VIRUS-L Digest   Friday, 23 Dec 1994    Volume 7 : Issue 104

Today's Topics:

InVircible IS Safe (PC)
InVircible Software - Retraction - Please Read This (PC)
Re: Virus Signature Extractor
Interview Dark Avenger
Re: Virus in gifs, jpegs?
Re: Virus Signature Extractor
Re: Virus in gifs, jpegs?, other topics (PC)
Re: Mainframe Viruses? (IBM VM/CMS/etc)
Re: Of what value is McAfee Netshld (PC)
Re: What can a virus do ? I need HELP! Please (PC)
Re: Norton Anti-Virus - How good? (PC)
Re: Virus Lab (PC)
Re: Unknown Virus?? (PC)
Re: WIN.COM modification (PC)
Re: Seeking info on "Filler" virus (PC)
Re: What can a virus do ? I need HELP! Please (PC)
Re: Seeking info on "Filler" virus (PC)
Help - qemm errors virus related? (PC)
Problems with MS-DOS AV-programs (PC)
Re: FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)
Descript.ion Virus (PC)
Re: A SETUP funny on boot : virus or what? (PC)
Junkie virus (PC)
Re: WIN.COM modification (PC)
confused by infection(?) (PC)
Re: Monkey Virus ****** Possible FIX (PC)
Re: Virus Signatures needed. (PC)
Re: What can a virus do ? I need HELP! Please (PC)
CorelDraw 4.0 virus? (PC)
can a virus survive a HD reformat (PC)
RE:confused by infection(?) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 22 Dec 94 08:58:42 -0500
From: Zvi Netiv
Subject: InVircible IS Safe (PC)

Allegations were made against InVircible, in a series of articles published in issues 96, 98, and 100 of Virus-L, as if it had "security problems" or was "invasive". The first posts on this topic were from Mr.G (George Paulsen), alias Zeppelin (Zep), in which he claimed IV behaved strangely on his machine, in the presence of Thunderbyte's TSRs. Carefully analyzing Zep's posts revealed that they contained disguised lies with some _apparently_ true facts. Knowing who Zep was, I decided to disregard his posts, as it was obvious that Zep was fishing for information, probably because he and his colleagues were intrigued about IV.

It's important to note that Zep _deliberately_ confronted InVircible with TB's TSRs as the latter could reveal, to his understanding, the information that he was looking for. Zep knew that IV should not be used in concert with the Thunderbyte TSR, as is clearly stated in IV's documentation and in its on-line help. Even if he didn't read it beforehand, I am sure he figured it out, telling from his posts. :-)

Let me introduce George Paulsen to you: Aliases Zeppelin, Mr.G, Jackel and probably a few more. Paulsen is a virus writer, with very little talent, if at all - his viruses never worked. Paulsen is the front man for alt.comp.virus, which among other "good deeds" distributes virus sources and code. Another of his good deeds is participating in the mail bombing going on on some of Fidonet's echoes. Paulsen was once a NuKE member (a virus writers' underground), but from what I know they extradited him for the poor code he wrote, and maybe because of other "sins" as well (plagiarism of others' code, to suggest one).
At another stage of his career, Paulsen was with (or possessed) Warez, where they distributed copyrighted software, for profit!

I opted to ignore Zep's posts, which turned out to be a mistake, as I found later. Unfortunately, Zeppelin's posts caught the attention of William Hudacek, from The Bowling Green State University, Ohio. Bill swallowed Zep's baits, repeated Zep's "tests" - not knowing that he was serving Zep's mal-intended purposes - and published the unfortunate article that was brought in issue 98 of Virus-L (and was repeated in issue 100). To my dismay, Bill's article was openly soliciting to lynch InVircible. In Bill's favor I must say that when his mistakes, and the consequences of his post, were pointed out to him, he issued a correction and retraction of his article, asking the moderator to post it on a priority basis.

To remove the negative effects of the referred posts, here is an explanation of where Bill was mistaken, misled by Paulsen.

As a first line antivirus protection, InVircible must be capable of protecting itself from being used by a virus as a propagation vector. Therefore, InVircible's modules are all equipped with a proprietary self-sanity check and auto-recovery capability (except for Flambeaux's help engine - which is the only third party component in IV). These features detect even the doings of full stealth viruses and do recover the module from their teeth! This unique capability is required to let IV function and to protect your system in an extremely hostile and illusive environment of existing and of future viruses.

In order to accomplish these capabilities, InVircible uses special techniques that can be found only in few other disciplines, such as in ECCM (electronic counter counter measures). Since IV itself uses second and even third order anti-spoofing techniques, it is no wonder that it confuses first order anti-virus TSRs. This is why antivirus TSRs should NOT be used with InVircible.
Moreover, there is an explicit note that advises to especially avoid Thunderbyte's TSRs when using IV, as they are "hostile" to IV.

To further explain the specific problems caused by Thunderbyte TSRs, here is a simple experiment anyone can do: Load TBdriver and then TBfile into memory. Now try to compress a file with one of the common run-time compression utilities - LZEXE or TINYPROG. Either will be intercepted as "possibly viral" by TBfile, and if you use Qemm, then most chances are that your system will even hang and crash, with Qemm exception #6 or #13! As LZEXE or TINYPROG are not viruses, of course, it is then clear that the mistake is Thunderbyte's. That's close enough to what happens when IV is run while TB's TSRs are active in memory.

The "solution" some users found by loading the TB TSRs through the autoexec, _after_ IV completed its tests, does not make any sense. For what it's worth, the TB TSRs have no self-sanity check (you can prove it to yourself by "infecting" them with my antivirus practice lab (AVPL) - a perfectly safe way to learn about viruses), and if one of the TSRs is already infected (or a new stealth memory resident virus managed to load itself already), then there is nothing that will stop that virus from smearing itself all over the system, riding on the antivirus. IV is safe against this possibility too; in fact, it is the only antivirus on the market that has generic anti-piggybacking features and sensing.

To reassure the users: IV is totally safe and is the least invasive antivirus there is. It has no TSR and it does not need one, it will not cause conflicts with any well behaved software (this includes any software you like, EXCEPT anti-virus TSRs), and it does not cripple the computer performance or its resources (memory, speed) - unlike AV TSRs.

I wish all a very good year and safe computing!
Zvi Netiv, InVircible
NetZ Computing, Israel
ftp.netcom.com/pub/an/antivir/invircible/
-----------------------------------------------------------------------

------------------------------

Date: Wed, 14 Dec 94 10:39:22 -0500
From: William Hudacek
Subject: InVircible Software - Retraction - Please Read This (PC)

To all:

This posting is a followup to an article I posted on 8 December, timestamp 18:21:1. The title was

    InVircible Problems, Security Scares!!!!! (PC)

From the title, you may (correctly) infer two facts:

a) I am not an expert in the field of 'viruses'

b) I did not realize that comp.virus was a professional forum; I attributed to this group the same culture I have found in the groups which I normally follow (those which reflect my own skill-sets). I considered my article to be 'mild', compared to the contents (or lack thereof) I have noticed all too frequently in other newsgroups. This is, I know, an inexcusable mistake.

In the initial article mentioned above, I blithely threw out several allegations regarding NetZ Computing's InVircible anti-virus software. The set of circumstances which resulted in this article's posting are irrelevant here. My main goal is to eliminate, immediately and permanently, any doubts anyone may possibly entertain as a result of my article.

InVircible is a 'sexy' product, being both easy to use and having (practically) no impact on the performance of a computer system. I am not an expert in virus technology (specifically software that currently exists to fight viruses), but I am a computer 'professional' and know high-quality software when I see it.

The visible signs of interaction which upset me so were not caused by InVircible; they were caused by ThunderByte 6.25. ThunderByte, to briefly explain, includes several TSR programs that monitor, for example, file access.
When InVircible is performing 'initialization' steps (eg, on system startup), it is probing the system; though the probe(s) are non-intrusive, and do not modify the state of the system in any way, the TBAV software reported InVircible's activities as *it* saw them, namely, 'harmful effects'.

I fell into the trap of being sure of *what* was happening, though I had no information to base my conclusions on. This was a mistake, later borne out by information provided by those of you who _are_ expert in this field. My refusal to accept that ThunderByte could be the cause of the observed problems was 'common sense' to me at that time, but seems evidence of poor judgement through hindsight.

I've been convinced, not only from the responses I received from Jeff Murphy and Zvi Netiv, but from others who responded privately (and thank you all!) that a) InVircible is stable as a rock, and b) these types of interactions often *appear* much more urgent than, in reality, they truly are.

What this boils down to is that, even if the mistake of running InVircible with another anti-virus program is made, InVircible will under no circumstances cause any ill effects on a computer system. Again, I have this on very good authority, with confirmation from independent sources (and you know who you are:).

I have made mistakes in this situation; I have learned from them. Please disregard my last posting as that of a misinformed, paranoid user (for that is how best to describe my reaction to the situation). In fact, I am in the process of registering for InVircible! I can unequivocally state that this is a tremendous product, and heartily (and knowledgeably, now) recommend that anyone who is using any other anti-virus software take a good long look at InVircible. You may never want to be without it again.

Cordially yours,

William G. Hudacek, B.S.C.S.
Bowling Green State University
Bowling Green, Ohio
whudace@dad.bgsu.edu

------------------------------

Date: Sat, 17 Dec 94 07:02:40 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Virus Signature Extractor

Steve Tamanaha wrote:
>I am looking for a program to extract virus signatures from
>infected files.

There are a lot of utilities that can be used here; it's what you think is a good 'signature' that matters. Try starting with DEBUG. The one that comes with DOS.

--
--> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
* * * T H I E V E S   S U C K * * *
* * * T H I E V E S   S U C K * * *

------------------------------

Date: Sat, 17 Dec 94 14:03:04 -0500
From: fw100@fim.uni-erlangen.de (Christof Tebbe)
Subject: Interview Dark Avenger

Hi,

some months, perhaps even nearly a year ago, an interview with Dark Avenger was posted to the internet. Has anybody archived this interview and could forward it to me?

Thank you,

Christof

--
-----------------------------------------------------------------
rz94-004@wsrz1.wiso.uni-erlangen.de        Christof Tebbe, Germany
-----------------------------------------------------------------

------------------------------

Date: Sun, 18 Dec 94 07:24:33 -0500
From: jmward@cs.UCR.EDU (jonathan ward)
Subject: Re: Virus in gifs, jpegs?

Dana R. Billig wrote:
>Just a question.
>        In one of the other newsgroups, someone posted a message to warn
>of a virus which he called the VD virus. The poster, who did it
>anonymously, claimed that the virus is encoded into gifs, jpegs and other
>graphics files. Supposedly when the skin tone color is 30% or greater,
>"it goes to work on your hard drive."
>
>[Moderator's note: Sounds like a hoax to me...]
>
>        I did not think this was possible. If anyone knows otherwise,
>or has heard of this virus. Please post, or email me with any info.
>This is all the information that I have about it.

I would tend to agree with you and the Moderator.
Graphics files are usually data files, in which case a virus, while possibly embedded in the data, will NOT infect your computer. A virus must be run to work, and graphics files are not run. The most that something like that will do is screw up how the image looks when it is displayed, due to bogus data. I know of no image display program that tries to execute code in a graphics file. I know of no graphics file format that has executable code. The ONLY possibility I can think of is an integrated viewer with the image file, in which case it's simply a data file and executable viewer combined into one file, and the virus would be attached to the executable viewer code.

In other words, I'd say this guy is causing minor pain in the region of lower extremities of a detaching form, mostly in the legs. :-)

-Jonathan Ward

--
University of California, Riverside - Dept. of Computer Science
System Administrator, Distributed Systems Group
Email to: jmward@cs.ucr.edu   drdrums@dostoevsky.ucr.edu
http://neuromancer/~drdrums

------------------------------

Date: Sun, 18 Dec 94 12:11:37 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Signature Extractor

stevet@fujitsu.com (Steve Tamanaha) writes:
>I am looking for a program to extract virus signatures from
>infected files.

Well, I use DEBUG....[no :-) here]

-frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Sat, 17 Dec 94 00:40:49 -0500
From: Nick FitzGerald
Subject: Re: Virus in gifs, jpegs?, other topics (PC)

"Dana R. Billig" wrote:

>         In one of the other newsgroups, someone posted a message to warn
> of a virus which he called the VD virus. The poster, who did it
> anonymously, claimed that the virus is encoded into gifs, jpegs and other
> graphics files. Supposedly when the skin tone color is 30% or greater,
> "it goes to work on your hard drive."
>
> [Moderator's note: Sounds like a hoax to me...]

Though I haven't heard anything of such a virus (not that that means a lot... 8-) ), I agree with Ken's sentiment that this is probably a hoax. Or it may be someone who has heard part of something that was either badly explained or understood and with all the best intentions, repeated an even more garbled and less comprehensible version of it (as we saw time and again the last few weeks with the "Good Times virus").

A few pointers that strongly suggest that this "warning" is meaningless:

1. Note that "skin tone" is not a "colour". Many hues are called skin tone, so the claimed trigger event--"when the skin tone color is 30% or greater"--is meaningless.

2. "it goes to work on your hard drive." What does "it" refer to here? Clearly the virus that is encoded into your graphics files. Aha! You may think that encoding a virus into a JPEG (say) is a ludicrous, clearly silly/impossible claim--well, it isn't (see later for an explanation of how). The important thing here is that viruses are -executable-, -computer code-. A graphics file is not (normally!) "executed" in any way. You run a program (that -is- executable!) to interpret the contents of the graphics file and display that on screen. If a virus was encoded in a graphics file (or part of a virus was), you would have to have either a viewer program that knew of the extra encoding scheme to decode the virus and do something with it -or- a virus would already have to be active in memory and -it- would have to decode the virus part of the graphics file. That this level of understanding was missing from the reported warning suggests the poster of the warning really didn't know what s/he was talking about.

3. If you have something truly worthy of sharing, that helps people avoid the nuisance effects of viruses, why do it through an anonymous posting service?
(Unless maybe you are the author of the virus, in which case I doubt you would display the technical shortcomings I pointed out in 2.)

>         I did not think this was possible. If anyone knows otherwise,
> or has heard of this virus. Please post, or email me with any info.

What Dana describes is theoretically possible, though a virus cannot -completely- reside in a data file of any kind.

JPEG compression, as typically used, is "lossy". This means that the bitmap that goes into the compression process cannot be recovered -identically- by the decompression process. This may seem like a dreadful state of affairs, but in some cases lossy compression is quite acceptable. One such case is high colour-depth, graphical bitmap images, where a small loss in the "precision" of the displayed image more than compensates for the much larger savings in disk storage and/or transmission time/costs that lossy compression allows compared to the best lossless compression methods.

-Very roughly-, lossy compression works by "looking" for clumps of adjacent pixels that are similarly coloured and averaging their colours. This increases "redundancy" in the image and thus increases the extent of compression possible, therefore reducing the space required to store the image. The degree to which such a process improves over lossless compression depends upon how different two pixels' colours have to be before no more pixels are added to the area before the averaging occurs.

Given that some loss of fidelity is inherent in lossy image compression, it is possible to encode more information than just the image into, say, a JPEG file. This is done by sacrificing a little more picture fidelity and encoding the additional material into the last (few) bits of colour information. As these bits have least overall effect on the quality of the image eventually decompressed from the file, possibly twiddling them should cause a barely noticeable change in the compressed image, when displayed.
Encoding some other file (such as (part of) a virus) into a compressed image doesn't depend upon the use of lossy compression, but is possibly less likely to be detected than if encoded into a lossless compressed image.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332

**********************************************************************

Subject: Re: HELP-Omega (PC)

"Leblanc, Diane" wrote:

> We've had some unfortunate luck on our Novell 3.11 LAN, it's been infected
> by Omega, Uruguay and another that I think is called Key-cap. Please don't
> ask how it happened, it's a long story! Does anyone have a fix or know
> where we can get fixes for these viruses? TIA.

Before you clean this mess up and pretty much regardless of what these viruses do, you have a much more serious issue to resolve. How did files on your server/s get infected in the first place?

Generally this comes down to sloppy admin and setup--the number of NW servers where even the files in SYS:PUBLIC aren't flagged SRO because "only Supervisor [and the three dozen equivalents] have write rights there" is seriously worrying. Do NOT trust your understanding of NW file/dir security and rights from having read the manuals--spend the time with a few PC's logged in as various users, and as Supervisor on one twiddle trustee settings, flaggings, etc and see what you can do on the other machines. Also note that NetWare's "read-only" is not the same as DOS's--it's much stronger and has to be turned off before even Supervisor can modify a file protected with it. OK, a NetWare aware virus will have the privileges under Supervisor to do that, but the bulk of viruses aren't NW-aware, so are stumped at that point.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332

**********************************************************************

Subject: Re: What can a virus do ? I need HELP! Please (PC)

Michael Jackson wrote:

> "Jim Bennett" writes:
>
> >My question, can a virus survive a HD reformat or does that remove it from
> >the system entirely?
>
> Formatting a HD will remove any trace of a virus.

Wrong, wrong, wrong. If you are going to try to help someone, at least try to get a few things right. Someone who displays such a dangerously poor understanding as Michael does of such fundamental DOS operations as disk formatting should probably be reading along, rather than contributing.

The correct answer is, "there are formats and there are formats". As Jim didn't tell us what kind of format he performed, nor what the virus was (he may have told us the virus, but I don't recall and Michael didn't repeat it in his clipping), we cannot answer the question definitively.

So, what types of formatting operations are there? DOS distinguishes between two--"low level" or "physical" formatting, and "logical" or DOS formatting. The former involves writing sector begin and end "markers" around the cylinders or tracks of the disk involved; the latter only involves writing critical DOS system areas (boot sectors, FAT, root directory) to certain parts of the disk. The DOS format command (normally) runs a program that does different things depending upon the type of the target disk. If the target is a floppy disk already apparently formatted in a way supported by this DOS version (depending upon the version of DOS and the command-line options specified) it may or may not perform a "physical" format--it always performs a "logical" format (unless there are fatal errors on the disk).
However, if pointed at a hard disk, the DOS format program only ever performs a "logical" format. Physical formatting of hard disks is (usually) left to special programs supplied by the drive manufacturer and/or routines in the PC's BIOS. Further, with a hard disk, it must be prepared for DOS formatting by a program that "partitions" the disk (this allows one physical drive to hold two or more logical drives). Partitioning is often done with DOS's FDISK program, but there are several other popular utilities that can also do this.

If a PC has been booted from a guaranteed "clean" floppy and DOS formatting of the hard drive is performed, everything in the DOS boot sector, FAT, root dir and "early" tracks of the partition will be overwritten (exactly what happens varies from version to version of DOS). This, however, doesn't mean that the machine is necessarily virus free--DOS's format doesn't touch the Master Boot Record, which contains the very first modifiable "program" that runs on a PC booting from a hard drive. (I'm ignoring the possibility of EEPROM BIOS'es here.) MBR infecting viruses, as a group, are probably -the- most common viruses in the world today.

So, formatting a hard drive does --NOT-- necessarily "remove any trace of a virus" as Michael said.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332

**********************************************************************

Subject: Re: Unknown Virus?? (PC)

Michael Jackson wrote:

> William Becker writes:

[deletia]

> >At warm reboot (ctrl-alt-del) the message "I'll be back!" appears.
>
> A word of advice from a virus researcher who has "released" numerous
> viruses on his own computer, NEVER do a warm boot on a computer that
> you suspect is infected. ...

Despite my earlier harsh words for Michael, this is good advice.

> ...
> Most of the newer viruses can survive a
> warm boot. ...

Most?? Really?

> ... And all that you've done is cause all your start-up
> programs to become infected. ...

True--though if it's a fast infector that's already had a swipe at your root dir they would already be...

> ... The best way is to have a write protected
> floppy, turn the system off, insert the floppy, then turn the system on.
> You then prevent the virus from going memory resident while you check
> the system with a copy of your favorite AV program (off of a floppy) to
> locate the source of the infection.

Um, well, no--not necessarily. What about the EXE_Bug virus, which infects files and MBR's -and- fakes floppy boots by twiddling CMOS settings so it is always loaded from the MBR. Once it is loaded in this manner, it looks for a diskette in A:, and if successful, completes the boot sequence from A:. This quite convincingly fools most people that they have "booted clean". (EXE_Bug "fails" at this on some machines as their power-up tests don't like finding CMOS settings at odds with the actual hardware the tests find.)

I'd say better general-purpose instructions are:

Put your write-protected, clean boot floppy in A:.

Press the Reset switch -OR- power-off for 45 seconds then power-on.

Enter your BIOS (or CMOS) setup program (depending on many things you may have to press one of , , , , , , , etc, etc, within a specific time frame). [True-Blue owners may be in the poo here, as IBM machines tend to have a DOS program for changing BIOS setup options, rather than routines built into the BIOS.]

Make sure that your CMOS settings indicate an A: drive (and the right type)--correct it if wrong.

If your BIOS has the option, also check that the boot order is set to A: then C:--change it to this if it's not.

Exit from the BIOS setup program, saving your changes on the way out and let the machine reboot.

Watch closely for unusual activity, such as too many or out of order floppy and hard disk accesses, etc.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332

**********************************************************************

Subject: Re: Seeking info on "Filler" virus (PC)

ACM0200@mtroyal.ab.ca wrote:

> I am looking for any information on the "Filler" virus. It seems to
> be detectable when active in memory, but never on any disk. Very
> frustrating.

Let us guess: You run VSAFE from the DOS 6 or Central Point Anti-Virus package and load it automatically at startup, right? And you've just run some non-MS/non-CP (same thing, actually) antivirus program that has scanned memory for active viruses, right?

The "problem" is that CPAV (from which MSAV is derived) is junk. Amongst its shortcomings is that it doesn't encrypt (or otherwise "hide") its scan strings in memory, so other scanners that scan memory see them "as is". As some scanners have similar scan strings for some viruses, they will "trigger" on seeing VSAFE's scan strings in memory. If this is what's happening you have nothing to worry about--you do not have the Filler virus.

If the above applies to you, simply remove the lines from CONFIG.SYS and/or AUTOEXEC.BAT that load any of the CPAV/MSAV components. If you have used the functions of this antivirus software that add check codes to your executables you should run the program you used for this with appropriate options to remove the check codes.

Once you've done all this, I'd suggest that you should spend a little time reading this list (or newsgroup) and decide on a suitable antivirus strategy for your situation and the level of risk you are prepared to accept.

In case you think I am being unduly pessimistic, Microsoft themselves do not use CPAV, the "parent" product of MSAV.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332

**********************************************************************

Subject: Re: Is it a Virus? (PC)

Peter_Hoste@f0.n319.z9.virnet.bad.se (Peter Hoste) wrote:

> His Harddisk was suddenly wiped clean in the middle of using a normal dos-
> program.
>
> the strange thing is that the harddisk-label is now:
> HAHAHAHAHAHA2
>
> the second strange thing is that MSDOS.SYS /IO.SYS were still on the harddisk
> as the only files.

Sounds distinctly like it -could- be a virus. By "wiped clean" do you mean "all files and directories deleted" or "overwritten"? Two quite different things...

> Also it is the second time that this happened.

Once is happenstance, twice is coincidence, thrice is enemy action...

> I was thinking of a virus, but McAfee & F-Prot could not find anything.

Well, with all the files bar two (and two that are commonly avoided by file infectors at that!) deleted, do you not think that the evidence may have been wiped out? Geeez!

Anyway, back to my question above--"deleted" or "overwritten"? If deleted, you could -try- running an undelete program (or manually patch it back together!! 8-) ) and then scan again.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332

**********************************************************************

Subject: Do I have an infection? (PC)

weissborn@dallas.geoquest.slb.com (Bill Weissborn) wrote:

> I have a user who has a Compaq LTE Elite 4/50cx, running DOS 6.2 &
> Windows 3.1. Recently, when he tries to start windows it complains
> that it cannot load the 32-bit file driver. It says that the address of
> the disk has changed.
>
> I ran f-prot (Sept 1994) and it says that it finds "AntiCmos.b" in the
> masterboot sector and in memory. However, I cannot find anything in the
> docs about this "virus"(?). So the question I have is, "Is this a false
> alarm or do I really have a virus here?"

Neither--you have a false positive. You clearly have an infection of the "I forgot to turn my brain on this morning virus", though F-Prot is well known for misidentifying this as all manner of other less malignant viruses! 8-)

Get with the program. F-Prot is typically held in very high regard by antivirus researchers who work for companies making competing products. It is one of the better antivirals at performing (near) exact identification -and- is very conservative in -not- attempting to disinfect if it "suspects" a new or modified form of a virus. Did you actually try the disinfection routine? Or are you accustomed to using some of Frisk's competitors' products?

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332

**********************************************************************

Subject: Re: HELP! My PC seems to be infected. (PC)

Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk) wrote:

> 12 Oct 94 18:20, Magnus Carstam wrote to All:
>
> MC> I don't know if this is anything but I've
> MC> heard of a virus called cascade and
> MC> a checker of IRQ has given the following
> MC> results
> MC> IRQ2 Cascade -> IRQ9
> MC> IRQ9 Cascade -> IRQ2.
>
> Could someone tell me what that Cascade means?

I've just written an entry to be added to the next update of the Virus-L/comp.virus FAQ on precisely this. I include it below, but note that this may not be the finished version as the other FAQ helpers have yet to scrutinize it, criticize it, rip it to shreds and rewrite it!
8-) Possible extract from new FAQ: > My PC diagnostic utility lists "Cascade" amongst the hardware > interrupts (IRQ's). Does this mean I have the Cascade virus? > > No. This is quite normal on AT-style (286 and better) PC's (and on a > few 8086 (XT) class machines). The original IBM PC design had one > Programmable Interrupt Controller (PIC) to handle hardware interrupts > generated when devices like disk controllers, serial and parallel ports, > LAN adaptors, etc had to be serviced. While developing the AT, IBM > decided that the eight Interrupt ReQuest (IRQ) lines the original PIC > supported were probably insufficient for likely future expansion needs, > so they added a second PIC. However, the two PIC's had to cooperate, so > they both didn't interrupt the CPU concurrently. This was achieved by > having the second PIC use an IRQ to signal the first PIC that it has an > IRQ that should be serviced. IRQ's 2 and 9 were used for this and are > commonly called the "cascade" IRQ, as they allow the second PIC to > cascade an IRQ down to the first other PIC. Hope that helps. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332 ********************************************************************** Subject: Re: Michelangelo(?) virus bypasses bios test (PC) rargyle@cc.weber.edu (Bob Argyle) wrote: > I found one of our computers with the BIOS warning about boot sector > writes infected with what was identified as the Michelangelo virus. > Is there any possibility for a virus to defeat the warning, or is > the only explanation operator error? The CMOS switch for the test > was probably being modified (along with A:/C: boot sequence) at the > time of infection. The explanation of operator error can seldom be completely ruled out. 
However, it is conceivable that a virus -might- be written with "knowledge"
of your specific BIOS and its special, non-standard "security" settings
(boot order, MBR protection, passwords, etc.) and that could bypass these by
twiddling the appropriate bits/bytes in the machine's CMOS.

However (assuming no operator error and that these features were correctly
enabled), how could a boot virus ever get to turn these features off? (As
you presumably have the machine set to try booting from C: first.) The
answer to this is that either there is a new BIOS-specific virus that is
multi-partite and the file infection phase turns off the BIOS protections,
infects the MBR then turns the protections back on, OR the BIOS protections
don't work (fully) with your machine's setup. For example, most BIOS boot
order options do not work with SCSI HDs (i.e., setting C:, A: as the boot
order won't prevent an A: drive boot); I'm not so sure about the MBR
write-protection options.

**********************************************************************

Subject: Re: Possible WP 5.1 for DOS (PC) virus?? (PC)

Leon Bekker wrote:

> We have run into a problem at the time of retrieving a document, that the
> letters "mx" replace characters within the document itself. This seems to
> be recurring, but does not seem to reflect consistency in what it replaces,
> or even where it replaces characters.
>
> Also, sometimes portions of pages are deleted, which would need to be
> re-pasted from a backup copy of the document!
>
> Has anybody come across a virus of this nature, and if so, would you mind
> emailing me at the address below?

Not a virus, though you may have one that is "infecting" your WP files.
If so, it is probably very buggy -or- designed to ruin/destroy your WP work,
as WP eventually will refuse to accept your files as WP and/or hang on
trying to load them.

I can think of two more likely explanations though. Have you run CHKDSK (or
SCANDISK, depending on DOS version, etc.) lately?? I suspect that you may
have a slightly scrambled FAT and the longer you leave it unfixed the more
damage will be done to your files (and probably eventually your PC won't
boot!).

The other possibility, if CHKDSK says all is well, is that you may simply
have some WP files that have fallen to the WP file-munging bug. Whilst WP
don't officially acknowledge this one, there are some problems that WP has
with keeping track of all its pointers to the various pieces of documents
spread through memory and temporary disk files. It seems that occasionally
it gets things wrong by a byte or two, and because of the complex
interrelations between WP formatting codes, this can lead to spectacularly
mangled looking files, WP locking up on retrieving them, etc., etc.
Fortunately, despite what often looks like huge chunks of text disappearing,
most of this kind of damage can be undone. Look for a file called WPMD3.ZIP
at your favourite anon FTP site--this is the WordPerfect Medical Doctor, the
best value shareware for people with mangled WP documents.

------------------------------

Date: Sun, 18 Dec 94 17:04:39 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)

MVillegas wrote:

> Has anyone heard of an IBM mainframe virus? Do or have they
> existed?

Well, I have never seen a specific virus for mainframes; but we had here [in
Argentina] some networks attached to a mainframe simulating DOS that were
hurt by viruses.
One REAL case that I know of was an attack of the "Avispa" virus in a net
like the one described above. This virus is a little polymorphic and causes
a little trouble for disinfection.

Regards

Ruben Arias
RALP

- -----------------------------------------------------------------------------
Ruben Mario Arias     |> /| | |> |\ | | |_ |     E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus                 Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Sat, 17 Dec 94 04:16:48 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Of what value is McAfee Netshld (PC)

>We've recently run through an evaluation period using the McAfee Netshield NLM
>on one of our file servers. Maybe I didn't have it correctly configured, so
>I'm willing to cut it a break, but I can't see how it works.

The current version of NetShield (1.61RC) detects viruses by scanning for
virus signatures of known viruses and using CRCs to detect new or unknown
viruses. Virus detection can be done periodically by scheduling a scan at a
certain time, and/or in real-time by monitoring files as they are read and
written to the server.

The CRC portion, which you discuss below, works by examining executable
files on the server, calculating a CRC value for each file, and then storing
it into a log file. NetShield can then compare files against these CRC
values to see if they match the information recorded in the log file. If
they do not, then the original file has been modified or replaced. NetShield
can then warn you that a virus infection may have occurred because a file no
longer matches its CRC value.

>
>More Info:
> In our office we have a couple of programmers who are constantly tweaking
>and updating pieces of code.
>When they recompile their programs and then load
>their files up to the server, the NLM would grab them and send a message that

If the newly-compiled files are different from the files on which NetShield
computed a CRC value you would receive a report that the file had been
changed, possibly due to a virus. NetShield would then perform a
user-specified action, such as moving the file to a containment directory.

>a virus was detected. However when I would view the log file all that is
>reported was that the suspect file was moved to its infected subdirectory.
>There was no mention of what type of virus was suspected of operating.

Right. Since NetShield is not looking at a virus signature it cannot report
the name of the virus it found using a CRC check. What it will do is report
that a CRC failure has occurred and perform any selected action (including
leaving the changed file alone).

>
>I suspect in our case all the program was doing is a CRC comparison check and
>then throwing the changed file into the infected area. In which case the
>moved file wasn't virus contaminated at all.

Most likely, yes.

>
>Has anyone been able to get more bang for their buck using Netshield to scan
>servers for viruses or is there something else we should be considering?

Based on the information provided, it appears you are using NetShield's CRC
checking feature in an environment where executable files are constantly
changing. NetShield will identify these changes as the result of a possible
virus infection and perform the action it has been configured to, which
includes leaving the changed file alone. This is how NetShield was designed
and according to what you have written it appears to be working correctly.

What might be a better solution for this particular LAN is to disable the
CRC checking and rely instead on the virus scanning features of NetShield.

Please feel free to contact me if you have any further questions.
Regards,

Aryeh Goretsky
Technical Support
- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: support@mcafee.com
2710 Walsh Ave, Suite 200 | FAX   (408) 970-9727 | or ftp.mcafee.com
Santa Clara, California   | FaxBck(408) tba      | or www.mcafee.com
95051-0963                | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
USA                       | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Sat, 17 Dec 94 07:09:56 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: What can a virus do ? I need HELP! Please (PC)

Michael Jackson wrote:
>"Jim Bennett" writes:
>
>>My question, can a virus survive a HD reformat or does that remove it from
>>the system entirely?
>
> Formatting a HD will remove any trace of a virus.

Absolutely not. Formatting a fixed disk with FORMAT.COM that comes with DOS
does not affect the Master Boot Record at all. This will only remove a boot
sector infector. Even fdisk/mbr will not remove MBR infectors. However, if
one doesn't mind data loss, then they could delete the partitions in their
partition table, repartition, and then format, and, assuming they didn't
introduce a virus into the system during this process, the disk would not
have an active virus on it.

>>Can a virus infect the electronics of the PC, for example live within BIOS or
>>some other location? The PC I am using has flash BIOS which can be written
>>to. I have also considered that maybe my install disks are infected thus
>>doing more harm than good but I have not checked them yet. In addition, what
>>is a good anti virus program to use? Any suggestions?
>
> Although the virus writers have been working on viruses that reside in
>the BIOS, they have found that they would be too system specific. Not all
>computers use a flash BIOS, so the virus would have to travel far and
>wide before it did any real infecting.
> It sounds like one of your install disks is infected. This is not the
>first time it has happened. My suggestions for an AV program are F-Prot
>(freeware for personal use) and Thunderbyte (shareware). Either of these
>can be found on a local BBS. Good luck.

Hm. I don't know about your assumption with specifics. Ever heard of
StarShip? We'll just start with that.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
   * * * T H I E V E S   S U C K * * *   * * * T H I E V E S   S U C K * * *

------------------------------

Date: Sat, 17 Dec 94 07:12:42 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Norton Anti-Virus - How good? (PC)

Adam Robert Fields wrote:
>The subject line says it all... How does Norton stack up against the
>various scanners/cleaners available commercially or via ftp? I
>recently had an outbreak of the Junkie Boot virus, and the new Norton
>defs (Nov 94) were able to detect and clean it (at least it said it
>did), but this attack has left me wondering. All I have to go by is
>the assurance of the scanner that the virus has been wiped out. Any
>opinions?

It is generally a good idea to have more than one anti-virus package -
however, NAV is quite capable of finding and removing the Junkie virus. NAV
detects and repairs just about every virus in the wild -- which means that
just about any virus you are likely to actually find without looking for it
will probably be detected and cleaned.

------------------------------

Date: Sat, 17 Dec 94 07:14:33 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Virus Lab (PC)

Bill Lambdin wrote:
>Zvi Netiv wrote
>
>> AV Lab is based on real virus like scenarios, with synthesized and
>> some real, but emasculated viruses.
>> The safety of AV Lab is in the
>> incapability of its works to escape in the wild. It can be played only
>> on the machine that the AV Lab operates from, and its doings cannot
>> propagate from one machine to another.
>
>This sounds all well and good, but what is to prevent hackers from
>placing fangs in these viruses, or adding real viruses into Virus Lab
>then distributing the modified archive to other BBSs?

Hehe. Yeah, really! I seem to remember this one virus, "Virus-101". It
seemed to seep out. Are these "real" viruses? I suppose I should check it
out for myself before I bag too hard here.

------------------------------

Date: Sat, 17 Dec 94 07:20:58 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Unknown Virus?? (PC)

Michael Jackson wrote:
>William Becker writes:
>
>>At warm reboot (ctrl-alt-del) the message "I'll be back!" appears.
>
> A word of advice from a virus researcher who has "released" numerous
>viruses on his own computer, NEVER do a warm boot on a computer that

Have you published any research papers on viruses that I can obtain via the
net? If not, which journals can I find them in?

>you suspect is infected. Most of the newer viruses can survive a
>warm boot. And all that you've done is cause all your start-up

I only know of one virus that traps int 9 to "survive" a warm boot.
Probably, yes, there are more. However, "many" is a highly misleading term.
I would wager no more than ten or twenty viruses do this. At most.

>programs to become infected. The best way is to have a write protected
>floppy, turn the system off, insert the floppy, then turn the system on.
>You then prevent the virus from going memory resident while you check
>the system with a copy of your favorite AV program (off of a floppy) to
>locate the source of the infection.
This floppy should be a system disk, and also should be known to be clean.
The antivirus program should be on this disk. This helps eliminate potential
mistakes, not the virus suddenly being "triggered" and loaded into
memory/activation by the scan -- unless you're using an infected AV package.

------------------------------

Date: Sat, 17 Dec 94 07:23:44 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: WIN.COM modification (PC)

Michael Howell wrote:
>In the past two days, my win.com file has been modified from 50,904 bytes to
>95,036 ... The date changes at that point, as well ... When the 95K version is
>executed from a DOS command line, the message "Program too big to fit in
>memory" appears.

This message is caused when a .COM file that is larger than 65536-256 bytes
is executed.

>Sounds evil and virus-like, but I've run mwav, fprot, and tbav, and none have
>come up with anything. Sigh. Any comments?

Unless there are multiple infections, I don't know of any virus with the
length increase you specify. Of the multi-infect viruses, the Jerusalem
family is largest and most common; but no variants I have reinfect .COM
files; only .EXEs.

------------------------------

Date: Sat, 17 Dec 94 07:23:46 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Seeking info on "Filler" virus (PC)

wrote:
>I am looking for any information on the "Filler" virus. It seems to
>be detectable when active in memory, but never on any disk. Very
>frustrating.

This is most certainly caused by CPAV or MSAV. It is a false id.
------------------------------

Date: Sat, 17 Dec 94 13:40:19 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: What can a virus do ? I need HELP! Please (PC)

Michael Jackson (mrjackson@delphi.com) wrote:
> "Jim Bennett" writes:
>
> >My question, can a virus survive a HD reformat or does that remove it from
> >the system entirely?
>
> Formatting a HD will remove any trace of a virus.

Assuming that the virus was not memory resident at the time. See Joshi, e.g.

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas            Lead, Follow,          35   InterNet: iandoug@cybernet.za
P.O. Box 484           or get out of        1,73   FidoNet: 5:7102/119
7532 Sanlamhof         the way.               57   TopNet: 225:2048/1
South Africa           (Ted Turner, CNN)    XNTX   PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Sat, 17 Dec 94 13:45:47 -0500
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Seeking info on "Filler" virus (PC)

ACM0200@mtroyal.ab.ca wrote:
> I am looking for any information on the "Filler" virus. It seems to
> be detectable when active in memory, but never on any disk. Very
> frustrating.
> K

Are you using the mem-res utils from CPAV / MSAV, and scanning memory with
McAfee Scan (eg v117)? If so, you have a false alarm. Blame CPAV / MSAV for
not encrypting their scan strings..

Cheers, Ian

------------------------------

Date: Sat, 17 Dec 94 16:19:43 -0500
From: al700@freenet.carleton.ca (Jason Gorski)
Subject: Help - qemm errors virus related? (PC)

Okay, well, having run a few BBSs and had 7 different viruses I have become
very cautious. What my problem is, I seem to be getting constant QEMM errors
where it tells you to reboot etc. Sometimes without reason I lose some RAM,
my multitasking software doesn't work properly anymore and I haven't changed
any of my setup. Does this sound familiar to anybody?

- --
al700@freenet.carleton.ca
OTTAWA! Home of the Sena.... never mind. MERRY CHRISTMAS!

------------------------------

Date: Sat, 17 Dec 94 16:21:36 -0500
From: ivarw@oslonett.no (Ivar Walseth)
Subject: Problems with MS-DOS AV-programs (PC)

I'm running MS-DOS 6.2 and Windows (fwg) 3.11. Autoexec.bat and the startup
group launch VSAFE and MWAVTSR. I used to have the 32-bit file system option
switched on (control panel, 386enhanced - virtual memory). When I ran MWAV
(Microsoft's scanner for Windows) it frequently reported that several files
got their checksum changed. Since I returned to the 16-bit file system this
problem has disappeared. Has anybody else seen this problem? Is anybody able
to explain what's going on (technically)?

Ivar.

------------------------------

Date: Sat, 17 Dec 94 16:21:34 -0500
From: ivarw@oslonett.no (Ivar Walseth)
Subject: Re: FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)

ACM0200@mtroyal.ab.ca wrote:
>
> In addition to the "Filler" virus, I have detected the "Israeli Boot"
> virus on my system. The latest McAfee software will catch them both
> when active in memory, but never, ever, ever on any disk. Accepting
> that, I went out and bought a brand spanking new copy of the Norton
> Anti-Virus, which detected a grand total of nothing at all.
>
> Any help out there?

I've seen the same problem caused by the resident VSAFE while SCAN was
running.
Try to unload VSAFE (ALT-V ALT-U) before SCANning.

Ivar.

------------------------------

Date: Sat, 17 Dec 94 16:46:57 -0500
From: jmayer@sinkhole.unf.edu (John Mayer)
Subject: Descript.ion Virus (PC)

I came across an extremely funny hidden file on my PC yesterday called
descript.ion. It was a hidden file. As soon as I saw it I ran FP and McAfee
products (213s) and none of them detected anything funny. Has anyone had any
experience with this file before? I don't know for sure what it was but it
had spread to 5 different directories rather quickly. The file description
on my shell was "Ha." I am not absolutely positive but I am pretty sure that
I picked it up off of a program called QPEG, which I obtained from a very
reputable FTP site. I have since destroyed the files and am keeping my
fingers crossed. If anyone has any info on this would you please let me
know, preferably by e-mail. If you do have any info, you may also want to
post it to this group. Thanks in advance!!

[Moderator's note: Sounds to me like you're running 4DOS or NDOS - which use
the (hidden) descript.ion file for storing file descriptions; it's actually
a very useful feature, IMHO, especially with DOS's limitation on file name
lengths.]

- --
- ------------------------------------------------------------------------
Look Closely        Internet email at jmayer@unf6.cis.unf.edu        It's 3-D
 ______________________________________________________________________
|l internet email internet email internet email internet email internet|
|mail internet email internet email internet email internet email inter|
|l intjmayer@mail injmayer@email ijmayer@ email jmayer@t emailjmayer@et|
|mail unf6.cis.emailunf6.cis. emaiunf6.cis.t emaunf6.cis.et emunf6.cis.|
|l intunf.edumail inunf.edu mail iunf.edu email unf.edut emailunf.eduet|
|mail internet email internet email internet email internet email inter|
|l internet email internet email internet email internet email internet|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Sat, 17 Dec 94 21:56:36 -0500
From: DennisR@ix.netcom.com (Dennis Reinhardt)
Subject: Re: A SETUP funny on boot : virus or what? (PC)

ANTHONY APPLEYARD writes:
> [deleted]
> Sometimes in this error condition it finds
>those memory sizes OK, sometimes it finds 512K base memory and no extended
>memory. Any idea what is wrong? The other man in charge of this room can't
>find anything wrong, although he is accustomed to seeing the insides of PCs.
>

This sounds like a possible hardware error. I would suspect, in order, 1)
the CMOS battery 2) power supply 3) memory 4) just about anything. Try
swapping good components to isolate.

- --
- -----------------------------------------------------------
| Dennis    | DennisR@ix.netcom.com | Works for me, may |
| Reinhardt |                       | not work for you  |
- -----------------------------------------------------------

------------------------------

Date: Sat, 17 Dec 94 22:35:42 -0500
From: daveyj@perth.DIALix.oz.au (John Davey)
Subject: Junkie virus (PC)

Hopefully someone reads this. I've picked up the Junkie virus from
somewhere, FTP I think, getting kermit.exe. Anyway, we can't seem to get rid
of it; it seems to stick to COM files. CLEAN gets rid of it, but after a
clean boot it seems to re-appear. Any comments? HELP!

John

------------------------------

Date: Sun, 18 Dec 94 07:14:35 -0500
From: jmward@cs.UCR.EDU (jonathan ward)
Subject: Re: WIN.COM modification (PC)

Michael Howell wrote:
>In the past two days, my win.com file has been modified from 50,904 bytes to
>95,036 ... The date changes at that point, as well ...
>When the 95K version is
>executed from a DOS command line, the message "Program too big to fit in
>memory" appears.
>
>Sounds evil and virus-like, but I've run mwav, fprot, and tbav, and none have
>come up with anything. Sigh. Any comments?

This could be several possibilities. First off - WIN.COM is a "dynamic"
file. Its size depends, if I remember right, on your particular Windows
configuration. It's most likely determined at installation/configuration
time. That right there could explain the size discrepancy -- have you
reconfigured your system any time in the near past?

The "Program too big to fit in memory" could possibly be a virus. Especially
if it's a memory resident variety - sometimes they screw with the DOS
interrupts and memory handlers and can cause such an error. ...then again,
considering it's Windows, that sounds about typical. ;-)

If it is a virus and none of the anti-virus products detect it, then one of
two possibilities exist -

1) You don't have current versions of the AV software. In this case, you
should get in touch with Symantec and get the latest copy of VIRSCAN.DAT. I
believe that the January '95 update is due out any time.

2) You have a new and up until now unknown virus. In this case, get in touch
with Symantec and inform them of your situation. They'll probably have you
send them a copy of the supposedly infected file, and most likely will write
a fix for it so that future updates to NAV will detect it. (Provided it is
indeed a virus.) ...now, you _did_ send in your NAV registration, right? :-)

However, I honestly doubt that it is a virus. A 40+k sized virus is awfully
large. It's not unheard of, of course, but I haven't seen many that get up
to that size (at least as far as the actual infection size).

-Jonathan Ward

- --
University of California, Riverside - Dept. of Computer Science
System Administrator, Distributed Systems Group
Email to: jmward@cs.ucr.edu   drdrums@dostoevsky.ucr.edu   http://neuromancer/~drdrums

------------------------------

Date: Sun, 18 Dec 94 09:16:52 -0500
From: basenji@gate.net (RA Kowalski)
Subject: confused by infection(?) (PC)

I'm running a 486 DX2 50MHz with Windows over DOS, which I use mostly for
Internet work via a SLIP connection.

I found what I thought was my first infection about two weeks ago when my
old version of Thunderbyte 6.08 detected the dame virus and 75 corrupted
files. The infected and corrupted files were removed. A few days ago, I then
found what Thunderbyte reported to be an unknown possible virus and one
changed file. These were then removed also. After both reported infections,
all files showed clean.

I just d/led the latest version of Thunderbyte (6.26) and it is now showing
multiple warnings for my write.exe that it contains a possible polymorphic
virus. The warning codes are N, G, O and @. When I run the older version of
TBAV, I get the warning codes N, V and G but it does not show it as a virus.

None of my other A/V programs (the current versions of McAfee, both DOS and
Windows, MSAV, ViSpy or ViScan) show anything. I'm almost ready to reformat
my hard drives and reload from tape backup. Any help is appreciated. TIA

- --
RA Kowalski   basenji@gate.net
"How can one little insulated wire bring so much happiness?!" Homer Simpson

------------------------------

Date: Sun, 18 Dec 94 12:11:30 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Monkey Virus ****** Possible FIX (PC)

Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk) writes:

>Can I conclude that there isn't an AV program that can 'clean'
>the Monkey virus??

No...there are many programs that can clean it without any problems....my
own F-PROT for example and many others...

- -frisk

------------------------------

Date: Sun, 18 Dec 94 12:11:42 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Signatures needed. (PC)

mrjackson@delphi.com (Michael Jackson) writes:
>Randall Bollig writes:
>
>>Hello all,
>>
>>I'm working on a system security project and need about ten virus
>>signatures that scanners would use to identify a potential virus. Where
>>can they be found?
>
> Randy,
> I have a registered version of ThunderByte (TBAV), and can extract
>signatures. Here are the 10 signatures and the names of the viruses:

Please note that putting those 10 code fragments in a file *may* cause TBAV
to report the corresponding virus, although strictly speaking it is a false
alarm....but it is somewhat unlikely that any other anti-virus program will
trigger on them.

- -frisk

------------------------------

Date: Sun, 18 Dec 94 12:11:40 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: What can a virus do ? I need HELP! Please (PC)

mrjackson@delphi.com (Michael Jackson) writes:
>"Jim Bennett" writes:
>
>>My question, can a virus survive a HD reformat or does that remove it from
>>the system entirely?
>
> Formatting a HD will remove any trace of a virus.

Not necessarily. It will not kill an MBR virus, and it will not help if the
virus is active while reformatting, so it can re-infect right away.

- -frisk

------------------------------

Date: Sun, 18 Dec 94 21:13:10 +0000
From: tioga@cts.com (Mason Marks)
Subject: CorelDraw 4.0 virus? (PC)

On Dec 14 at 7:00am my C: drive, which had Corel Draw v4.0 (pirate), was
deleted. I have heard rumors that this is Corel Draw's fault. Anybody else
hear anything or have anything happen to them related to this?

------------------------------

Date: Sun, 18 Dec 94 18:25:24 -0500
From: SHEPARDT@vaxa.cis.uwosh.edu
Subject: can a virus survive a HD reformat (PC)

>Date: Sat, 26 Nov 94 02:24:45 -0500
>From: Michael Jackson
>Subject: Re: What can a virus do ? I need HELP! Please (PC)
>"Jim Bennett" writes:
>>My question, can a virus survive a HD reformat or does that remove it from
>>the system entirely?
> Formatting a HD will remove any trace of a virus.
You can perform either a low-level or a high-level format on your HD. A
high-level format, which most people mean when they talk about formatting
their HD, is when the operating system, such as DOS or OS/2, writes the
structures necessary for managing files and data on each logical drive. For
DOS this would be the file allocation table (FAT), volume boot sector (VBS),
and the root directory. A low-level format is the real format, in which
tracks and sectors are written on the HD. A HD low-level format requires a
special utility which might be supplied by the disk controller manufacturer.

Getting back to the question about whether a virus can survive a HD reformat
or not. A virus that infects your Master Boot Sector (MBS) could survive a
high-level format because this doesn't affect your MBS at all. Also any
virus that is memory resident during a low- or high-level format would be
able to reinfect the HD as soon as the low- or high-level HD format was over
with, or in the case of a virus that infects your MBS, right after you
partition your HD.

------------------------------

Date: Sun, 18 Dec 94 20:57:07 -0500
From: basenji@gate.net (RA Kowalski)
Subject: RE: confused by infection(?) (PC)

I think I may have found the root of my problem. I discovered that I had a
second copy of write.exe in the windows/system directory. This was the
infected file. The windows directory write.exe is not infected.

I am still interested in any thoughts. Thx again.

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 104]
******************************************
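Added worked example (not from the digest, nor from any of its posters) for the point made in the three "can a virus survive a HD reformat" replies above and in the NetShield CRC thread: DOS FORMAT rewrites the volume boot sector, FATs and root directory inside a partition but never sector 0, so the reliable way to notice that the MBR boot code has changed is to compare it against a checksum recorded from a known-clean state, the same baseline-and-compare idea NetShield applies to executables. The disk image, the partition layout and the stand-in "virus" code are constructed for the demonstration; parse_mbr, check_mbr, build_image, high_level_format, infect_mbr and demo are names chosen here, not tools mentioned in the digest.

```python
# Added example (not digest code): baseline/compare check on the MBR boot
# code, the part of sector 0 that a high-level format never rewrites.
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 446       # bytes 0..445: boot code, the part an MBR infector replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Decode sector 0: SHA-256 of the boot code plus the in-use partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, n_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                      # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": n_sectors})
    return {"code_sha256": hashlib.sha256(sector[:MBR_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_code_sha256: str) -> tuple:
    """Compare the current boot code against a hash taken after a known-clean boot."""
    info = parse_mbr(sector)
    return info["code_sha256"] == baseline_code_sha256, info


# --- constructed disk image; layout and byte patterns are hypothetical ---
def build_image(n_sectors: int = 80) -> bytearray:
    image = bytearray(SECTOR * n_sectors)
    # stand-in for real boot code: a recognisable, inert byte pattern
    image[0:MBR_CODE_LEN] = bytes((i * 7) & 0xFF for i in range(MBR_CODE_LEN))
    # one bootable FAT16 (type 0x06) partition: starts at LBA 63, 16 sectors long
    entry = bytes([0x80, 0, 0, 0, 0x06, 0, 0, 0]) + struct.pack("<II", 63, 16)
    image[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    image[510:512] = BOOT_SIG
    return image


def high_level_format(image: bytearray, part: dict) -> None:
    """What DOS FORMAT does: rewrite the volume boot sector, FATs and root
    directory inside the partition.  Sector 0 (the MBR) is never written."""
    start = part["lba_start"] * SECTOR
    fresh_vbs = b"\xeb\x3c\x90MSDOS5.0" + bytes(SECTOR - 13) + BOOT_SIG   # constructed VBS
    image[start:start + SECTOR] = fresh_vbs
    # the next few sectors hold the FAT copies and the root directory
    image[start + SECTOR:start + 4 * SECTOR] = bytes(3 * SECTOR)


def infect_mbr(image: bytearray) -> None:
    """What a typical MBR infector does: replace the boot code but leave the
    partition table and 0x55AA signature alone so the machine still boots."""
    image[0:MBR_CODE_LEN] = b"\x90" * MBR_CODE_LEN     # hypothetical payload bytes


def demo() -> dict:
    image = build_image()
    baseline = parse_mbr(bytes(image[:SECTOR]))        # recorded while known clean
    part = baseline["partitions"][0]

    high_level_format(image, part)
    ok_after_format, _ = check_mbr(bytes(image[:SECTOR]), baseline["code_sha256"])

    infect_mbr(image)
    ok_after_infect, info = check_mbr(bytes(image[:SECTOR]), baseline["code_sha256"])

    return {"after_format": ok_after_format,    # True: FORMAT never touched sector 0
            "after_infect": ok_after_infect,    # False: boot code hash changed
            "table_intact": info["partitions"] == baseline["partitions"]}  # True


if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() reports after_format True (the clean baseline still matches after the simulated FORMAT), after_infect False (the boot-code hash no longer matches) and table_intact True (the partition entries are untouched, which is why an infected machine still boots). On a real machine the 512 bytes would come from a raw read of sector 0 while booted from a known-clean, write-protected floppy, as several posters recommend: a resident stealth MBR virus intercepts disk reads and hands back the original sector, so a baseline or a comparison taken on the running, infected system proves nothing.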