VIRUS-L Digest Wednesday, 26 Jan 1994 Volume 7 : Issue 7 Today's Topics: re: AI and Anti-viral studies "Good Viruses?" and other stuff AI techniques for anti-viruses "Good Viruses?" What is a virus ? Request for Virus Information Re: Something that looks like a new idea for an antivirus virus NETWARE Virus? (Novell) NetWare virus info (Novell) What happened to SHI (Amiga) Re: "Barrote" Virus alert ... (PC) Re: Rael virus (PC) Potential trojan found (PC) Re: Form virus (PC) Re: Rael virus (PC) Reviews/opinions of Norman's ARMOUR? (PC) Re: Need info on "RIPPER" virus. (PC) Good IBM software (PC) Re: Can't load NETSHLD 1.56 (can't find IsColorMonitor) (PC) Re: Telcom PT2 (PC) Re: HELP with virus !!! (PC) re: Help in removing Monkey virus from hard disk (PC) Re: What Scanner is the Best (PC) McAfee Scan V111 Problems (PC) Re: What Scanner is the Best (PC) Re: F-PROT Professional v 2.10 (PC) Fprot or McAfee (PC) Re: Help with Little red virus (PC) Re: MicroSoft Anti-Virus question (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. 
Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 19 Jan 94 11:06:40 -0500 From: "David M. Chess" Subject: re: AI and Anti-viral studies >From: hendee@ocean.dnet.nasa.gov (Jim Hendee) > Is anybody really using AI techniques in their antivirus >software engineering? It would seem that a rule-based system would be a >good one for engineering a good antivirus product ... The primary use of AI is in ad copy: "...a sophisticated rule-based system...". Of course, all of the rules are of the form "if the file contains the binary string xxxxx, report virus vvvvv"! *8) While various AI-related fields are very interesting, and some have at least superficial links to viruses and virus prevention, IMHO very few techniques that really deserve the "AI" label are developed enough to have practical impact on the field. Heuristic detectors are of course rule-based in some sense (as is every computer program), but they are seldom or never implemented in the separate-rules-from-rule-engine style that marks (attempts at) AI; this is because, as you point out, that style is slow. Genetic algorithms sound like they should have something to do with viruses, but in fact the link is tenuous and occasional: in real life, viruses mutate very seldom, and almost never in interesting ways. Aside from the obvious observation that some modifications are better than others, I don't see a lot of relevance, certainly not to Holland-syle GA. We've done studies based on epidemiological models of disease spread; these models may also be relevant to artifical-life studies, but the relationship is at one remove. And so on. Some techniques from the field of AI (various search methods, heuristic techniques in general, and so on) are useful as parts of an anti-virus research strategy, but none (IMHO) has a really strong practical connection, despite initial impressions. If you can think of some concrete way that some AI technique (or any other technique!) 
might be useful in (anti-)virus research, do post it here! (And, of course, be prepared to ignore a number of knee-jerk negative comments; this is the Net after all, hehe.) - - -- - David M. Chess | * Undecidable Signature ?Virus * High Integrity Computing Lab | Copy me to your .sig iff you don't IBM Watson Research | think I'm a signature virus ------------------------------ Date: Fri, 21 Jan 94 09:11:51 -0500 From: Brian Seborg Subject: "Good Viruses?" and other stuff First, let me answer a few questions quickly: PC Cyborg is a hacker who has broken the copy protection of many programs. Seeing this message on any game you have run does not necessarily imply a virus, but it does likely imply that you are bootlegging software and depriving someone of the income it takes to keep them in business writing game software. If you use it, pay for it. Also, invest in a scanner! Second, the FORM virus infects the DOS boot sector of hard drives and the boot sector of diskettes. This virus is quickly becomming one of the more popular viruses replacing Stoned as one of the most widely reported viruses. To cure, reboot from a write-protected floppy that has the same version of the operating system as the one on your infected hard drive, then run SYS C:. This will replace the infected boot sector where the FORM virus has infected and will kill the virus. Now, into the fire... Ktark writes that he is unconvinced that all viruses are inherently bad. Well, try reading my other posting! Okay, I concede that viruses in a lab that is isolated from the world were I am conducting research into viruses and artificial life may not be bad because I want them there. But, I think we are talking about viruses in the wild. Viruses in the wild are inherently bad. (I checked the dictionary meaning of 'inherent' :-)) To state otherwise would be to deny reality. 
As we have stated before, anything that can be done with a virus, can be done with a non-virus program (or I should say, anything useful). In my opinion, Cohen is essentially stating a research hypothesis when he talks about useful viruses. Research into this is not inherently bad, but Cohen, I'm sure, is conducting this research in a lab environment. Research for research sake can lead to new knowledge, but as we all know, is unlikely to produce a commercially viable product! :-) Let's put it this way, I challenge anyone to put forth (even conceptually) a virus that would be considered "good" in that it would be beneficial for it to be released in the wild. The compression virus that Cohen postulates, is not something that we desire, compression is being done perfectly well by other methods. Cohen is just putting this out to stimulate thought. I can't believe that he actually thinks for one minute that he will actually be producing and releasing into the wild, good viruses. There is no such thing. If there was, then we would be ready to just allow them to infect our systems right? Ktark, there is one saying that I think fits here "Wake up and smell the coffee!" To postulate that there is a good virus is to postulate that you know better than anyone else what is good for their systems. Would you advocate releasing "good" viruses into the world? Have you ever heard of version control? Configuration management? System integrity? I would not discourage you from looking for the "holy grail" of useful viruses in a lab environment, but don't flaunt your ignorance by stating that there is such a thing as a good virus in the wild. If you want to get into a philosophical discussion and get into proofs by contradiction etc. that is useful for the parties and 2:00 a.m. conversation but has no application to reality. Perhaps you ought to ask Cohen if he would really be willing to release one of his "good" viruses into the wild? Even as a commercial product? 
I would imagine that he would admit that research in the lab will likely be as far as he will ever go. You remember that people did once think the world was flat, that's because their view was limited. I think the view that there are good viruses only applies to labwork. No such thing exists in the wild. Period. Brian Seborg VDS Advanced Research Group ------------------------------ Date: Fri, 21 Jan 94 10:19:15 -0500 From: Brian Seborg Subject: AI techniques for anti-viruses Jim Hendee asked a question about AI techniques and anti-viruses, it is likely the case that all anti-viruses (or most anyway) use some AI techniques in order to detect viruses. Many uses heuristics, and in fact, this is the only way to detect polymorphic viruses. So, to an extent, AI is already in use. As far as using neural networks for virus detection, I have done some research in this area. So as not to bore you with the details, I will simply state the problems I discovered that have to be overcome if this technique is ever to bear any fruit: 1) Static code disassemblies are often useless in ascertaining the true function of a virus. Many viruses have encrypted code or self-modifying code that does not show itself in other than a dynamic/trace disassembly. To perform this will take some time, and a virtual machine that will not be subject to virus armouring against disassembly. 2) Is there anything inherently different between virus code and normal code? If the answer is no, then neural networks will not be able to distinguish between the two. 3) How do you get a neural network to distinguish between code and data? 4) What n-tuples will you feed into the neural network? If you are off by even a single instruction, your whole interpretation of the code can be different. 5) If you can create a neural network (most likely back-propogation), can you even get convergence for viral and non-viral code samples? 
6) This techinique likely involves the following: choose a random sample out of the virus population (stratified random sample would be best to ensure that the code in the sample was representative of the population). Also, do the same for non-virus programs. Use them to train a neural network (assuming you can get convergence). Then use the neural network to test the rest of your viruses and non-viruses. Does it catch them? What are the type 1 and type 2 error rates? Are they acceptable (some would say that only 100% detection and 0% false positives would be acceptable)? I would say that if you could come close, this would be interesting, but no one is likely to take notice unless you can do at least as well as conventional techniques. I am not trying to discourage research in this area. I only wanted to state some of the problems that have to be surmounted before it can be even moderately feasible to use neural networks for the detection of viruses. I think that someone may eventually be able to come up with solutions to the problems I have raised. It was beyond my nominal understanding of neural networks to do this and perhaps that was the major limiting factor. :-) Brian Seborg VDS Advanced Research Group ------------------------------ Date: Tue, 25 Jan 94 14:56:10 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: "Good Viruses?" From: ktark@src4src.linet.org >Let us add some more world perspective to this: >You have an economical and personal interest in making all computer viruses >appear as evil incarnate, you make a living out of this premise, whether >you like it or not. >Let us hear from someone who has no stakes in this matter.. (deleted my original opening lines, were too emotional) I have a personal interest in making viruses obsolete so that I do not have to deal with them any longer. I do not have an "economical" interest (did once - spent *lots* more money than I made - now all of my software is FreeWare). 
Ever wonder why AI and Expert Systems are not found in aircraft flight controls ? Because it *must* be exactly the same in the field as it is in the lab. PCs crash a lot. We accept that. The crash that would result from a loss of the digital flight control system in an F-16 is liable to make a lot more noise. The simple fact is that we have trouble predicting how a stable system w ill operate under every possible condition without adding the instability a virus would cause. The example of a computer that has no contact with the outside reminds me of the SPACKLE cure - effective but the computer is useless. This is the effect of the pro-virus arguments I've seen so far - at best a virus has no social value and it goes negative from there. Further, *every* use I have seen postulated for a virus does not require a virus to accomplish. Certainly, I have seen some innovative programming techniques used in viruses *but never in what made the virus a virus* - that part is trivial, well documented, and boooooooring. Invariably, it is the evasion and "stealth" that I find interesting. The fact is that most of the virus code I've seen lately has been remarkably bad and carelessly written. Take the SBug - it can't even add right (and that's something that computers are really good at) when it goes resident. True, it has a complex mutating mechanism but that just makes repair difficult, not detection. Kind of like cutting the end of a bullet to ensure maiming and not just a recoverable wound. Wanton destruction. Vandalism. Zip guns and pipe bombs. Personally, virus writers remind me of a litter of puppies, investigating everything without really understanding it. Eventually they grow up if they stay out of real danger but meanwhile someone else has to clean up their messes. Enough, Padgett ------------------------------ Date: Tue, 25 Jan 94 10:21:11 -0500 From: Simon Callan (on GN57 at Borehamwood) Subject: What is a virus ? 
I recenly came across this in a document that describes viruses that run on the Acorn Archimdes computer. It is part of the description of a not-uncommon virus. Is there anyone out there who thinks that this is a valid reason for not calling it a virus? And if so, what is it? This is not a virus as such, due to the fact no actual harm is down to your discs. It is merely a desktop 'silly' hat is capable of replicating amongst any application NOT already having a !Boot file. Simon ================================================================================ Simon Callan Janet : Simon.Callan@uk.co.gpt GPT Data Systems Internet : Simon.Callan@gpt.co.uk Elstree Way Borehamwood Herts, WD6 1RX The above opinions are mine, all mine, and you CAN'T have them. ================================================================================ ------------------------------ Date: Tue, 25 Jan 94 14:34:54 -0500 From: ALLENTAYLOR@delphi.com Subject: Request for Virus Information > Date: Mon, 10 Jan 94 08:19:43 -0500 > From: tom_katt@spirea.gih.no (Tom Katt) > Subject: Request for help about Viruses (PC) > We are group of students who are going to make simulation program > and therefore needs information about viruses: > -what damage they do > -the visual effects on display > -what happends when the viruses is active > -the category the viruses are placed in > -if there are some good simulation programs available on internet > can get ideas/hints from. > Ellen, Ove R. and Dag R. The following files may be of assistance to you in your study of computer viruses. They are available via anonymous FTP or if FTP is not available to you, send your mailing [post] address to allentaylor.delphi.com and I will mail the diskettes to you via conventional surface mail. 
File Name Description Source - ------------- ---------------------- ---------------------------- VIRSIM2C.ZIP Virus Simulator FTP 192.187.128.1 VIRPRES2.ZIP Virus Presentation FTP 192.187.128.1 VSUMX312.ZIP Virus Information FTP 192.187.128.1 FP_210C.ZIP Virus Scanner/Info FTP OAK.OAKLAND.EDU FAQ.TXT Frequently Asked Questions FTP 192.88.209.5 Best Wishes, - ---------------------------------------------------------------------------- | Allen G. Taylor | allentaylor.delphi.com | | Computer Virus Research Center | ** CVRC BBS ** | | Indianapolis, Indiana, USA | Specializing in Anti-Virus Software | - ---------------------------------------------------------------------------- ------------------------------ Date: Tue, 25 Jan 94 16:15:56 -0500 From: datadec@ucrengr.ucr.edu (kevin marcus) Subject: Re: Something that looks like a new idea for an antivirus virus wrote: > The system would not only identify the virus and repair files that have been >modified, but also send a message to every other computer on the network to >tell them how to destroy the virus. You should take a look at a product that has been out for awhile -- The Norton AntiVirus 3.0, for networks. It does something similar already. >the telltale pattern of bytes it inserts in any file that it modifies in the >infected computer - and add that to antiviral programs' "wanted lists". White >says that cirrent programs recognise about 2000 viruses. > But this is too slow a process for the world that White envisages. So the >HICL is creating a system that will identlfy viruses, not by comparing their >code to a reference library, but by watching them at work. > A typical virus seeks out data files that are frequently accessed or This concept is called Integrity checking. Several products are currently available which do this. >files for any sign of tampering, and then begin to create "decoy files" which >are repeatedly accessed (but not altered) to make them attractive to a virus. 
>If a decoy file grows longer, the system has both caught the virus at work and >its signature. This is not totally true; How would DIR-II be handled in this case? What about other memory resident stealth viruses? There must be some form of memory identification. If not, as a more secure system, there could be a boot from a floppy forced before the execution of the program will run. But, even then, who's to say a disk isn't infectde already? - -- -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842. Computer Science Dept., University of California, Riverside. "The best angle to use on a problem is the try-angle. If that doesn't work, try the wrecked-angle..." ------------------------------ Date: Mon, 24 Jan 94 09:32:54 -0500 From: "David M. Chess" Subject: NETWARE Virus? (Novell) > From: hitcmap@nebula.syscon.hii.com > Can someone please point me to a FAQ on Netware fileserve viruses? I > have not heard of a virus that actually destroys a Netware volume, or > ABENDS the server. There are no known viruses that run on the Netware operating system itself (that's the operating system that the server itself runs). The known viruses work under the OS's that the server's clients are using; if there's some combination of client operations that can destroy a volume or abend the server, a client virus could conceivably do that. But I don't know of any virus currently active "in the wild" that intentionally does any damage to a Netware server that it finds itself running on a client of. There are various anti-virus NLMs out there; see for instance a review in PC Week, December 27, 1993 (scattered about on pages 71-82 or so). IBM AntiVirus includes an NLM starting with version 1.04. (It's one of the ones included in that review.) - - -- - David M. 
Chess High Integrity Computing Lab IBM Watson Research ------------------------------ Date: Mon, 24 Jan 94 09:45:28 -0500 From: KIDAJ.TRANSCOM@transcom.safb.af.mil (KIDA JOHN H) Subject: NetWare virus info (Novell) I also request infomation several months ago without any luck on FAQ on NOVELL-VIRUS and protection. While I got a alot of "if you get info please send..." I was never able to locate any hard info. IF anyone is thinking of writing a BOOK and looking for a subject here it is. I'll buy the book.. ------------------------------ Date: Tue, 25 Jan 94 03:01:59 -0500 From: kohli@iam.unibe.ch (Reto Kohli) Subject: What happened to SHI (Amiga) Hi Everyone ! Anyone recently heard of Safe Hex International ? I would greatly appreciate getting an internet address to contact them, if they still exist. Please email, I will summarize if necessary. Reto - ----------------------------------------------------------------------- This is NOT a footer ------------------------------ Date: Wed, 19 Jan 94 11:06:46 -0500 From: frisk@complex.is (Fridrik Skulason) Subject: Re: "Barrote" Virus alert ... (PC) pete@secyt.secyt.gov.AR (Jorge Amodio) writes: > This virus have appeared at spanish and argentinian scientific > bases in the antartic continent. Which made the virus problem truly global, I guess :-) > - Executable files are incremented by 1300 bytes. Exactly 1300 ? There are six different variants of the Barrotes virus known, one 1303 byte long, and five 1310 byte ones. If it is exactly 1300 bytes long, it must be a new variant, and you should send a sample to one or more of the better-known virus researchers. 
- -frisk Fridrik Skulason Frisk Software International phone: +354-1-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274 ------------------------------ Date: Wed, 19 Jan 94 10:53:37 -0500 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Rael virus (PC) gmuslera@chasque.apc.org (Gustavo Muslera) writes: >Someone out there know something about the "Rael" virus? It's >reported by TBAV 6.09, but not by F-Prot 2.10c or Scan 109... Right...I got a copy of this virus just a short time ago. I haven't analysed it in detail, just a minimal analysis to allow F-PROT to detect/disinfect it. It is 3211 bytes, appends itself to .COM files and overwrites the first 3 bytes with a jump to the virus code. I think I added detection/disinfection of it in 2.10f, but internally we are up to 2.10h - all those minor versions are not released officially, as that would mean a new version every week, and (I guess) significant confusion. The latest OFFICIAL version is 2.10c, but we can send a copy of a later version to anybody who has a problem with this virus (or any of the other 200 or so new viruses we have added since 2.10c). - -frisk Fridrik Skulason Frisk Software International phone: +354-1-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274 ------------------------------ Date: Fri, 21 Jan 94 01:32:55 -0500 From: owenh@spacebbs.com (Owen Hawkins) Subject: Potential trojan found (PC) FROM: Owen Hawkins - Sysop - Space BBS, Menlo Park CA (415) 323-4193 (BBS) Internet: owenh@spacebbs.com ************ TROJAN ALERT **************************** Two users reported that a program named MKDEMO wiped out all of their files in the root directory. Program purports to be a demo of a new game. Subsequent viewing of the EXE with a hex editor confirms same in that filenames such as command.com, config.sys, etc were found as well as "Gotcha" messages. 
The following is the CRC values using PKUNZIP 2.04 Searching ZIP: MKDEMO.ZIP - Length Method Size Ratio Date Time CRC-32 Attr Name ------ ------ ----- ----- ---- ---- -------- ---- ---- 7264 DeflatN 4169 43% 01-15-94 16:00 6aa2408f --w- MKDEMO.EXE 2629981 DeflatN 1041388 61% 01-12-94 17:02 3e785170 --w- MKDEMO.DAT ------ ------ --- ------- 2637245 1045557 61% 2 If you are using FWKCS: Copy the two lines directly below to a file named XCSLIST.DEL 3E785170 28215DxMKDEMO.DAT MKDEMO.ZIP 6AA2408F 1C60xMKDEMO.EXE MKDEMO.ZIP then run the command: FWKCS /t20u XCSLIST.DEL ------------------------------ Date: Thu, 20 Jan 94 23:36:01 -0500 From: SNATHAN@delphi.com Subject: Re: Form virus (PC) As I understand it, the Form virus infects command.com and the boot s your disk when you boot the machine with an infected disk in the floppy drive. The only way to fix it is to boot from a write protected "clean" floppy and either reinstall the system or use a disinfectant program such as NORTON ANTI-VIRUS. Hope that helps. Steve Nathan ------------------------------ Date: Thu, 20 Jan 94 21:27:35 +0300 From: eugene Subject: Re: Rael virus (PC) > Someone out there know something about the "Rael" virus? It's Rael-3211 --------- It's a dangerous memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself at the end of COM-files (excluding COMMAND.COM) are executed or opened. It hits the files on searching also (DOS functions FindFirst/Next ASCII), this virus contains the text strings c:\dos\sys.com c:\dos\dosshell.com c:\dos\format.com c:\dos\keyb.com and hits these files on execution of infected file. In depending of system timer this virus infects the files by trojan program which erases disk sectors on execution. On 14th of every month it deletes the files after infection, and starting from 12:00 it displays the message: *** ** *** * * * * * * * *** **** *** * * * * * * * * * * * *** **** IMPERIAL AEROSOL KID V 01/NOV/93 por RAEL Where '*' is B2h ASCII. 
This virus contains the internal text strings also: com COMMAND command RAEL-IMPERIAL AEROSOL KID VIRUS III -Buenos Aires-Argentina- ...Rael, Imperial Aerosol Kid-exits in the daylight, spraygun head... - SaTaNiC BRaIn B.B.S. 383-7480 Las 24 Horas - > The virus is detected with newer versions of another antivirus (I ear > something about scan 110, f-prot 2.10f, and AVP 1.07b)? How i can get AVP 1.07c detects/disinfects it. Regards, Eugene - --- - -- Eugene Kaspersky, KAMI Group, Moscow, Russia - -- eugene@kamis.msk.su +7 (095)278-9949 ------------------------------ Date: Thu, 20 Jan 94 20:43:26 -0500 From: Richard Hosker Subject: Reviews/opinions of Norman's ARMOUR? (PC) Norman Data Defense's ARMOUR was recently recommended to me as a "good antiviral package". I'd be interested in objective comments and informed opinions, pro or con, regarding ARMOUR, and any pointers to published reviews of the package. How does ARMOUR stack up against, say, F-PROT or the McAfee suite for variety of virii recognized and removed, scanning speed, frequency of update releases, ease of use by non-expert users, general reliability of disinfection routines, lack of false positives, etc.? Please reply by email; I'll summarize responses in a few weeks. Thanks in advance... ============================================================================== Richard Hosker : ttttttttt rph0470@gemini.tntech.edu : t u t u Tennessee Technological University rph0470@tntech.bitnet : t u t u Cookeville, TN Box 6083, Cookeville, TN 38505 : t uuuuu ============================================================================== #include ------------------------------ Date: Mon, 24 Jan 94 09:25:47 -0500 From: "David M. Chess" Subject: Re: Need info on "RIPPER" virus. (PC) >Don't know much about how Ripper works, but it does infect >format.com and unformat.com. To check a PC is clean, we system >format a floppy and see if Ripper appears on it. 
No, actually Ripper is purely a boot-sector infector; it doesn't infect any files at all (see Roger Riordan's very nice description in VIRUS-L 7/5). If the Ripper is active in memory and you use a non-write-protected diskette in basically any way (including formatting it), the virus will infect the diskette. It's not that format.com is infected, it's that the virus is active in memory and infecting any diskette that format.com (or anything else!) is pointed at. - - -- - David M. Chess | "I been ionized, High Integrity Computing Lab | but I'm OK now." IBM Watson Research | - Buckaroo Bonzai ------------------------------ Date: Mon, 24 Jan 94 10:21:29 -0500 From: smithc@minerva.cis.yale.edu (Christopher L Smith) Subject: Good IBM software (PC) With some of my work I need a good software platform for IBM that I can move from machine to machine. I need to be able to detect and curer viruses, but the users of the different machines do not necessarily have hard disk space available to install something on. Any advice would be appreciated. - -- Christopher L. Smith Yale Divinity School SUNY at Stony Brook (Applied Mathematics) New Haven, CT Stony Brook, NY smithc@minerva.cis.yale.edu smithc@ams.sunysb.edu Also at: CHRISTOPHER_L_SMITH.parti%pcusa01@uunet.UU.NET ------------------------------ Date: Mon, 24 Jan 94 19:28:58 -0500 From: mcafee@netcom.com (McAfee Associates) Subject: Re: Can't load NETSHLD 1.56 (can't find IsColorMonitor) (PC) Hello Mr. Maylaender, You write: >I can't load the NETSHLD module (Ver 1.56/ McAfee). >I know it is the right version for Novell NetWare v3.11 >and i loaded SPXFIX2.NLM bevore NETSHLD.NLM. >So, this is the way i tried to load NETSHLD.NLM: > >load SYS:SYSTEM/ANTIVIR/NETSHLD load > >This is the reaction: > >Loading module NETSHLD.NLM > NETSHIELD > Version 1.56 December1, 1993 >Loader cannot find public symbol: IsColorMonitor >Load file referenced undefined public variable. >Module NETSHLD.NLM NOT loaded > >How can i solve this problem ? 
The "Loader cannot find..." error message is an error message from NETShield saying that it is trying to use a function from your Novell C Runtime Library (CLIB.NLM) that is not available in the version of CLIB.NLM running on your server. This can be fixed by installing Revision D of CLIB.NLM for Novell NetWare v3.11, which is dated December, 1992. You can download a copy from NetWire (Novell's forums on CompuServe) or your local Novell dealer should have the file. It is also available from the mcafee.com anonymous ftp site in the pub/antivirus directory as 311LIB.EXE (it is a self-extracting file). Regards, Aryeh Goretsky Technical Support - -- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com 2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95051-0963 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW ------------------------------ Date: Mon, 24 Jan 94 18:41:41 -0500 From: datadec@ucrengr.ucr.edu (kevin marcus) Subject: Re: Telcom PT2 (PC) Alan Reed wrote: >I have a user's PC that runs under DOS 6 and when CPAV is run this claims >to find Telecom PT2 just after the memory scan and before the scan of files. >On trying to remove this virus CPAV says 'disk error' and does not remove the >virus. F-prot 2.10 does not detect any virus at all even when the system is >booted from a clean DOS6 bootable disk. CPAV still thinks Telecom PT2 is >present but I cannot infect a floppy disk. Has anyone else seen this effect >and can advise me? Are you using any other antivirus programs at the same time as CPAV? More likely than not, this is justa false positive. CPAV is pretty well known for not being compatible with other AV products, and this sounds a lot like a false id to me. 
Try to boot from that same disk, but don't execute a config.sys or autoexec.bat with anything more than a files=20 and maybe a prompt $p$g, respectively... Rescan the system with CPAV and see if it goes away. - -- -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842. Computer Science Dept., University of California, Riverside. "The best angle to use on a problem is the try-angle. If that doesn't work, try the wrecked-angle..." ------------------------------ Date: Mon, 24 Jan 94 18:38:12 -0500 From: datadec@ucrengr.ucr.edu (kevin marcus) Subject: Re: HELP with virus !!! (PC) Son Nguyen wrote: >Help! I think we have a virus. Here's the haps: > >before locking the pc, we get the following message on the >screen: "((cc)) CCooppyyrriigghhtt 11998844,, 1199877 AAwwaarrdd >SSooffttwwaarree IInncc.. AAllll RRiigghhttss RReesseerrvveedd*". >Then the hard disk led stays on and the hard drive partition >is completely lost. I've tried scanning with Mcafee's, >Norton's, PCTools' and none of them found a virus. A message like the one you keyed in can often be found in memory around f000:0000, from your bios. It's quite odd that would be printed out, and I don't know of any virus that would print that. You should try to boot from a known noninfected write protected floppy and then scan your drive. Also, you might want to make sure your CMOS parameters for your drive are correct (if you have an AT). If you left the computer on for a few moments with the hard drive light on, did anything happen? Maybe a message like, "hard disk controller failure" or something similar? To me, it sounds like a non-virus related problem, maybe even hardware (It's probably an old system judging by the copyright date) - -- -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842. Computer Science Dept., University of California, Riverside. 
"The best angle to use on a problem is the try-angle. If that doesn't work, try the wrecked-angle..."

------------------------------

Date: 24 Jan 94 21:53:01 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: re: Help in removing Monkey virus from hard disk (PC)

Dear All,

Maybe I have missed the thread somewhere here, but in case I have not, here are some step-by-step instructions for removing viruses like Monkey. Forgive any technical screw-ups, but I'm working from home (unsupported by a safety net here folks!).

Problem: If I boot from the hard drive, the hard disk appears to be okay, but I have a MBS virus in memory. If I boot from the floppy disk, DOS cannot see the hard drive. If I use FDISK /MBR, I screw up my disk.

Answer: Let's consider what the virus is doing here. The virus replaces the entire contents of the MBS with virus code, moving the original MBS elsewhere on the disk. This means that if I boot from a floppy disk, the partition information which DOS needs to 'see' drive C: is not there. This means that DOS cannot find a DOS partition, and therefore won't read the hard drive.

FDISK /MBR won't work in such circumstances, because it works by replacing the executable code in the MBS, without changing any of the partition information. Thus, the virus is removed, but the partition information is screwed up. No virus, but no hard disk either. Sigh.

However, when the virus is active, DOS can access the hard drive. Why? Because the virus uses stealth techniques to swap in the original contents of the MBS, giving DOS access to the partition information which it needs. This gives us the clue of how to disinfect the disk. I should point out that this is a last resort.

1. Make certain that the virus is not about to trigger - not too difficult if you know what virus you have.

2. Boot from the hard drive. From this point onwards, the virus will be memory resident.

3. Use any disk utility (eg Norton - is there any other?
:-) to read in the contents of the 1st physical sector on the disk. This should end with a 55AA if it is the original DOS MBS. Save this sector as a file onto a floppy disk. Please note that this floppy disk will become infected in the process.

4. Turn off the PC.

5. Boot from a clean, write-protected disk.

6. The DOS partition of the hard drive will now no longer be visible *but* the hard drive can still be got at on a sector by sector basis. Use your favourite disk editor to copy the contents of the file created in step 3 into the first sector of the drive.

7. Hold your breath. Reboot the machine from the hard drive. The virus should now be gone. (cue Tada.wav)... and the hard drive will be accessible.

For all MBS viruses encountered which cannot be disinfected with FDISK /MBR, this technique should work. HOWEVER, if you lose all your data doing this I don't want to be responsible.

If you need more help on Boot Sector virus disinfection, Email me, or better yet, post your question.

Hope this helps,

Dicky Ford
Editor, Virus Bulletin.

------------------------------

Date: Tue, 25 Jan 94 06:13:39 -0500
From: Martin_blas Perez Pinilla
Subject: Re: What Scanner is the Best (PC)

> What is the best virus scanner/ remover available? I have DOS 6.2 and

Do you want to start a flame war? :-)

> Microsoft Anti-Virus but how can this be good if it is not updated? I

It is bad with or without updates.

> have used McAffee's SCAN.EXE and CLEAN.EXE and they seem to work well. I
> am looking for cheap software that runs quickly but will be very effective.

F-PROT is very cheap (=<$1 per machine and free for individual use in your home) and very good. Try it! Also, you can use an integrity checker.

Regards,

- -mb
M.B.
Perez Pinilla               | mtppepim@lg.ehu.es | Write 10^6 times:
Departamento de Matematicas |                    | "I'll never waste bandwidth"
Universidad del Pais Vasco  | SPAIN              |

------------------------------

Date: Tue, 25 Jan 94 15:02:23 +0000
From: msc@austin.ibm.com (Mike Charrier)
Subject: McAfee Scan V111 Problems (PC)

I recently obtained McAfee's Scan (version 111) for my home machines. It ran fine the first time I used it, but the second time I ran it I received the message:

EMM386: Protection fault at 42BC:1DFE
Press any key to abort program...

Utilities showed that my machine is in perfect health. I'm running on a CompuAdd 325TX with 2 megs RAM and an 80 meg HD. Anyone heard of any problems with version 111?

Thanks

- ---------------------------------------------------------------------------
Michael Charrier  | Internet: msc@austin.ibm.com | Post Simsvum Sequitur
Lead RS/6000 Tech | VM ID: MSC@AUSVM6            | Septuna Luna Subset
- ---------------------------------------------------------------------------
All comments are the ravings of a lunatic mind and not the opinions of IBM.
- ---------------------------------------------------------------------------

------------------------------

Date: Tue, 25 Jan 94 12:04:03 -0500
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: What Scanner is the Best (PC)

hexx@telerama.lm.com (Don Pellegrino) writes:
>What is the best virus scanner/ remover available?

I recommend F-Prot. Works well and doesn't cause false positives like CPAV and MSAV will.

> I have DOS 6.2 and
>Microsoft Anti-Virus but how can this be good if it is not updated?

MSAV isn't very good even when it is updated.

> I
>have used McAffee's SCAN.EXE and CLEAN.EXE and they seem to work well. I
>am looking for cheap software that runs quickly but will be very effective.

Try out F-Prot. Highly recommended.

- -- 
Gary Heston   SCI Systems, Inc.   gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
"Quit while you're ahead. All the best gamblers do."
                                                  Baltasar Gracian

------------------------------

Date: Tue, 25 Jan 94 15:09:43 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-PROT Professional v 2.10 (PC)

CHIP@bdso.CV.COM (Chip Seymour) writes:
> C:\F-PROT\VIRSTOP.EXE VIRSTOP error.

"VIRSTOP error" means that Virstop for some strange reason cannot locate itself. This only happens if you use the /DISK switch... when another program is run, Virstop tries to read the search strings from itself into memory, but fails. This might happen if the drive letter assignments are changed after Virstop is loaded, but apart from that suggestion I really have no idea what might be causing this on that particular machine.

- -frisk

------------------------------

Date: Tue, 25 Jan 94 15:18:23 -0500
From: jlj@cs1.bradley.edu (Joel Johnson)
Subject: Fprot or McAfee (PC)

I'd like to get some input on which is better, Fprot or McAfee. Does it really matter which one we use in a university? Fprot is much cheaper with their site licenses. Are they very close in quality?

Thanks
JLJ@CS1.BRADLEY.EDU F
- -- 
jlj@cs1.bradley.edu or jlj@camelot.bradley.edu

------------------------------

Date: Tue, 25 Jan 94 15:20:15 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Help with Little red virus (PC)

vganti@nmt.edu (venkata ganti) writes:
>hi netters,
> i have a problem with " little red " virus . I have an f-prot
>anti-virus program which is not able to disinfect it. Can any of you
>please send me any ftp sites, where i can get a new version of the
>f-prot

Sorry... This is one of the few viruses that f-prot is not able to disinfect, although it detects it without problems. As it is "in the wild", I'll give it higher priority - I'll try to put disinfection of it into 2.11... but that version is scheduled for release in a few days.
- -frisk

------------------------------

Date: Tue, 25 Jan 94 15:28:43 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: MicroSoft Anti-Virus question (PC)

bancroft@minotr.enet.dec.com writes:
>Is there some flaw which makes MSAV easily defeated? I would not want
>the details published, I am sure the virus writers value VIRUS-L data
>as much as I do, I just need to be warned if there are major flaws.

The virus writers know all about this... the details have been published in their magazines a long time ago. Basically this involves an INT call, which tells the TSR to quietly disable itself, or even to remove itself from memory. Note that this has of course no effect on the scanner part.

- -frisk

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 7]
****************************************
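The following is an added illustration of Dicky Ford's Monkey-removal reasoning above (the message "re: Help in removing Monkey virus from hard disk"); it is editor-supplied example code, not part of the digest and not a tool from Virus Bulletin or any vendor named here. It models a disk as a handful of 512-byte sectors and shows, on constructed toy data, why FDISK /MBR (rewrite the code bytes, keep bytes 446..511) leaves the partition table empty when the whole MBS was replaced, and why a copy of sector 0 taken through the resident virus's stealthed view and written back raw restores it. The sector used for the relocated original (LBA 7), the dummy boot code, the partition entry values and the `ToyDisk` class are all assumptions made for the example.

```python
"""Toy model of MBS (master boot sector) recovery as described in the post above.

All sector contents are constructed example data; SAVED_COPY_LBA is an
arbitrary choice for this simulation, not a property of any real virus.
"""
import struct

SECTOR = 512
SIG_OFFSET = 510          # the 55AA boot signature is the last two bytes
PTABLE_OFFSET = 446       # four 16-byte partition entries follow the code
PTABLE_LEN = 64
SAVED_COPY_LBA = 7        # assumed location of the relocated original (example only)


def boot_signature_ok(sector: bytes) -> bool:
    """True if the sector ends with 55AA ("This should end with a 55AA")."""
    return len(sector) == SECTOR and sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa"


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty entries of the partition table in a 512-byte MBS."""
    parts = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        boot, _chs0, ptype, _chs1, lba, size = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba": lba, "sectors": size})
    return parts


def make_clean_mbr() -> bytes:
    """Constructed original MBS: dummy loader code, one DOS partition, 55AA."""
    code = b"\xfa\x33\xc0" + b"\x90" * (PTABLE_OFFSET - 3)   # toy code padding
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x1f", 63, 163000)
    return code + entry + b"\x00" * (PTABLE_LEN - 16) + b"\x55\xaa"


class ToyDisk:
    """A few 512-byte sectors plus a flag for 'virus is memory resident'."""

    def __init__(self, n_sectors: int = 16):
        self.sectors = [bytearray(SECTOR) for _ in range(n_sectors)]
        self.virus_resident = False

    def raw_read(self, lba: int) -> bytes:
        return bytes(self.sectors[lba])

    def raw_write(self, lba: int, data: bytes) -> None:
        self.sectors[lba][:] = data

    def bios_read(self, lba: int) -> bytes:
        """What DOS sees: a resident stealth virus swaps in the saved original for sector 0."""
        if self.virus_resident and lba == 0:
            return self.raw_read(SAVED_COPY_LBA)
        return self.raw_read(lba)


def simulate_infected_state(disk: ToyDisk) -> None:
    """Model the state the post describes: whole MBS replaced, original moved elsewhere.
    The replacement keeps a 55AA so it still boots; the signature alone does not
    prove a sector is the original, the partition table does."""
    disk.raw_write(SAVED_COPY_LBA, disk.raw_read(0))
    disk.raw_write(0, b"\xeb\xfe" + b"\x00" * (SECTOR - 4) + b"\x55\xaa")


def fdisk_mbr(disk: ToyDisk, clean_code: bytes) -> None:
    """FDISK /MBR as the post describes it: rewrite only the code bytes, keep 446..511."""
    s = bytearray(disk.raw_read(0))
    s[:PTABLE_OFFSET] = clean_code[:PTABLE_OFFSET]
    disk.raw_write(0, bytes(s))


def recover_by_copy(disk: ToyDisk) -> bytes:
    """Ford's steps 2-6: capture sector 0 via the stealthed view, then write it back raw."""
    disk.virus_resident = True                 # step 2: booted from the hard drive
    captured = disk.bios_read(0)               # step 3: read 1st physical sector
    if not (boot_signature_ok(captured) and parse_partitions(captured)):
        raise ValueError("captured sector is not a usable MBS; do not write it back")
    disk.virus_resident = False                # steps 4-5: power off, boot clean floppy
    disk.raw_write(0, captured)                # step 6: disk-editor copy into sector 0
    return captured


def demo() -> dict:
    """Compare the two paths on identical infected toy disks; returns partition counts."""
    clean = make_clean_mbr()
    a = ToyDisk(); a.raw_write(0, clean); simulate_infected_state(a)
    clean_boot_sees = len(parse_partitions(a.bios_read(0)))   # booted from floppy: no table
    fdisk_mbr(a, clean)
    after_fdisk = len(parse_partitions(a.raw_read(0)))        # virus code gone, table still empty
    b = ToyDisk(); b.raw_write(0, clean); simulate_infected_state(b)
    recover_by_copy(b)
    after_copy = len(parse_partitions(b.raw_read(0)))
    return {"clean_boot_sees": clean_boot_sees, "after_fdisk": after_fdisk,
            "after_copy": after_copy, "restored_identical": b.raw_read(0) == clean}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two outcomes side by side: the floppy-booted view and the FDISK /MBR result both report zero partitions, while the copy-through-stealth path restores a sector byte-identical to the original. The `ValueError` in `recover_by_copy` is the check step 3 implies: if the captured sector has no 55AA or no partition entries, it is not the original MBS and writing it to sector 0 would not help.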