VIRUS-L Digest Tuesday, 6 Apr 1993 Volume 6 : Issue 57 Today's Topics: Ides of March Virus Conference Interested in research by Dr. Cohen Integrity checking (was: scanners) Scanners getting bigger and slower Wank virus on VAX/VMS (VAX/VMS) Uruguay on PS/2 ref disk (PC) Vir-Sig (PC) Re: Can I Get Infected If (PC) CLEAN Recovery? (PC) Catch from DIR? (PC) Unknown little virus? (PC) Re: April Viruses? (PC) Windows 3.1 Virus ?? (PC) Re: WordPerfect File growth etc. (PC) Help with Michelangelo! (PC) Re: Virsig (PC) Can a virus damage McAfee? (PC) gerbil.doc virus (PC) Re: Can I Get Infected If... (PC) Re: Catch from DIR? (PC) fixutil5.zip (PC) New file on risc / site listing (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk, krvw@first.org ---------------------------------------------------------------------- Date: Sun, 04 Apr 93 14:44:45 -0400 >From: Richard W. Lefkon Subject: Ides of March Virus Conference I've read Buford Buckeye's entertaining April Fool's spoof of the Ides of March conference, which appeared on Virus-L. Buford does have some valid points concerning what isn't the only conference specializing in malware but is certainly the oldest, best known, least costly to attend, largest - and most complex. For 1993 we spent a considerable amount of money on an outside management group to get what Buford calls "confusion" under control. To euphemize, the result did not live up to aspirations. As some know, the way the conference is run is being reorganized from the ground up. This process is not yet finished. When it is, the overall plan for March 1994 in New York will be made available to interested parties. In the meanwhile, nobody is going to claim "next year better" from here on because not all the major changes are yet complete. Even when they are, it will probably be more meaningful for you to draw your own conclusions based on what is put forth, rather than take my or anybody else's word on it. Those desiring to be kept posted on progress toward bettering the 1994 "7th," should e-mail a postal address to jsb@well.sf.ca.us. Thanks for taking the time to read this. - - Dick Lefkon, 1993 Program Chair 212-663-2315 ------------------------------ Date: Sun, 04 Apr 93 21:56:46 +0000 >From: s9106568@sandcastle.cosc.brocku.ca (PAUL NOLL) Subject: Interested in research by Dr. Cohen Hello, I am a university student doing research on computer viruses. I have already gotten information on DOS viruses, so much that it is up to my ears. I am now interested in viruses on different platforms especially MVS, VMS, and UNIX. I know that Dr. Cohen did some interesting work at the University of Southern California, where he proved that a UNIX viruses could give people root premission within a 1/2 half hour. I am very interested in the work Dr. Cohen has done on viruses. I would be interested in talking to him, any body that happens to read this and can help me please e-mail me the informatino at s9106568@sandcastle.cosc.brocku.ca. If you do read this Dr. Cohen please contact me. The idea of viruses and system security interest me greatly. Thank you in advance. - -- Be Seeing You. ############################################################### " We live on a placid island of ignorance, in the midst of black seas of infinity, and it was not meant that we should voyage far ... ! " -- H. P. Lovecraft (1890 - 1937) Paul Noll s9106568@sandcastle.cosc.BrockU.ca ############################################################### ------------------------------ Date: Wed, 31 Mar 93 08:50:00 +0100 >From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) Subject: Integrity checking (was: scanners) Y. Radai Writes: >> infection, correct me if I'm missing anything). > You certainly are missing things, for example companion viruses and > "fragmentation" viruses. Well, since I came here more to learn than to teach (which I doubt I'll ever do), I would sincerely appreciate it if you could more elaborate. I've been out of the virus world for too long, working on other projects my boss assigned, leaving the virus fighting untouched. > If you're not familiar with the concepts of companion viruses and > slow viruses, I suggest you take a look at questions B8 and B6 of the > FAQ sheet before you reply. Where to I acquire the FAQ sheet? [Moderator's note: The FAQ is posted monthly to comp.virus, and is available by anonymous FTP from cert.org, and many others.] > P.S. Inbar, just as you correctly pointed out to someone that he > should mention the person to whom he is replying, I think you should > pay attention to the Subject line. This discussion long ago ceased to > be about "scanners". I Apologize, I simply replied. Inbar Raz - - -- Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660 Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il - --- FMail 0.94 * Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210) ------------------------------ Date: Wed, 31 Mar 93 08:55:01 +0100 >From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) Subject: Scanners getting bigger and slower frisk@complex.is (Fridrik Skulason) writes: >>The whole point of having more than one scanner, is that there is a >>considerable amount of viruses which are considered rare, or extinct, whose >>chances of infecting you are unreal. > Unreal ? Well, the problem is that almost all "extinct" or "research only" > viruses are generally available on the virus exchange BBSes - so somebody > could download one of them and spread it. I see your point. However, the way I see it, when we're discussing protection of BIG companies, as opposed to the protection of private people, the chances of someone downloading a virus from a board in order to deliberately upload it, are much smaller, if existant at all. If a company is wise enough to enfore a prohibition of disk exchange, and capable of doing it, then the networks/modem connection are the only way to get infected, and assuming those links are reliable links with reliable sources, this reduces the chance even further. > As I have said before - the number of viruses should not affect the speed > significantly - memory shortage is a problem, however - in 5 years a virus > scanner might require more than 640K of memory to run....but so what ? > I think it is reasonable to expect "everybody" to have more memory than > that in 5 years.. I see your point. Well, I don't think I have the slightest idea about what 5 years from now will look for, in whatever concerns virus techniqes, virus availability and degree of common, and so on. This is is a fast business... Inbar Raz - - -- Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660 Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il - --- FMail 0.94 * Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210) ------------------------------ Date: 04 Apr 93 23:39:53 +0000 >From: rre900@barcelona.anu.edu.au (Rob Ewin) Subject: Wank virus on VAX/VMS (VAX/VMS) A colleague in Spain who does not have a Usenet connection (but does have e-mail) asks for information about a virus called "wank" on VAX/VMS systems. Could anyone who knows about this virus please mail him direct at: xmorago@imim.es thanks Rob Ewin, Unix Systems Support e-mail: Rob.Ewin@anu.edu.au Computer Services Centre, ANU phone: +61 6 249 4216 Canberra ACT 0200, AUSTRALIA fax: +61 6 249 3425 ------------------------------ Date: 28 Mar 93 11:01:00 +0000 >From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: Uruguay on PS/2 ref disk (PC) >From Kari Laine to All About Uruguay on PS/2 ref disk on 03-26-93 .bill.lambdin@frenchc.eskimo.com KL| There is something funny F-Prot has given false alarms on several KL| different files about Uruguay-virus and when I tried whether it will KL| really find the Uruguay-virus - it didn't find not at least the sampl KL| I have - funny. Kari: This is a known bug in F-Prot 2.06. You should upgrade to the 2.07 revision. Bill - --- * WinQwk 2.0 a#383 * 1554 activates Oct 1 - Dec 31 ------------------------------ Date: 28 Mar 93 11:09:00 +0000 >From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: Vir-Sig (PC) >From Demetre Koumanakos to All About Vir-Sig (PC) on 03-26-93 .bill.lambdin@frenchc.eskimo.com DK| It has been now more than 2 months since I was able to find DK| a new Vir-Sig file for TBAV from any of the known sources The latest revision of Vsig that I have seen was 9301 Yjey have added a lot of signatures to the new January release. I don't have FTP access, but I downloaded VSIG9301.ZIP from French Connection BBS in Seattle, Wa. (206) 771-1730. Bill - --- * WinQwk 2.0 a#383 * CHRISTMAS TREE activates Dec 24 - Jan 1 ------------------------------ Date: 28 Mar 93 11:32:00 +0000 >From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: Re: Can I Get Infected If (PC) >From An-ly Yao to All About Re: Can I Get Infected If on 03-27-93 .bill.lambdin@frenchc.eskimo.com AY| Y o u won't get infected! (Sorry for the weak joke...) AY| But if your PC used a COMMAND.COM on that disk for the DIR, and if th AY| COMMAND.COM was infected, than now perhaps also your PC might be infe I believe he was requesting information on boot sector infectors. The method you described, is a file infector. Almost everyone has a hard drive, and the command.com would not be executed. Bill - --- * WinQwk 2.0 a#383 * Leading Edge sent 500 computers with Michaelangelo ------------------------------ Date: 28 Mar 93 11:41:00 +0000 >From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: CLEAN Recovery? (PC) >From Chris Antkow to All About CLEAN Recovery? (PC) on 03-27-93 .bill.lambdin@frenchc.eskimo.com CA| Their system was an old 8086 with a 30mb HD running DOS v3.1 (Yeah! CA| OLD!). Stoned was nestled in the partition table... CLEAN did a great CA| job getting rid of Stoned in the partition table, but it also did a CA| great job of getting rid of the partition table... It sounds like you had a stoned variant. I believe Stoned stores the original data on track 0, Side 0, sector 7. Clean expects the original data to be stored in the location above. If the data isn't in the correct location, a corrupted partition table results. CA| PS: I'm really embarassed about asking about this seeing as how I've CA| only started reading Internet conferences for the last 4 months, but CA| what does IMHO stand for... (Geez don't I feel small...) IMHO is an acronym that stands for "In My Humble opinion". Bill - --- * WinQwk 2.0 a#383 * Hacked version of Telegard TG29EALP.* ------------------------------ Date: 28 Mar 93 11:19:00 +0000 >From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) Subject: Catch from DIR? (PC) >From Terry Lundgren to All About Catch from DIR? (PC) on 03-26-93 .bill.lambdin@frenchc.eskimo.com TL| I have received some excellent replies to my posting on catching TL| a virus. Basically the question is this: Assume my system is TL| clean and I have an infected disk. I put the disk in the drive TL| and do a DIR. Then I take the disk out. Can my system be TL| infected now? I have also heard people claim that accessing a diskette with a boot sector virus will infect the hard drive. I performed the following test with three boot sector viruses. Chinese Fish No-Int Stoned B Listed directory of infected diskette. Listed directory on the hard drive. Scanned the hard drive. Scan reported the virus in memory re-booted the computer Scanned the hard drive, and Scan reported that the hard drive was clean. So I can say with some assurance. The Boot sector of the floppy is read into memory, but not activated. None of the three viruses spread to the hard drive. Hope this helped. Bill - --- * WinQwk 2.0 a#383 * FLASH activates after Jun 1990 ------------------------------ Date: 04 Apr 93 08:09:17 -0500 >From: motreba@mat.torun.edu.pl (Maciej Otreba) Subject: Unknown little virus? (PC) Hi, Last time I had virus in my PC. It came from Internet probably with one from shareware games. The problem is that teh virus was not detected by any program. I tried to find it by Scan 100, F-Prot 2.07 and Polish AV program MkSVir (available at FUNET with on-line translator). This virus caused General Protection Fault in Windows 3.1 in krnl386.exe when running Write, Paintbrush, MS Word 2.0 and System Editor. It was probably very small. I think it took 32 bytes of base memory (difference between memory with and without virus). I throw it out by formatting HD and setting up system again. My question is: has anyone heard/seen anything about this virus? Is there any signature? Which programs in Internet might be infected? Thanks for attention, Maciej Otreba - -- ___________________________________________________ | / | | Maciej Otreba / E-MAIL: | |------------------------/--------------------------| | 87-116 Torun, POLAND / otreba@pltumk11.bitnet | | Dzialowskiego 4/4 / motreba@mat.torun.edu.pl | | phone +48-56-485645 / motreba@cc.torun.edu.pl | |____________________/______________________________| ------------------------------ Date: Sun, 04 Apr 93 09:30:24 -0400 >From: Mikael Larsson Subject: Re: April Viruses? (PC) > From: mechalas@expert.cc.purdue.edu (John Mechalas) mechalas@expert.cc.purdue.edu (John Mechalas) writes: > Does anyone have, or know where I can find, a listing of viruses that > trigger in April? And the other months? I remember someone posting the > list of March viruses, and it would be nice to have the rest of the months > layed out as well.... Hello John, Yes, I know.. there is a Hypertext Database available, with the name VSUMX3nn.ZIP (where nn is number of month).. Try downloading VSUMX303.ZIP or get it via FTP. You can find it via ftp from mcafee.com (I think). and by modem you can find it at VFR Systems (219) 273-2431. That listing contains info about all know viruses, activation dates, origin countries etc.. it's quite good. > Cheers, > John Regards, MiL - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Virus Help Centre Phone: +46-26 275740 Email: mikael@vhc.se Box 7018 Fax: +46-26 275720 or : mikael@abacus.hgs.se S-811 07 Sandviken BBS #1: +46-26 275710 Fido : 2:205/204 & 2:205/234 Sweden BBS #2: +46-26 275715 Authorized McAfee Agent! ------------------------------ Date: Sun, 04 Apr 93 14:39:06 +0000 >From: etxcred@ufsa.ericsson.se (Christer Edlund) Subject: Windows 3.1 Virus ?? (PC) My father in law just called me at my office, complaining about Windows menu-fonts getting gobbled up after some 30 minutes of playing PGA Tour (Golf ?) ... . Other application-fonts are also impossible to read. He looked around in directorys and found files (in all of them) that kept showing up after deletion. Their names are like: apbaaial, apbaaibb, apbocndm, apbocnec .... All of them 0 bytes. Well, the symtoms may be poorly described, but I hope someone can help me. Meantime I will try out "VirusCheck 3.0". regards, Christer ------------------------------ Date: Sun, 04 Apr 93 15:05:59 +0000 >From: scls_ss@uhura.cc.rochester.edu (Eric Scoles) Subject: Re: WordPerfect File growth etc. (PC) At risk of stretching this out more, just one more chime on the WP "virus". This text-file growth thing is absolutely "normal" (though annoying as all hell). Anyone who wants to know how to fix this & prevent it can mail me. In <0006.9303301139.AA22546@first.org> dhartung@chinet.chi.il.us (Dan Hartung) writes: >>seborg@first.org (Brian Seborg) writes: << deleted >> >There are problems related to abnormal exits from WP5.1 -- I haven't seen >"huge files" but we do occasionally get situations where a user is >locked out of their own SET file by Novell Netware. This would be due to Netware preventing WP's temp file from being deleted, probably. I've had the same problem with a security program we use here. >But the file-growth >problem (of about 2K each time) is different. WP seems to be making >multiple copies of the header information for fonts, printers, styles, >and so on. (If you look at the file with DISKEDIT or the like this >can easily be seen.) Actually, that file growth -- perfectly "normal", as you say -- can sometimes be in the range of 20-60K at a pop, for a one-page file. It's not a bug so much as a design flaw -- i.e., it's obviously _meant_ to work that way, but they didn't think through the logical consequences of that design in practice. >It only seems to happen to certain files under certain situations. It is most obvious when using Styles and large discreet printer driver files. But it also happens whenver you use the COPY or MOVE commands, though not as obviously. It >is a WordPerfect "behavior", however, and no virus causes it. >- -- >The Presidential Towers complex here | Dan Hartung | Ask me >in Chicago is bounded by four streets: | dhartung@chinet.chi.il.us | about >Jefferson, Adams, Monroe ..... | Birch Grove Software | Rotaract! > and Clinton! - -- Eric Scoles : <> University of Rochester --------: - --------------------------------------------------------------------- ------------------------------ Date: Thu, 01 Apr 93 10:51:01 +0100 >From: Malte.Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: Help with Michelangelo! (PC) Hi Michal! [Michelangelo] > memory). He owerwrite first 255 tracks of Hard-disk 0 completly > (all sectors on all heads). Other voices say Mikey just kills head 0 to 3 of tracks 0-255. Who is right? cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Thu, 01 Apr 93 07:37:21 +0000 >From: v922340@kemp.si.hhs.nl (Snaaijer) Subject: Re: Virsig (PC) demetre@phaethon.intranet.gr (Demetre Koumanakos) writes: |> It has been a couple of months now that I haven't been able to |> find a new Virsig file for TBAV. |> Does anyone know what the story is ? Frans Velman is workin on a new version of TBSCAN that has a new kind of signature file, this file is procompiled, so there is a smaller chance of tampering, the signature file is also entypoint aware and includes the *.avr files (so you only will need three files in your dir.) The New signature file will be updated at least every month and will be called tbsigxyy.zip x stands for the Least Significant digit of the year and yy stand for the followup number. the first signature file will thus be called TBSIG301.ZIP. there are more things about the new version, I can send a Beta versoion to Everybody who wants it, If there is enoug reply, i can send it to garbo. Hope you know enoug now. Ivar. E-mail : v922340@si.hhs.nl ... i can't help it, i'm born this way ... - ----------------------------------------------------------------------------- ------------------------------ Date: 05 Apr 93 08:14:37 -0400 >From: jmkerrig@vela.acs.oakland.edu (KERRIGAN JOHN M) Subject: Can a virus damage McAfee? (PC) I believe I may have contracted a boot sector virus on my PC. Upon rebooting from a clean disk and using the latest McAfee virus scanner, I received the message that my copy of the virus scanner had been damaged. This is a recent development since I had used the scanner last week with no problems. I also received this message when I tried to scan from (what I assume was) a copy protected disk. Any help would be appreciated. - -- - ------------------------------------------------------------------------------- ** John Kerrigan a.k.a. jmkerrig@vela.acs.oakland.edu ** - ------------------------------------------------------------------------------- ------------------------------ Date: Mon, 05 Apr 93 06:23:54 +0000 >From: colcloug%helios.usq.edu.au@zeus.usq.edu.au (Steven Colclough) Subject: gerbil.doc virus (PC) anyone come across this one? The gerbil.doc virus? takes a text file, turns it into rubbish and at the top it says gerbil.doc. weird, eh? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Steven Colclough colcloug@zeus.usq.edu.au Department of Information Systems Uni of Southern Queensland Toowoomba Terra Australis "There's a part of me that will never be free, and the part that's free will never be me" The Church ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: Mon, 05 Apr 93 15:02:14 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Can I Get Infected If... (PC) anlyyao@igc.apc.org (An-Ly Yao) writes: > But if your PC used a COMMAND.COM on that disk for the DIR, and if the > COMMAND.COM was infected, than now perhaps also your PC might be infected. DIR is an internal command and is executed by the currently loaded command interpreter. It DOES NOT require reloading of the command interpreter. Thus, even if the command interpreter on the floppy is infected, it WILL NOT be loaded (and executed) if you do a DIR on that floppy. Therefore, you CANNOT get infected this way. Regarding the original question - can you get infected if you do a DIR on a (possible infected) floppy. In order to get infected, you must execute some viral code. Therefore, the question is equivalent to whether you can execute some code by executing the DIR command on a floppy. The only way I could figure you can make the DIR command execute something, is to have some sort of ANSI escape sequence in the file names that appear in the directory listing. The volume label offers the most space for that (11 characters), but even it is not sufficient for a good and unnoticeable ANSI bomb. The most I could achieve was to make DIR cause the re-programming of a single key to produce a single character when pressed. This seems insufficient for ANSI bombs to me... Anyway, it is very easy to close this security hole. The options are: 1) Don't load ANSI.SYS. 2) Use a different, less brain-damaged ANSI driver, which allows you to disable keyboard reprogramming (e.g., NANSI). 3) Patch ANSI.SYS to change the keyboard reprogramming character to something else. 4) Use the TSR program PKSFANSI to disable the keyboard reprogramming. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Mon, 05 Apr 93 15:15:00 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Catch from DIR? (PC) Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) writes: > But DOS may fool you in a way that you _think_ you became infected: With the > DIR A: or DIR B: command, DOS loads the bootsector of the disk into a buffer. > If you scan the memory after such an action, a scanner may find the virus in > the DOS buffer - but this copy is not active, as it's never referenced and > will not be just by chance :-). This phenomenon is called a "glost virus". More exactly, it is called a "ghost false positive". Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Sun, 04 Apr 93 07:52:29 -0400 >From: HAYES@urvax.urich.edu Subject: fixutil5.zip (PC) Hello. just received from Padgett Peterson the newest version of his FIXUTIL suite of programs. The file is now available for FTP processing from us as FIXUTIL5.ZIP. Thanks Padgett! - ---- FIXUTIL5.NEW file --- FixUtilities copyright (C) 1989-1993 by Padgett - all rights reserved. FixUtil5 is the April 1993 revision of the FixUtils. WHAT'S NEW The major change is that the FixUtils are now all FREEWARE. For the Lawyers: A limited license is hereby granted such that anyone may use these copyrighted programs (see list below) without any charge of any kind so long as they are not altered nor are any deposited programs or code fragments altered in any way. Specifically, copyright notices and logos must display anytime a program or deposited code fragment executes. Distribution must include this notice. Weasel-Words: There are no warranties either granted or implied for fitness of any kind, use of these programs is entirely at the risk of the user. Major Changes FixMBR now generates automatically a copy of the original MBR with a user designated name of up to 7 characters. This .DAT file should be stored in a safe place off-line. When changed to a .COM file and executed, the original MBR will be restored. On machines having BIOS selection of the boot disk, users may now select booting only from the C: drive for additional protection from viruses. If the CTRL key is held down during the boot, SafeMBR, following integrity checking of the hard disk MBR will transfer the boot process to drive A: to allow booting from floppy for maintenance purposes. Other a) For those wishing a special corporate logo to display (e.g. "XYZ Corp. For Authorized Use Only") or suppression of the floppy boot option, this can be provided for a one-time-fee. b) Gifts cheerfully accepted. (POBox 1203, Windermere, FL, USA, 34786) Note: This distribution consists of thirteen files: FixUtil5.new - Changes since FixUtil3 FixMBR28.doc - Documentation/Mini Tutorial for FixMBR FixFBR1A.doc - Documentation for FIX floppy boot records FixMBR.exe - 2,395 bytes - the MBR repair/save program FixFBR.exe - 2,189 bytes - repair boot sectors of floppies ChkSMBR.exe - 555 bytes - the DOS SafeMBR check program NoFBoot.doc - documentation NoFBoot.com - 368 bytes - simple floppy boot protection Chk.doc - Documentation for ChkMEM, ChkBoot, & ChkCMOS ChkCMOS.exe - 1,195 bytes - Checks CMOS for IBM-AT type values ChkMEM.com - 1,584 bytes - memory usage program ChkBoot.exe - 1,357 bytes - checks for suspicious boot sectors (floppy & hard disks) FixUtil5.val - Validation numbers for McAfee's Validate - ------------- Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Mon, 05 Apr 93 09:09:37 -0400 >From: James Ford Subject: New file on risc / site listing (PC) The file vsig9303.zip has been placed on risc.ua.edu for anonymous ftp in the directory /pub/ibm-antivirus. (risc.ua.edu = 130.160.4.7) Below is a listing of files available on risc via anonymous FTP. I have been away on spring break the past week and feel sure that there are probably some updates I have missed. If you notice an outdated file, please let me know. If you know where I can ftp an update from, I would appreciate you dropping me a line. - -- jf - -------------------------------------------------------------------------- 0files.9304 ds115.zip secur235.zip virlab15.zip 20a10.zip fixutil3.zip sentry02.zip virpres.zip Valert-l.readme fp-207.zip stealth.zip virsimul.zip Virus-l.faq fshld15.zip tbav504.zip virstop.zip Virus-l.readme fsp_184.zip tbavx503.zip virusck.zip aavirus.zip hack1192.zip trapdisk.zip virusgrd.zip allmsg.zip hs32.zip unvir902.zip virx26d.zip asig9301.zip htscan19.zip uxencode.pas vkill10.zip avs_e224.zip i-m141.zip v-faq.zip vshell10.zip bbug.zip innoc5.zip vacbrain.zip vshld102.zip bootid.zip killmonk.zip vaccine.zip vsig9303.zip catchm18.zip m-disk.zip vaccinea.zip vstop54.zip ccc91.zip msg_9_12.zip validat3.zip vsumx301.zip chk.zip mtetests.zip validate.crc vtac48.zip chkint.zip netsc102.zip vc300ega.zip vtec30a.zip clean102.zip nshld111.zip vc300lte.zip wcv201.zip cvc792am.zip ocln102.zip vcheck11.zip wp-hdisk.zip cvc792ma.zip onet102.zip vchk23b.zip wscan102.zip cvc792ms.zip oscn102.zip vcopy82.zip ztec61b.zip cvcindex.zip pkz110eu.exe vdetect.zip dir2clr.zip scanv102.zip vds210t.zip ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 57] *****************************************