VIRUS-L Digest   Friday, 8 Apr 1994   Volume 7 : Issue 24

Today's Topics:

New Mac Virus Announcement -- Please circulate (Mac)
How big a threat are Books?
Hubris, intent and viruses
Heuristics
The truth about good viruses
Harmless Viruses
Re: protection from virus in college labs
Re: VIRUS-L Digest V7 #21... Various Topics
Help OS/2 Viruses (OS/2)
V2P6 ?? (PC)
Savannah & Jeremy Viruses ???? (PC)
Re: Questions about Wildlist (PC)
Re: New viruses (PC)
Re: Compatibility: F-prot 211 and Nav 3.0 (PC)
Monkey Curiosity (PC)
Re: Clean 111 & Mich. (PC)
qpeg hack/virus (PC)
Generic MBD virus in partition table (PC)
Re: Thoughts on FORM infections...(PC)
Re: MS-DOS 6.x Anti-Virus (PC)
UW-EauClaire Virus Info Needed (PC)
Help getting rid of the boot437[genb] virus (PC)
Stealth (PC)
packed file is corrupt ?? is it a VIRUS? (PC)
Re: Is speed really important? (PC)
Anti-virus? (PC)
Re: Help! Monkey (PC)
Joshi.a (PC)
NOVADEMO.EXE (PC)
Michelangelo (PC)
tbav612/tbavu612/tbavx612.zip - Thunderbyte anti-virus v6.12 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 02 Apr 94 11:48:03 -0500
From: spaf@cs.purdue.edu
Subject: New Mac Virus Announcement -- Please circulate (Mac)

New Macintosh Virus Discovered (INIT-29-B)
2 April 1994

Virus:            INIT-29-B
Damage:           Alters applications, system files, and documents.
                  May cause unexpected program failures or system
                  crashes.
Spread:           few reported cases yet, but might have spread widely.
Systems affected: All Apple Macintosh computers, all systems.

The INIT-29 virus first appeared in late 1988. We do not know much
about its origin. A variant of the INIT-29 virus has recently been
discovered at a West Coast US site. Its behavior is similar to that of
the original INIT-29 virus.

Both strains of INIT-29 spread quickly and widely. INIT-29 viruses will
alter and infect almost every kind of file, including document (data)
files; infected document files do not spread the INIT-29 virus,
however. All versions of INIT-29 will infect both applications and
systems files, and will spread from those files. An application on an
infected computer may itself become infected even if it is not launched
or executed.

INIT-29 viruses may reveal themselves when a locked floppy disk is
inserted in the disk drive. An infected Mac will display the alert:

    The disk "xxxxx" needs minor repairs. Do you want to repair it?

Previous experience with the original INIT-29 virus indicates that the
INIT-29-B version may cause printing problems and unexpected crashes.
Some applications may fail to run correctly. Damage may occur as a
result of the file and application modifications.
According to feedback from the publishers and authors of the major
anti-viral software programs, information about possibly needed
upgrades to known, actively supported Mac anti-virus products is as
follows:

Tool: Central Point Anti-Virus
Status: Commercial software
Revision to be released: 3.0d
Where to find: Compuserve, America Online, sumex-aim.stanford.edu,
               Central Point BBS, (503) 690-6650
When available: now
Comments: New 'MacSig' antidote file available - dated 4/2/94.

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and John
        Norstad)
Revision to be released: 3.5
When available: now
Where to find: usual archive sites and bulletin boards --
               ftp.acns.nwu.edu, sumex-aim.stanford.edu,
               rascal.ics.utexas.edu, AppleLink, America Online,
               CompuServe, Genie, Calvacom, MacNet, Delphi,
               comp.binaries.mac

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.3.1
When available: last released version (1.3) is effective; no update
                needed
Where to find: usual archive sites and bulletin boards --
               microlib.cc.utexas.edu, sumex-aim.stanford.edu,
               rascal.ics.utexas.edu, comp.binaries.mac
Comments: revision 1.3.1 (responding to INIT-9403) remains pending;
          release date is currently not available. It is recommended
          that you use the latest version of Disinfectant INIT together
          with the latest released version of GateKeeper; this will
          provide satisfactory protection.

Tool: Rival
Status: Commercial software
Revision to be released: N/A
When available: now.
Where to find it: America Online: RIVAL, AppleLink: TESTNONE,
                  Compuserve: 73112,2144,
                  Internet: miserey@laguna.ics.uci.edu
Comments: The current version of Rival detects and removes INIT-29-B

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.5.12
When available: now
Where to find: CompuServe, America Online, Applelink, Symantec's
               Customer Service @ 800-441-7234
Comments: Updates to various versions of SAM to detect and remove
          INIT-29-B are available from the above sources.

Tool: Virex
Status: Commercial software
Revision to be released: 5.03
Where to find: Datawatch Corporation (919) 549-0711
When available: now
Comments: Virex 5.03 will detect the INIT29-B in any file, and repair
          any file that has not been permanently damaged. All Virex
          Protection Service members will automatically be sent an
          update on diskette. All other registered users will receive
          a notice by mail. Datawatch's BBS number is: (919) 549-0042.

          UDV Code for INIT29-B
          Guide Number = 15753664
          1: 0302 3000 1276 0000 / 57
          2: A9F0 303C A997 A146 / 9D
          3: 2028 FFFC 8180 9090 / 4C

Tool: VirusDetective
Status: Shareware
Revision to be released: N/A
When available: now
Where to find: various Mac archives
Comments: VirusDetective is shareware. The current version (5.0.11)
          identifies INIT-29-B.

If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis. Such reports make early, informed
warnings like this one possible for the rest of the Mac community. If
you are otherwise unsure of who to contact, you may send e-mail to
spaf@cs.purdue.edu as an initial point of contact.

Also, be aware that writing and releasing computer viruses is more than
a rude and damaging act of vandalism -- it is also a violation of many
state and Federal laws in the US, and illegal in several other
countries.
If you have information concerning the author of this or any other
computer virus, please contact any of the anti-virus providers listed
above. Several Mac virus authors have been apprehended thanks to the
efforts of the Mac user community, and some have received criminal
convictions for their actions. This is yet one more way to help protect
your computers.

------------------------------

Date: Sun, 27 Mar 94 19:48:25 -0500
From: rjryba@major.cs.mtu.edu (Russell J. Ryba)
Subject: How big a threat are Books?

Hello All,

I just saw an ad for the "Little Black Book of Computer Viruses". It is
supposed to teach you how to create your own computer viruses. Are
books like this a threat? Or is it a good idea to let people know how
they work, so they can protect themselves better?

I think I read somewhere that TIMID was listed in this book. Either in
an article, or Virus info list somewhere.

So, what do you think? Post replies please.

- Russ Ryba

------------------------------

Date: Mon, 28 Mar 94 12:32:22 -0500
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Hubris, intent and viruses

>Hubris aside, I'm surprised that an audience of such a demonstrably
>high level of intelligence has yet to cut through the fog to the
>**CENTRAL QUESTION** of the debate, i.e.:
>
>***********************************************************************
>WHAT IS THE **INTENT** INVOLVED IN EACH INSTANCE??
>***********************************************************************

Would God that it were so simple. In fact, since the virus writer has
so little control, his intent is irrelevant. It is, at best, simply an
excuse for reckless behavior.

While the virus writer can predict how his program will behave in an
execution environment, he cannot predict how it will behave in a
population. He cannot even know enough about the population or its uses
to begin to predict that behavior or its consequences.
Therefore, regardless of the intent of the author, regardless of how
well he implements that intent, once the first copy is out of his
hands, he has lost control. It is an act of hubris to believe
otherwise; hubris cannot be set aside.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Mon, 28 Mar 94 12:42:40 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Heuristics

Istvan Szucs (iszucs@stwing.resnet.upenn.edu) writes:

> University of Pennsylvania. I am currently working on a project, to
> implement an intelligent virus detector program on the PC. (By
> intelligence I mean capable of learning by example, using heuristics

Several people said "It won't work" and in general I agree. However I
firmly believe that in my particular specialty - low-level or Master
Boot Record and DOS Boot Record infectors - it can, simply because
these two functions are relatively simple.

Of the two, DOS boot records are *much* more diverse (have identified
five common classes with over 60 variants - some non-booting) but there
are still a number of things that a virus *must* do that a regular
boot record doesn't, and that is detectable.

Secondly, both MBR and DBR are limited to 512 bytes each and have
functions that must be done.

For several years I have made available as FreeWare the program
CHKBOOT (and the companion FixFBR or Fix Floppy Boot Record) that
operate purely on heuristics, and believe I am closing on detection of
all known low-level viruses purely heuristically. In fact the major
problem is avoiding false positives on some off-brand pre-1985 boot
sectors (two actually).

For DOS *programs*, the sheer size and diversity makes this very
difficult so at present I agree with Vesselin that heuristics are not
a good choice, viruses are just too much like some programs.
However for my little part of the world, heuristics are what enable my
programs (particularly DS II which uses a 304 byte TSR) to be so
small. CHKBOOT is only 2k. FixFBR is larger because it carries a
complete set of replacement (non-booting) boot records for all four
common floppies with "oops" detection built in.

Warmly,
Padgett

ps The reason DS II will not co-exist with COHERENT is that CO uses a
self-modifying MBR (or did, haven't looked at it for a while). Did
develop a means to handle such things as well as how to make DS II
compatible with the various flavors of UNIX some time ago but never got
around to adding it to the program since I do not need UNIX personally
(negative free time).

LABEL (DOS 5+) tries to change the serial number of the disk in the DBR
for some unknown reason and DS II does not allow changes to the boot
record. However, since I return the proper error code for write
protection, DOS simply creates an old-style zero byte LABEL file & is
happy so I am not concerned about it.

------------------------------

Date: Mon, 28 Mar 94 16:19:55 -0500
From:
Subject: The truth about good viruses

The truth about good viruses:

Typical security pundit comment:
  There ain't no such thing as a good virus (because) they all cause
  damage under some circumstances
The truth about this subject:
  The same is true for any program - what does being a virus have to do
  with it? - Nothing

Typical security pundit comment:
  I've never met a virus I liked
The truth about this subject:
  Bigotry was never a good excuse before, why use it as one now.

Typical security pundit comment:
  Anyone who claims to like viruses is trying to justify their past.
The truth about this subject:
  It takes one to know one. What did you do wrong that makes you feel
  so guilty? Did you know that many of us virus writers did good things
  with our viruses?
  You too can feel good about yourself if you will only apply these
  talents to the benefit of others

Typical security pundit comment:
  All viruses are bad because they go where they are not authorized to
  go, overwriting data, or at least using otherwise available space and
  time.
The truth about this subject:
  The definition of virus does not imply spreading without authority or
  overwriting other data. If using otherwise unused space or time is
  inherently bad, then all programs are inherently bad, not just
  viruses, because all programs use time and space that would not
  otherwise be used.

I await your further attempts at demonstrating that all viruses are
bad. Please just continue to rave into Virus-L, and I will respond with
a similar dismissal of new ravings in another few months.

FC

P.S. Whoever has been taking the heat for supporting the concept of
good viruses - I commend you. Sorry I haven't been more supportive, but
I have been busy finishing a book on good viruses. Please send me some
E-mail so we can gang up on these miscreants who can't tell the
difference between morality and mathematics. - FC

------------------------------

Date: Mon, 28 Mar 94 17:33:20 -0500
From: WOLF@vaxb.acs.unt.edu
Subject: Harmless Viruses

In reply to padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)

>>"Michelangelo mentality" aside, viruses and their mentally deficient
>>"intelligence-challenged" creators will be with us until the Constitution
>>is changed to allow impaling, or hanging/drawing & quartering.

>Never happen. The first would be considered "littering", the second "cruelty
>to animals" (the horses, not the virus writers).

Michelangelo is hardly a good virus to judge all virus writers from.
For one thing, it is destructive. It is also a minor variant of Stoned,
and a poorly coded one at that. Generalizations are a bad thing to
make. It would be like saying "all anti-virus authors are only in it
for the money" from the example that Ross Greenberg said the following:

"I discovered there was gold in them thar hills.
Bought me a nice place in upstate NY. I called it "Virus Acres". 76
acres."

It just simply isn't true. Some AV'ers are in it for the money, and
some, like yourself from what I've seen, are in it to genuinely help
people in a way they think is best.

>I have said before and will say again "there ain't no such thing as a
>harmless virus" (TANSTAAHV - pronounced tahn-stahv). Consider two oft
>mentioned STONED and MICHELANGELO (well - on any day except March 6th).

I doubt anyone would say Michelangelo is a harmless virus. It obviously
has the destructive code written into it by some malign person (that
was not an original or talented programmer anyway - everything is
ripped out of the Stoned virus, including its flaws). Stoned might be
merely annoying except that it was not written to be upwards
compatible - therefore it destroys data.

However, with other examples such as the KOH and Cruncher 2.1 (notice
the version number, very important) I doubt you could find such flaws.
There are some situations that each will cause incompatibilities, such
as any software, BUT because they do ask for user permission for their
actions, I can not see them as being harmful. In point of fact, each of
them can be beneficial. KOH encrypts your hard drive and floppies
(should you request it to) with a user specified password. It also
includes an uninstall routine. Cruncher asks user permission to add
itself to a file and compress it, using itself as the
compression/decompression code. As each of these asks for user
permission, and are free of harmful code at least to the point that
CHKDSK.EXE is, I see them as being harmless or even good.

I am not defending the writers that write destructive code, merely
pointing out that some virus writers (such as some members of TridenT
and Mark Ludwig in the examples above) are writing good, useful, user
friendly programs and deserve a second look regarding the "virus
writer" mentality.
>Also there are other combinations that should be avoided such as Jerusalem
>and Novell 3.11 print redirectors. Like drugs, many viruses have combinational
>effects that are best heard about happening on the other side of the country
>and not at home.

Jerusalem was poorly coded and not in the least harmless anyway. To
discuss harmless viruses, stick to the ones that self-respecting
researchers will term that way (or at least stick to the ones that
have no "intentionally damaging" code). My two examples from above ARE
in this category.

If it is up to the user to make the decisions on whether a virus
spreads or not, and nothing is being hidden from the user, then it is
not inherently bad. If it is useful, then I cannot see a logical
argument to establish that the virus is evil. Just the fact that a
program modifies code, or even replicates itself while doing so, is not
wrong.

Regards,
Michael A. Ellison
wolf@jove.acs.unt.edu

------------------------------

Date: Wed, 30 Mar 94 10:08:40 -0500
From: dcleek@csd4.csd.uwm.edu (Dick Cleek)
Subject: Re: protection from virus in college labs

jorvis@madonna.ec.usf.edu (Juliann Orvis):

> I teach at a community college campus that has 80 computers connected
> through Banyan Vines as well as each station being used as intel term.
> We have been having a terrible time keeping our stations "clean" even though

Our lab sounds similar to yours. We use FPROT and are very happy with
it. It won't stop a machine from being infected but it will prevent an
infected machine from booting and spreading the virus. Once we get an
infection, we REALLY make students check their disks as they enter the
lab and we usually find the culprit within two days.

- --
 ........
: |_|\/\/ :   Dick Cleek                  dcleek@csd4.csd.uwm.edu
:.centers.:   Univ.of Wisconsin Centers   dcleek@uwcmail.uwc.edu

------------------------------

Date: Wed, 30 Mar 94 14:40:27 -0500
From: PHIL@mash.colorado.edu
Subject: Re: VIRUS-L Digest V7 #21... Various Topics

Henrik Stroem writes:

> So the REAL issue is if it is OK to define "Changes made to a computer
> system without the permission of its users" as harmful. I think this
> is an acceptable definition.

The harm done may not be to data, but to the integrity of the system
that has been violated, and therefore to the well being of the owner of
that system.

> I don't think we have much to lose by making it a crime to spread
> computer viruses. If they have any scientific value at all, they
> should be studied by scientists with the proper knowledge and
> equipment, not by teenage "wannabe" programmers.

Is a person in his or her teen years, therefore, not to be taken
seriously as a programmer? Just a question.

Karl Tarhk (src4src!ktark@imageek.york.cuny.edu) writes:

> It is common knowledge that virus infection and 'damage' figures
> are way out of proportion to scare users and sell more AV software.

Common knowledge to whom? I really don't care about the figures, but,
being aware of some viruses that have cropped up in my vicinity, would
like, and do have, some protection.

> There is no such thing as 'the truth.'

Is that the truth?

> You say 'There is no such thing as a good virus in the wild'
> Prove it!

Why bother? Isn't it enough that someone is on my property without my
permission? On the other hand, maybe they're there to put out a fire I
am unaware of. Perhaps intent is important after all. Or better,
perhaps results are what is important. Did the uninvited guest:

  1 - burn down my house,
  2 - eat some of my food,
  3 - nap on my couch,
  4 - dust my furniture, or,
  5 - leave me a fortune?

Not all the same thing.
Probably all technically illegal, since the guest was uninvited, but I
certainly wouldn't want to prosecute the last two actions, maybe only
the first. My feeling, though, is that most of what you will find in
the world of viruses will not fall into the last two categories, and
therefore the need for protection.

Alan D. Tegel (olympian@mentor.cc.purdue.edu) writes:

> ... She said she would reach a very high score
> and then lo and behold the whole screen would turn into Japanese letters

It might be useful to get someone who can read Japanese to tell you
what the screen says.

--
Phil Helms                              Internet: PHIL@MASH.Colorado.EDU
Community College Computer Services
Denver, Colorado                        Time: GMT-0700

------------------------------

Date: Wed, 30 Mar 94 10:09:17 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Help OS/2 Viruses (OS/2)

>The problem is that when it attempts to boot off of the hard drive you
>get a screen full of multi-colored flashing ascii-text characters. I
>can get the machine to boot off the A: drive with a DOS disk (the OS/2
>volume is not using HPFS). I've scanned it for viruses, I've run NDD,
>nothing seems to be wrong with the machine So I assume the problem is
>with one of the OS/2 start up files.

Might also be a MBR infector. These BIOS level infections run *before*
the operating system and while they generally require a real mode
(OS/2 and many UNIX OSs for an Intel based machine use a 32 bit memory
model or "protected" mode) for operation as designed, their
redirections can certainly screw up the load sequence.

Further, all that is necessary to become so infected would be an
accidental boot from the wrong floppy even if it had no or the wrong
operating system.

There is a relatively new virus called the Int_10 that *might* cause
such a display as you mention and not be detected by some current
scanners.
Just some thoughts,
                        Padgett

------------------------------

Date: Sun, 27 Mar 94 15:41:45 -0500
From: Alan.Thew@liv.ac.uk (Alan Thew)
Subject: V2P6 ?? (PC)

A UK scanner (viscan) has found a virus called V2P6 in a WordPerfect
file (WP 6.0a for DOS) \WP60\CVDWPG2.CVX

My first thoughts were that this might be a false positive. Can anyone
shed more light on this file and/or virus?

Thanks
- --
Alan Thew   alan.thew@liv.ac.uk   ...!uknet!liv!alan.thew
University of Liverpool, Computing Services
Tel: +44 51 794-3735   Fax: +44 51 794-3759

------------------------------

Date: Mon, 28 Mar 94 07:37:23 -0500
From: Dave Spitz
Subject: Savannah & Jeremy Viruses ???? (PC)

Hi all,

I've been getting a lot of mail with bits and pieces of info about the
2 above-mentioned viruses from another virus list. However, the info
coming across is not too informational. So, can anyone here enlighten
me. Please send me whatever information you may have, I would
appreciate it.

TIA

Dave Spitz                 VOICE: 1-414-297-7698
Computing Services         FAX:   1-414-297-8313
M.A.T.C., Milwaukee, WI.   Internet: SPITZ_DAVE@MUSIC.LIB.MATC.EDU
"Everything was fine 'till they put hard drives in PCs"

------------------------------

Date: Mon, 28 Mar 94 10:01:02 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Questions about Wildlist (PC)

GSCOBIE@ml0.ucs.edinburgh.ac.uk (Garry J Scobie Ext 3360) writes:

>catalog number 792. I notice from the Wild List that something called
>Yankee Doodle.XPEH.4928 is listed. Can anyone explain the naming
>conventions that are being used here? Is the XPEH4 as identified by
>Solomons findviru the same? Are they all related to yankee doodle?

There is a group of 9 (or so) viruses, which are obviously related, but
are also clearly members of the Yankee_Doodle family. They are,
however, sufficiently different from other Yankee_Doodle viruses to
justify placing them in a separate group.
The viruses are:

    Yankee_Doodle.XPEH.3600
    Yankee_Doodle.XPEH.3840
    Yankee_Doodle.XPEH.4016
    Yankee_Doodle.XPEH.4048
    Yankee_Doodle.XPEH.4752
    Yankee_Doodle.XPEH.4928
    Yankee_Doodle.XPEH.5648
    Yankee_Doodle.XPEH.5808
    Yankee_Doodle.XPEH.5856

>Finally is there any real difference between stoned.standard and
>stoned.wd3.

not in the code part - the .wd? variants are just stoned.standard that
have been slightly corrupted - in the second half of the text message.

- -frisk

Fridrik Skulason   Frisk Software International   phone: +354-1-617273
Author of F-PROT   E-mail: frisk@complex.is       fax:   +354-1-617274

------------------------------

Date: Mon, 28 Mar 94 10:09:33 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: New viruses (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Uh, no, quite the opposite. With the increasing numbers of new viruses
>produced, it is quite likely that there will be more and more viruses
>which the existing scanners cannot handle in a particular moment.

Note that this is true even if the scanners are still able to detect
the same percentage of existing viruses - a scanner that detects 95% of
the viruses that exist will still miss over 200 viruses....and that
number keeps getting larger.

- -frisk

------------------------------

Date: Mon, 28 Mar 94 10:14:56 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Compatibility: F-prot 211 and Nav 3.0 (PC)

jrice@pomona.claremont.edu (Jeffrey Rice - Pomona College, California.) writes:

>two scanning programs around, and I agree with this. But wouldn't also keeping
>two programs that scan using different methods be even better?

The *method* does not matter - what matters is to what degree the set
of viruses they detect - for example, if you use CPAV, adding MSAV will
not help you at all. On the other hand, if you pick two good
*independent* scanners, you will be better off than with just one of
them.
- -frisk

------------------------------

Date: Mon, 28 Mar 94 20:29:55 -0500
From: Dale Morlock
Subject: Monkey Curiosity (PC)

I just encountered Monkey on a client's PC. I can't find much on Monkey
except that it's a stealth virus. What am I dealing with? Any cautions?

Thanks!

------------------------------

Date: Tue, 29 Mar 94 00:24:10 +0000
From: c9219517@sage.newcastle.edu.au (Scott Howard)
Subject: Re: Clean 111 & Mich. (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: jhs@gall.rdt.monash.edu.au (jhs@gall.rdt.monash.edu.au) writes:

: First of all, there could be two possibilities for the screw-up. One
: of them is that it has not been Michelangelo, but some similar (yet
: still different) variant. In this case CLEAN is *wrong* for not
: identifying the virus exactly and attempting the disinfection of the
: wrong variant. My advice to the original poster - use a better

The only way that a virus detector could be assured of never
incorrectly detecting a strain of a virus would be to have a complete
copy of the virus that it could compare with that found on disk/in
memory. For some viruses you could use a checksum, but not for all. The
resulting scanner would then of course be rather too large to be of any
use.

: disinfector the next time. One that can identify "your" virus exactly
: - - like F-Prot, for instance - and which will not attempt to remove the
: virus if it is not perfectly sure what to do. Or use some backup

Are you saying that F-Prot will never get it wrong?? I think not...
Despite the fact that I have never used F-Prot, the documentation makes
no claims regarding its ability in this respect.

: utilities that save a copy of the original boot sectors and restore
: them if modified. As a last resort - use FDISK/MBR, but first make
: sure that your hard disk is accessible.
As I stated in an earlier post, MIRROR/PARTN is the best option, and
anyone without a copy of their partition table on floppy, either from
mirror or another program, is really asking for trouble - and not just
from viruses.

: assuming that the "one way" is CLEAN's way. Somebody else posted that
: it is impossible to identify the viruses in memory and to deactivate
: them - he is wrong too; this is perfectly possible, only not easy,
: that's why almost nobody bothers to do it.

If you're going to paraphrase me, at least get what I said right. I
said:

>Considering that there are often dozens of mutations of each virus, it
>would be almost impossible to write a program that could actually
>deactivate all of them from memory, and even if it could, it would still
>have no way of safely de-activating new strains.

No, it would not be impossible, but it would be very hard, and also
very risky. There is no sensible reason that I can think of that would
require such treatment.

: Third, it is a surprise to me that McAfee claim "10 years experience"
: in the field, especially having in mind that "the field" is about 8
: years old. :-) I remember very well when McAfee seriously entered the
: anti-virus business - it was around the DataCrime scare, although, of
: course, he might have written virus detectors some months ago.

I believe that McAfee was involved in computer security well before
viruses were even heard of. Not exactly the same thing, but close
enough.

Scott.

------------------------------

Date: Mon, 28 Mar 94 22:26:14 -0500
From: Carpenter@UH.EDU (Scot Carpenter)
Subject: qpeg hack/virus (PC)

Picked this up off another list; hadn't seen it here or in virus-l.

>From dnelson@jplpost.jpl.nasa.gov Mon Mar 28 21:16:22 CST 1994

There's a little program called QPEG13K.COM circulating, supposed to be
an unprotect for QPEG...
its author recently posted messages to the effect that the developers
of QPEG should not hassle him for disabling their protection mechanism,
as he did not write it. He may be baiting us to download and run a
virus.

I was suspicious, and downloaded it to look at its innards...disassembly
showed the program changing default drives and (it looked like to me)
examining boot sectors. My assembly skills are weak, and disassembly
listings are especially cryptic, but my best guess is he is attempting
to install his code in your hard disk boot sector.

Anyway, I isolated my computer from the network and loaded VSAFE with
all protection options enabled, and ran QPEG13K.COM....sure enough,
VSAFE caught it doing something nasty.

Now I know, lots of programs do things VSAFE will squawk about...going
resident for example, or modifying an .EXE file. Maybe someone more at
home in the bowels of DOS can look it over to make sure...I could be
100% wrong, but felt everyone should know to at least BE CAREFUL.

Toodles..........
Dave Nelson

- --
| Scot Carpenter   | Decision & Information Sciences |        |
| carpenter@uh.edu | University of Houston           | RK/SAB |

------------------------------

Date: Tue, 29 Mar 94 05:18:02 -0500
From: jouve@manitou.ensmp.fr (Christine JOUVE )
Subject: Generic MBD virus in partition table (PC)

Can somebody help me in the removal of the Generic MBR virus ?

I have discovered it using scan, which informed me with the message:

  "Scanning partition table of disk C:
   Found the Generic MBD [Genp] virus in partition table."

Before removing it with clean, I rebuilt the partition table with my
favorite "doctor" (Norton utilities). Everything was right (scan
detected no virus) until, reusing scan a few days later, I discovered
again that my PC is infected by the Generic MBR virus.
jouve@cc.ensmp.fr
ENSMP
60, Bd Saint-Michel
75272 PARIS Cedex 06
33 (1) 40 51 91 41

------------------------------

Date: Tue, 29 Mar 94 09:33:35 -0500
From: JDG111@PSUVM.PSU.EDU
Subject: Re: Thoughts on FORM infections...(PC)

David Hanson says:

>I've seen several postings about Form and how hard it is to get rid of.
>So, here are some thoughts from my experience. Leaving aside the particulars
>of how to remove Form from a disk, there is another important consideration
>that is often ignored.
>
>Form is spread from computer to computer on the boot sector of floppy disks.
>The hard drive becomes infected -only- when you attempt to boot from an
>infected floppy (bootable *or* non-bootable). Once the hard drive is
>infected, it infects -every- diskette you access on that machine, whether
>you try to boot from the diskette or not.

Thanks for posting this. Yesterday we discovered FORM in our office, on
only one of about a dozen machines. Unfortunately, it was the one
machine we use for duplicating disks we mail out to customers. I was
able to clean the infection with McAfee's CLEAN, and we contacted all
our customers to let them know of the potential problem. I wasn't sure
about Form going resident from a non-successful boot, but your post set
me straight.

Now, one other question - I don't think Form has a payload, am I
correct? If it does, what's it do and when?

And while I'm here - where can I find the newest F-Prot and VSUM on FTP?

------------------------------

Date: Tue, 29 Mar 94 15:09:07 -0500
From: dishaw@fortytwo.nosc.mil (James Dishaw)
Subject: Re: MS-DOS 6.x Anti-Virus (PC)

Sharyn Bray (slbray@deakin.edu.au) wrote:
: Hi to all reading comp.virus,
: I was wondering whether anyone could offer
: an opinion, comment, thought etc.
: regarding the effectiveness of the
: Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS,
: version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?
: Thanks in advance.
: Stuart Palmer
: (kindly via slbray, kindly via Deakin)

I saw an article in several PC type journals that state the bundled anti-virus software is not very good. In fact, subverting them is not difficult at all. The overall best package was F-Prot (or V-Prot).

- -jd

------------------------------

Date: Wed, 30 Mar 94 10:08:04 -0500
From: omicron@genie.geis.com
Subject: UW-EauClaire Virus Info Needed (PC)

If anyone has information on the virus that affected the University of Wisconsin - Eau Claire (and surrounding communities) a few years ago, could they please email it to me. I am doing a research project on computer viruses. Thanks very much.

Conrad Capasso
omicron@genie.geis.com

------------------------------

Date: Wed, 30 Mar 94 10:07:24 -0500
From: pdcruze@iinet.com.au (Patrick D'Cruze)
Subject: Help getting rid of the boot437[genb] virus (PC)

[Posting this on behalf of a friend]

A friend of mine has somehow infected the boot sector of his hard drive with the: boot437[genb] virus. He has tried using scanv113 and clean113 to rid himself of it. They unfortunately don't work (at least scan113 is able to detect it, scan112 doesn't). He has also tried to reformat the boot sector to rid himself of the problem (using: fdisk /mbr) however this too has failed.

Does anyone know how he may rid himself of this virus? What shareware or commercial virus checkers can clean it up (or other disk management tools)?

Another related problem is that scan113 is not able to detect which file was originally infected with the virus and hence even after removing the virus there is the possibility that it could once again infect his hard drive.
What virus checkers would you recommend to detect this virus and detect the files that have been infected by it (ie, the original carriers of the virus)?

Many thanks in advance (and apologies if this is a FAQ).

Patrick D'Cruze
pdcruze@orac.iinet.com.au

------------------------------

Date: Wed, 30 Mar 94 15:09:10 +0000
From: jaflores@dcc.uchile.cl (RANKI(Jorge Flores))
Subject: Stealth (PC)

Hello, how can I remove the virus "stealth"? I found it in my computer and I can't remove it with the scan 112. Thanks.

Jorge "ranki" Flores.

------------------------------

Date: Wed, 30 Mar 94 10:09:51 -0500
From: "Harry W.Hertz"
Subject: packed file is currupt ?? is it a VIRUS? (PC)

Hi Folks,

I keep getting the msg. "PACKED FILE IS CURRUPTED" on several .COM and .EXE files! No VIRUS found on the Systems. LOADFIX is only a temp. solution to this... Is there any other way to fix this? Is it a VIRUS? What should I do to get this solved permanently?

Hertzh%lanf@kaiserslau-emh1.army.mil

------------------------------

Date: Wed, 30 Mar 94 11:07:10 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Is speed really important? (PC)

src4src!ktark@imageek.york.cuny.edu (Karl Tarhk) writes:

>It is pretty obvious Frisk hasn't gotten around detecting DSME yet...
>(soon?)

Yep...pretty soon.... I have only around 200 other viruses to look at first... Guess this will be a busy Easter... :-(

- -frisk

------------------------------

Date: Wed, 30 Mar 94 13:51:43 -0500
From: vzmoran@csupomona.edu (VAROJON MORAN)
Subject: Anti-virus? (PC)

Can someone tell me what is the easiest and most reliable antivirus program that stays in memory and prevents memory resident viruses... I thought Ms-dos antivirus would do it but it didn't help me when the monkey virus came to my computer...

Thanks
Jon
Vzmoran@csupomona.edu

------------------------------

Date: Wed, 30 Mar 94 14:56:13 -0500
From: fguidry@crl.com (Fran Guidry)
Subject: Re: Help! Monkey (PC)

Bruce Andrew Carl Douglas wrote:
>Hello.
>
>My Father brought home 4 infected floppies from his school. I was using
>McAfee's VSHIELD (v108) and it detected it.
>Mcafee SCNA 9.19 v108 later identified it as the Monkey virus located in
>the boot sector of his floppies.

[stuff deleted about attempted disinfections]

>Is this typical of the monkey virus? Is there a way to retrieve the files
>on the floppy?

You could have copied the files safely from the infected diskettes before taking any other action. This is safe because boot sector infectors must be booted to become active. After copying the files from the bad diskettes you could have formatted the diskettes to remove the infection.

Fran

------------------------------

Date: Wed, 30 Mar 94 21:21:20 -0500
From: "Mike Mandili"
Subject: Joshi.a (PC)

A few of our computers got infected with Joshi. I tried exe (March 14 release); I tried f-prot (newest); they did not get rid of the virus. I deleted the partition and did a low-level format on one of the computers and I still have the virus. Every time I check for the virus, clean will tell me that there is the Joshi virus on your partition table; clean is unable to get rid of the virus!!!! Does anyone have any suggestions or has anyone run into the same problem? Please help. Thank you for all your help.

------------------------------

Date: Wed, 30 Mar 94 22:26:13 -0500
From: junix!cbodine@sinkhole.unf.edu (Clinton Bodine)
Subject: NOVADEMO.EXE (PC)

I was curious if anyone else has experienced the fun of NOVADEMO.EXE. Forgive me if this is a well known virus. I ran MS AntiVirus and Central Point AntiVirus and McAfree(sp?) Scan v1.11 on my computers and none recognized it as a virus. The file looks as follows:

NOVADEMO EXE    257,897 03-04-94   8:38p

I can't get Scan v1.13 until tomorrow (March 31), but if anyone has any info on how to fix the problems, please let me know. If no one is very familiar with this file, here are some characteristics:

MSAV noted that checksums had been changed, but no other info had changed.
On another computer in our lab, files in DOS were disappearing. So we ran MSAV on that computer and discovered that one of the 2 FATs had been changed, so we fixed it. When MSAV finished, EVERY file in the directory was gone. We then looked at several troubled files (bad checksums) and noticed the phrase "Finish demogroup" in the header. There were two different versions of the header, though: USTA APPLICATION and NOVA 1994. We searched the entire disk for the phrase and discovered two copies of NOVADEMO.EXE on only one computer. We ran this program on a floppy with every VSAFE option turned on. It gave an odd message about not being able to initialize hardware and dropping back to DOS. The file had been erased and no other effects were noted. All files that had been erased had the message "Dangerous messenger was here!".

Please don't flame me if you really don't care or know everything about this virus. This is my first experience with viruses. No one in our lab has ever had experience with them. But I hope this info can help someone.

Clinton Bodine
junix!cbodine@sinkhole.unf.edu
sinkhole.unf.edu!junix!cbodine

------------------------------

Date: Sun, 27 Mar 94 01:55:06 +0200
From: Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Michaelangelo (PC)

Hi phillip!

> Is there a cure for a hard drive that has been infected with the
> Michaelangelo virus? Is the FDISK /MBR command a possible
> solution?

Yes, it is. Please boot from a non-infected floppy before applying FDISK /MBR. The most important thing is to wipe the virus from memory before cleaning it physically. You may also like to use F-PROT or another killer for cleaning, but, concerning that type of MBR infectors, this command normally works.

cu! eppi

- --- GEcho 1.01+
 * Origin: Another Virus Help Node - The EpiCentre!
(9:491/6050)

------------------------------

Date: Wed, 30 Mar 94 10:05:16 -0500
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: tbav612/tbavu612/tbavx612.zip - Thunderbyte anti-virus v6.12 (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

pub/msdos/virus/
tbav612.zip   Thunderbyte anti-virus pgm (complete) v6.12
tbavu612.zip  Thunderbyte anti-virus pgm, upgrade 6.11->6.12
tbavx612.zip  TBAV anti-virus - processor optimized versions

The Thunderbyte Anti-Virus utilities are ShareWare. There are four security modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are programmed in assembler and therefore very fast! TbScan is a signature, heuristic and CRC scanner. It detects known, unknown and future viruses. TbScanX is the resident version of TbScan. TbClean is the first heuristic cleaner in the world. Even an infected file with an unknown virus can be cleaned. TbMon consists of three resident programs (TbMem, TbFile, TbDisk) which monitor your system against unknown viruses. From version 6.09 a Windows interface is included.

These files have replaced tbav611.zip, tbavu611.zip, and tbavu611.zip.

TBAV is (from now on) uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl (in dir /pub/msdos/virus/tbav) and from there distributed to oak.oakland.edu, garbo.uwasa.fi and nic.funet.fi

Greetings, Piet de Bondt
E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, ftp@ftp.twi.tudelft.nl

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 24]
*****************************************
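Several posts in this digest (the Generic MBR report where the partition table was rebuilt and the virus was reported again days later, the boot437 and Joshi partition-table reports, and the FDISK /MBR advice for Michelangelo) turn on the fact that the master boot record holds the boot code and the partition table as separate regions of one 512-byte sector. The following Python script is an added example, not code from the digest or from any poster: it parses an MBR image, hashes the boot code separately from the partition table, and compares that hash with a baseline saved while the disk was known clean; the sample sectors are constructed in the script rather than read from a real disk.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # boot code occupies bytes 0..445, partition table 446..509
BOOT_SIG = b"\x55\xAA"   # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, four partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIG}

def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings as strings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline: rebuilding the partition "
                        "table alone would not have changed this region")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings

def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample sector: pad the given boot code to 446 bytes and append one
    active FAT16 partition entry plus the 55AA signature (nothing is read from a disk)."""
    code = code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIG

# Constructed stand-ins: the "clean" code and an altered copy with the same partition table.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE = hashlib.sha256(CLEAN_MBR[:PT_OFFSET]).hexdigest()   # saved while the disk is known clean
ALTERED_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x00" * 5)
if __name__ == "__main__":
    print("clean  :", check_mbr(CLEAN_MBR, BASELINE))
    print("altered:", check_mbr(ALTERED_MBR, BASELINE))
```

Because the altered sample keeps the original partition table, a check that only validates the table reports nothing, while the boot-code hash comparison flags the change; that is the region FDISK /MBR rewrites.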