VIRUS-L Digest   Friday, 14 Oct 1994    Volume 7 : Issue 84

Today's Topics:

Re: Suggestions-anti-virus kit?
Re: EICAR 94 Conference
Re: ANSI Bomb?
Re: Stealth Virus
Re: ANSI Bomb?
Re: Netcom distributing viruses
Re: Netcom distributing viruses
Re: Anyone heard of a virus for a SCO XENIX system? (UNIX)
PC-virus transportable to mainframe? (PC-VAX/UNIX)
Lenart? or CPAV blof. (PC)
Thunderbyte anti-virus - how good? (PC)
Help needed with PINWORM (PC)
Re: vds30p.zip - AV package w/scanner, integrity checker etc. (PC)
Partition Table(PC)
Re: Virus Source code on CD ROM? (PC)
Re: Best Anti-virus software (PC)
Re: Info on "Kampana"? (PC)
Info need on Hasita / J&M virus (PC)
Re: Possible New Virus (PC)
GenB Virus (PC)
Monkey virus help (PC)
can viruses affect ram??? (PC)
Re: Possible New Virus (PC)
Re: changing genP/genB virus (PC)
F-Prot under WinZip (PC)
Re: McAfee Virus Scan (PC)
Re: Info on "Kampana"? (PC)
HELP !! Empire Monkey.B virus (PC)
info on 'SMEG' virus? (PC)
McAfee (117) & Wordperfect 6.0a (PC)
help with a virus (PC)
What is wrong? (PC)
Re: Jack the Ripper virus: Does a remover exist anywhere??? (PC)
Monkey.Stoned virus on multimedia 486 won't go away... (PC)
Re: Jumper.B or 2KB virus (PC)
Re: .EXE infection: How is it possible? (PC)
Re: Integrity Checker? (PC)
Re: Re; No_init virus info (PC)
Re: VCL?? (PC)
Re: Info on "Kampana"? (PC)
Re: Help Win 32 Bit File Virus? (PC)
Lenart??! DH2 cleaned - but what would it have done? (PC)
Re: Possible undetectable virus?? (PC)
Re: F-PROT 2.14 is out (PC)
Re: symptoms: Insufficient mem to shell to DOS (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.)
Please sign submissions with your real name; anonymous postings will not
be accepted. Information on accessing anti-virus, documentation, and
back-issue archives is distributed periodically on the list. A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 03 Oct 94 19:33:13 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Suggestions-anti-virus kit?

Rickker wrote:
> I am new to the world of viruses, and am looking for some help in
>choosing a virus toolkit. I do service work on people's computers and

You should be careful here (aside from the @aol.com part), because a
virus toolkit is what is referred to as a toolkit which helps someone
write viruses.

>would like to add virus protecting/detection/remove to my repertoire.
> Any recommendations will be greatly appreciated.

Here, though, it is clear this isn't what you're talking about (!!
otherwise you'd get plenty of flames -- well, most likely you will
anyways...:))

For shareware, I would suggest looking at F-Prot, which has a high
detection rate as well as removal rate. For commercialware, I'd suggest
NAV 3.0. Aside from detecting all viruses in the wild, you have a
company in your country which you can reach easily and exchange things
with if you need to in a reasonable amount of time.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
  "Two types of programs do CALL ; POP .  They are viruses and a good chunk
   of DOS programs.  Down with MicroSloth."
------------------------------

Date:    Mon, 03 Oct 94 20:10:15 -0400
From:    Anthony Naggs
Subject: Re: EICAR 94 Conference

I'd like to revise what gcluley@sands.co.uk wrote a few weeks ago:
>
> EICAR 94 CONFERENCE November 23-25, 1994 "Improving Small Systems'
> Security and Safety"
>
> S&S International, developers of Dr Solomon's Anti-Virus Toolkit, are
> hosting this year's EICAR conference.
>
> The European Institute for Computer Antivirus Research (EICAR) was founded
> in 1991 in Hamburg as a European umbrella organization for people and
> organisations interested in the virus issue. CARO (Computer Antivirus
> Researcher's Organisation) is a related group, consisting of the technical
> people from leading antivirus companies, universities, and some private
> individuals.

Hmmm, there was a meeting (and seminar I believe) in Hamburg, but the
formal foundation meeting for EICAR occurred a year later in Brussels.
I would also quibble with CARO being "related" with EICAR; the
organisations exist in parallel with very different objectives - though
there is informal and formal contact (currently through myself) between
the two.

> EICAR's conference this year will be held at
> ...

The venue has been changed to: Sopwell House Hotel, St Albans (near London)

> between 23-25 November 1994. The 3 day conference concentrates on
> measures, practical experiences and standards to "Improve Small Systems'
> Security and Safety". The subtitle is "Reducing Vulnerabilities of Working
> Place Computers and Networks in Enterprises, Public Agencies and
> Institutions".
>
> This conference offers the opportunity to talk and discuss with the top 20
> anti-virus technical people in the world.
>
> Day One of the conference (November 23) is restricted to EICAR working
> group and members' meetings

Ahem, sorry to be pedantic: "Annual Members' Meeting" ought to have
capitals. Also there is an afternoon Tutorial Session.
> Program Committee:
> Alan Solomon (Chair)
> Chris Fischer
> Fridrik Skulason
> Paul Langemeyer
> Anthony Naggs

FYI: I have resigned from the Programme Committee, for reasons which I
have explained to the committee. (Which translates as: I prefer to
discuss my disagreements with the people concerned, not in a public
forum such as this).

> Organisation Committee:
> Alan Solomon (Chair)
> Julie Bartle (S&S International)
>
> Prices:
>
> Non-EICAR member: 595ukp + VAT
EICAR member: 495ukp + VAT
Optional Tutorial Session (Wednesday): 45ukp + VAT

> If you would like more information about this event contact Julie Bartle at
> S&S International PLC - email: jbartle@sands.co.uk

Regards, Anthony Naggs (editor of "eicar News")

Paper mail:                       Hat 1: Software/Electronics Engineer
PO Box 1080, Peacehaven,          Hat 2: Computer Anti-Virus Researcher
East Sussex  BN10 8PZ             PGP: public key available from keyservers
Great Britain                     Email: amn@ubik.demon.co.uk
                                  Phone: +44 1273 589701

------------------------------

Date:    Tue, 04 Oct 94 17:56:44 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: ANSI Bomb?

Rinse Balk wrote:
> >> I was wondering if anyone knew of a virus scanner/cleaner that
> >> can clean something called an "ANSI bomb"?
>
>Could someone tell me what an ANSI bomb is?
>Thanks in advance..

A small sequence, often in a text file, which uses the macro definition
capabilities of the ANSI.SYS driver to perform malicious things. For
example, one might redefine the "f" key to be "echo | format c:\" or
something. Either don't use ANSI.SYS, or use PKSFANSI or one of the
multiple drivers which don't allow for keyboard redefinition. Most Term
programs and BBS programs filter out ANSI bombs from text messages.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
  "Two types of programs do CALL ; POP .  They are viruses and a good chunk
   of DOS programs.  Down with MicroSloth."
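The filtering that Kevin Marcus says terminal and BBS programs do for the ANSI bombs described above (Brian Knight's reply later in this digest describes the same mechanism) can be reduced to one pattern: ANSI.SYS keyboard reassignment is the escape sequence ESC [ code ; "string" ... p, while colour and cursor sequences end in other letters. The scanner below is an added example written for this digest, not code from either poster; it assumes that ANSI.SYS syntax, and the sample text and its command strings are constructed placeholders.

```python
import re
import sys

# ANSI.SYS keyboard reassignment: ESC [ <key> ; <replacement> ... p
# <key> is a decimal ASCII code or a quoted character; a leading "0;N" pair
# names an extended key by scan code (0;59 is F1). The replacement is any
# mix of decimal codes and quoted strings, and the sequence ends with 'p'.
# Colour/cursor sequences end in other letters (m, H, J, K, ...) and so
# never match this pattern.
KEY_REASSIGN_RE = re.compile(
    r'\x1b\[((?:\d+|"[^"\x1b]*")(?:;(?:\d+|"[^"\x1b]*"))*)p'
)
PARAM_RE = re.compile(r'"([^"]*)"|(\d+)')


def _params(spec):
    """Split a parameter list into ("str", text) / ("num", value) tokens."""
    out = []
    for m in PARAM_RE.finditer(spec):
        if m.group(1) is not None:
            out.append(("str", m.group(1)))
        else:
            out.append(("num", int(m.group(2))))
    return out


def decode_reassignment(spec):
    """Return (key description, replacement text) for one parameter list."""
    toks = _params(spec)
    if not toks:
        return None
    kind, val = toks[0]
    rest = toks[1:]
    if kind == "num" and val == 0 and rest and rest[0][0] == "num":
        key = "extended scancode %d" % rest[0][1]   # function keys etc.
        rest = rest[1:]
    elif kind == "num":
        key = repr(chr(val)) if 32 <= val < 127 else "code %d" % val
    else:
        key = repr(val)
    # Numeric parameters in the replacement are raw characters; 13 is Enter,
    # which is what turns a rebound key into an executed command line.
    replacement = "".join(chr(v) if k == "num" else v for k, v in rest)
    return key, replacement


def find_key_reassignments(text):
    """List every key reassignment in text (bytes are decoded as latin-1)."""
    if isinstance(text, bytes):
        text = text.decode("latin-1")
    hits = []
    for m in KEY_REASSIGN_RE.finditer(text):
        decoded = decode_reassignment(m.group(1))
        if decoded:
            hits.append({"key": decoded[0], "replacement": decoded[1],
                         "offset": m.start()})
    return hits


def strip_key_reassignments(text):
    """Drop reassignment sequences but keep colour/cursor codes, which is
    what a BBS or terminal program that filters ANSI bombs does."""
    if isinstance(text, bytes):
        text = text.decode("latin-1")
    return KEY_REASSIGN_RE.sub("", text)


# Constructed sample "text file": ordinary colour codes plus two
# reassignments whose command strings are harmless placeholders.
SAMPLE = (
    "\x1b[1;31mWelcome to the board\x1b[0m\r\n"
    '\x1b[102;"echo ansi bomb triggered";13p'            # rebinds "f" (ASCII 102)
    'Press a key to continue...\x1b[0;59;"dir";13p\r\n'  # rebinds F1 (0;59)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in find_key_reassignments(data):
        print("offset %d: key %s -> %r" % (h["offset"], h["key"], h["replacement"]))
```

Run with a file name to scan that file, or with no arguments to scan the built-in sample; it only recognises the reassignment sequence and does not emulate the rest of ANSI.SYS.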
------------------------------

Date:    Tue, 04 Oct 94 18:00:51 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Stealth Virus

Rinse Balk wrote:
>Hello All!
>
>What's a stealth virus? Does it use (new) techniques that should not be
>detected by AV-products?

A stealth virus is a virus which tries to cover up for its infection.
There are generally two types of stealthing -- filesize stealthing and
fileread/open stealthing.

Filesize stealthing is when a virus infects a file, but when you type
dir, one can not see a growth in filesize. Not all viruses need to be
memory resident to perform this. (Dir-II, Darth Vader)

Fileread/open stealthing is where a program is "disinfected on the fly"
by the virus which must be active in memory. If a system is scanned with
this type of virus in memory, it will not be detected in any files.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
  "Two types of programs do CALL ; POP .  They are viruses and a good chunk
   of DOS programs.  Down with MicroSloth."

------------------------------

Date:    Tue, 04 Oct 94 18:57:22 -0400
From:    btknight@ux5.cso.uiuc.edu (knight brian thomas)
Subject: Re: ANSI Bomb?

Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk) writes:
> >> I was wondering if anyone knew of a virus scanner/cleaner that
> >> can clean something called an "ANSI bomb"?
>Could someone tell me what an ANSI bomb is?

An ANSI bomb is a bit of code written for ANSI terminals (specifically
PCs) that remaps the keyboard into something insidious such as
echo y | format c: or some such damaging command.

- --
X| Brian T. Knight / "Thunder Force" | UIUC CS undergrad/CMDEP mentor |X
X| btknight@ux5.cso.uiuc.edu         | "It's a new world every day."  |X
X| Finger for PGP v2.3a key          |                 -- Anonymous   |X

------------------------------

Date:    Wed, 05 Oct 94 06:03:49 -0400
From:    Jack Hatfield
Subject: Re: Netcom distributing viruses

Regardless of any weirdo or misguided view of the freedoms in the
country, one major freedom is the right to protect yourself and your
property. I warn any person or company that is distributing any virus,
that if my system is infected, I will apply a law already on the books.
I will personally arrest the person responsible for violation of
California Penal Code Section 594 (Vandalism) and sue the person or
company to the full extent of the law. Take my advice, don't screw
around with other people's property just because you think you have
some off-the-wall right to do so. Because you DON'T and it is HIGHLY
ILLEGAL.

Jack R. Hatfield (JRHII@DELPHI.COM)

------------------------------

Date:    Wed, 05 Oct 94 08:11:03 -0400
From:    "The Radio Gnome"
Subject: Re: Netcom distributing viruses

bradleym@netcom.com writes:
>Terry Reeves (treeves@magnus.acs.ohio-state.edu) wrote:
>> ygoland@hollywood.cinenet.net (Yaron Y. Goland) wrote:

>A lot of people would be happy to see a lot of things made illegal.
>Fortunately I can't see code being made illegal. And remember, when code
>is outlawed, only outlaws will code.
>
>> Some are designed to protect children. As a US citizen and a citizen
>> of the state of Ohio, I am not allowed to give or sell alcohol to minors.
>> An adult cannot have sex with a minor.
>
>But this is a poor analogy. If applied to viruses it would be similar to me
>infecting your computer. I consider making virus code, or even live
>viruses, available similar to showing a minor how alcohol is made, or what
>sex is. It's called education, and last I heard it's still legal to learn
>things.

...but your own analogy breaks down here. Once again, as I've stated in
the past the real issue is CONTROL.
Education about sensitive topics like sex, drugs, alcohol and firearms
should be done under controlled conditions. Making virus code available
for general download is more like making copies of "The Anarchists
Cookbook" available in the school library. Children need to be taught
about guns, etc. They don't need recipes for firebombs, nor do they
need easy access to source code for Stoned or FORM.

>> It is a crime to let a virus loose on someone else's computer.
>
>If the text that makes up virus source code were made illegal, then it
>would also not be such a far stretch to say that telling someone to type
>"format c: /u" would be illegal as well.

I don't think that virus source code should be made illegal, but it
definitely needs to be controlled. We have controlled substances on the
books and I think we need controlled source code as well.

Re: FORMAT, I thought we beat this analogy/argument to death two years
ago? We as system managers/support personnel have a reasonable amount
of control over format, fdisk, diskcopy, etc. They are known,
documented utilities that don't sneak under the door the way a virus
does. If a user formats their C drive, then it's their fault. If a virus
that some student downloaded and hacked gets into a university lab and
slips past F-PROT, that's a whole different matter. Format's damage is
limited, viral damage in many cases isn't.

>I do agree that some people should not have access to viruses. These are
>people that have nothing better to do than try to damage other's
>computers. But I don't think that the flow of any information should be
>stopped because of a few people.

And how can you be 100% sure that "some people" are not netcom
subscribers? Do you screen your customers?
Andy Wing (CNE) - Temple University Computer Services
Big Brother is not watching you, you're watching Big Brother, all 181 channels

------------------------------

Date:    Mon, 03 Oct 94 09:31:32 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: Re: Anyone heard of a virus for a SCO XENIX system? (UNIX)

> Date: Mon, 12 Sep 94 14:42:39 -0400
> From: frisk@complex.is (Fridrik Skulason)
> ertan@ponder.csci.unt.edu (Ertan Zanagar) writes:
>
> > Does anyone know if there is a virus out there that would
> >in any way affect a SCO XENIX system? Any help is much appreciated.
>
> assuming the hardware is standard, ibm pc compatible, any MBR-infecting
> virus may be able to infect the machine, although it will probably be
> prevented from spreading, once Xenix takes over.

There is a current problem with an MS-DOS virus that is infecting all
Intel based Unix systems. The virus was delivered shrink wrapped in a
device driver for a tape drive. The manufacturer was notified and should
have corrected the problem by now. Reinstall any tape drive device
drivers with a fresh copy and see if the problem goes away. The virus
has the effect of strange filesystem changes and random crashes.

Pete Radatti
CyberSoft, Inc.
radatti@cyber.com

PS: See everyone at Unix Expo!

------------------------------

Date:    Mon, 03 Oct 94 12:02:04 -0400
From:    felfs!awsl3@uunet.uu.net (A.W.van Steijn)
Subject: PC-virus transportable to mainframe? (PC-VAX/UNIX)

Hi there,

Anyone heard about the possibility of a virus which can run on a
PC-based (pref. MS-DOS) system and is also able to infect a
mainframe??? I know about worms on mainframes but have never heard of
them on PC's. Also I know that there are _a lot of_ viruses around, but
have never known any of them to infect a mainframe (VAX/VMS, UNIX or
AS/400).

The question was put to me by a friend of mine and, being an "expert" on
security, he thought I could give him a direct answer. If someone has
ever heard of such strange things, please email me.
Andy
AWvSteijn@fel.tno.nl

#############################
This is purely my business.
#############################

------------------------------

Date:    Sat, 01 Oct 94 15:03:28 -0400
From:    Iolo Davidson
Subject: Lenart? or CPAV blof. (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se "Amir Netiv" writes:

> I don't recall ever
> seeing any Anti Virus of your production.

Vesselin Bontchev is one of the few really expert anti-virus people who
is not associated with a commercial product. I think this makes his
contribution here even more valuable, as it defuses any talk of bias
towards one product or another.

> Let's see you do something more productive ;-)

We need an honest and respected critic much more than another software
supplier.

- --
   TO A SUBSTITUTE
 NOTHING HE GAVE A TRIAL
   BUT HIS SMILE
   IT TOOK OFF
       Burma Shave

------------------------------

Date:    Sat, 01 Oct 94 15:03:42 -0400
From:    Iolo Davidson
Subject: Thunderbyte anti-virus - how good? (PC)

clotsche@coh.fgg.EUR.NL "Pim Clotscher @ COH" writes:

> Where can I get objective information about the thunderbyte
> anti-virus package? There was a review/test in Virus Bulletin of
> july 1994, but I have no access to that information. Can anybody
> tell the conclusion / strong points, weak points, etc.?

I expect Richard Ford will be along to summarize the VB test.

In a test in SECURE Computing (I'm technical editor) of *just* the
ability to find viruses in memory, which is important for combating
stealth viruses, Thunderbyte came off worst of the ten products tested,
with a score of 2 out of a possible 24. Products that scored well were
Dr. Solomon's (24), McAfee (22), Virex (21), FProt (20).

I understand Thunderbyte is considerably better at finding viruses in
files and on disks than its performance in the memory detection test
might suggest.

- --
   TO A SUBSTITUTE
 NOTHING HE GAVE A TRIAL
   BUT HIS SMILE
   IT TOOK OFF
       Burma Shave

------------------------------

Date:    Sat, 01 Oct 94 20:09:56 -0400
From:    Zvi Netiv
Subject: Help needed with PINWORM (PC)

-=> Quoting Jay Fuller to All <=-

 JF> I've had a caller report to me on my system he is infected with
 JF> pinworm, and he is really anxious to get a clean for it. is there a
 JF> clean out anywhere which will totally get rid of Pinworm?
 JF> Really appreciate it!

Hello Jay,

Yes, there is a way to totally get rid of Pinworm, with the IVX generic
correlation scanner. Pinworm has been in the wild for 6 to 8 months
already and although samples were sent to most leading AV developers,
there is not one signature scanner that I know of at this moment that
detects it in files.

The generic correlation scanner, included in InVircible version 6.01+,
will identify all the files affected by Pinworm, when correlated against
one sample file known to be infected! It's easy to recognize such a
file - just look in your DOS directory and find one file that increased
in size; at the most - just purposely infect one by running the file,
CHKDSK for example.

A few instructions to get it right at the first shot: As Pinworm is
heavily encrypted and polymorphic, decrease the detection threshold to
1% (one percent) instead of the 20% default. At the most, a couple of
innocent files may be incriminated, but you get all the infected ones as
well.

Operating with IVX is somewhat similar to what surgeons do to malignant
tissue - excuse the analogy, but that's the simplest way to explain it.
IVX will rename the affected files to non executable extensions, list
them in a report, and you can then replace the infected ones from
backup.

Pity your friend didn't have InVircible installed before being hit. You
could have recovered the infected files in a minute or so, as well as
having spotted and removed the infection source! Don't bother sending
me samples, I don't need them!
Best Regards,

Zvi Netiv, InVircible
. Available at: ftp.datasrv.co.il/pub/usr/netz/invb601.zip
. Registering InVircible in the US, call 1-800-NOVIRUS

------------------------------

Date:    Sat, 01 Oct 94 23:29:01 -0400
From:    jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: vds30p.zip - AV package w/scanner, integrity checker etc. (PC)

tyetiser@gl.umbc.edu (Mr. Tarkan Yetiser) says:
>
>I have uploaded to the SimTel Software Repository (available by anonymous
>ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):
>
>SimTel/msdos/virus/
>vds30p.zip    AV package w/scanner, integrity checker etc.
>
>VDS 3.0p is a comprehensive anti-virus package with a fast scanner,
>robust integrity checker, decoy launcher, generic remover, excellent
>network support and an easy-to-use user interface. It also includes a
>low-level disk utility to effectively deal with boot sector viruses.
>
>Special requirements: None
>
>vds30p.zip has replaced vds30m.zip.
>
>ShareWare. Uploaded by the author.
>
>Tarkan Yetiser
>tyetiser@cyberia.com
>

Has anyone/organization tested this tool yet? Is it any good?

- ---
Joe Lawrence                 |"All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be   - Nietzsche
Rockwell International       | To be is to do   - Sartre
jfl@hobbes.cca.rockwell.com  | Do be do be do   - Sinatra

------------------------------

Date:    Sun, 02 Oct 94 15:59:01 -0400
From:    g9417079@uow.edu.au (HUNDEWALE NISARAHMED)
Subject: Partition Table(PC)

hi,
can u tell me how I remove a virus from the partition table? I've got
Windows 3.1 running on that PC.

Thanx
g9417079@cc.uow.edu.au

------------------------------

Date:    Sun, 02 Oct 94 16:49:46 -0400
From:    iandoug@cybernet.za (Ian Douglas)
Subject: Re: Virus Source code on CD ROM? (PC)

Mike McCarty (jmccarty@spd.dsccc.com) wrote:
> Ian Douglas wrote:
> [stuff deleted]
> )What the heck do you think Ludwig is doing? Or is selling viruses somehow
> )different to spreading them?
> Yes, selling and spreading are different things. Labs sell HIV. They do
> not spread it.

Do they sell to anyone?

> )We just had this major debate on FidoNet and I have no particular desire to
> )have it all over again. Suffice it to say that the underground failed to
> )convince us that giving free access to viruses and virus source code was a
> )good thing.

> Nor do I. I am not posting to Fido Net. I am not underground. I do not
> know who "us" is, but I am convinced that freely accessible virus source
> will make writing viruses a thing of the past. There is probably no hope
> of discussing this with you further.

Aye. "us" is the AV crowd...

> )In general, they failed to understand the link between freedom and
> )responsibility.

> I -do- understand this. Anyone who obtains and misuses a virus should be
> held accountable. Just as anyone who obtains a match and misuses it
> should be held accountable.

Parents teach their kids that burning other people's stuff is Not Done.
However computer ethics are not taught yet... and until they are, those
people with dangerous code must be careful who they give it to.

Cheers,
Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas         Lead, Follow,          34 InterNet: iandoug@cybernet.za
P.O. Box 484        or get out of        1,73 FidoNet:  5:7102/119
7532 Sanlamhof      the way.               57 TopNet:   225:2048/1
South Africa        (Ted Turner, CNN)    INTB PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date:    Sun, 02 Oct 94 19:25:55 -0400
From:    hamrag@cix.compulink.co.uk (Humbug Software)
Subject: Re: Best Anti-virus software (PC)

Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk) wrote:
>In the latest edition of Byte is a NLM av test..
>Someone else has my edition, so i can't give you the results.
>I can remember that they weren't very pleased with Netshield.

In my opinion the review was a complete waste of time and has only
succeeded in bringing Byte into disrepute. I believe Fridrik Skulason
of F-Prot and Vesselin Bontchev have made similar comments about the
quality of that "av test", and the review made a large number of
inaccurate comments and misunderstandings about the product I
represent.

Virus Bulletin have reviewed a number of the popular anti-virus NLMs.
Maybe they would be a better source for information.

Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]: S&S International PLC
Product Specialist,                : Alton House, Gatehouse Way
Dr Solomon's Anti-Virus Toolkit    : Aylesbury, Bucks, UK

------------------------------

Date:    Sun, 02 Oct 94 19:26:16 -0400
From:    hamrag@cix.compulink.co.uk (Humbug Software)
Subject: Re: Info on "Kampana"? (PC)

dklein@pluto.njcc.com (Dorothy Klein) wrote:
> OK so far. But when I tried to find information on Kampana,
> it wasn't in the virus descriptions accessible from F-Prot.

It's in F-Prot 2.14 as "Campana" with a "C". Though I think it should
have a 'K' myself.. It's also known as Telefonica (the name of the
Spanish telephone agency), and by some scanners as Spanish Telecom.

Kampana is a memory-resident file virus, and partition sector virus
dropper.
It infects program files on execution, and replicates in the usual way.
It doesn't do this if Stoned is present.

The following text is found inside the virus:

"(C) 1990 Grupa HOLOKAUSTO (Barcelona, Spain)
KampanaAnti-TELEFONICA: Mejor servicio, Menores tarifas..."

After a number of reboots from an infected hard disk, sectors on the
disk are erased.

I seem to remember Dicky Ford of Virus Bulletin telling me his
encounter with this beastie was his entry into the world of computer
viruses.

Graham

- ---
Graham Cluley [gcluley@sands.co.uk]: S&S International PLC
Product Specialist,                : Alton House, Gatehouse Way
Dr Solomon's Anti-Virus Toolkit    : Aylesbury, Bucks, UK

------------------------------

Date:    Mon, 03 Oct 94 04:28:23 -0400
From:    Mikko Hypponen
Subject: Info need on Hasita / J&M virus (PC)

Michael Vollmer (vollmerm@fh-nuertingen.de) wrote:
> I need info about the virus Hasita / Genp (so called by McAfee SCAN)
> or J&M (so called by F-Prot)? Who can help me?

Well, this virus was mentioned briefly in the F-PROT Professional 2.13
Update Bulletin, which was published in June 1994. Here's the relevant
section (F-PROT Professional Bulletins can be ftp'd in full from
oak.oakland.edu, ftp.informatik.uni-hamburg.de and ftp.datafellows.fi):

J&M
- ---

A new boot sector virus called J&M has been reported to be in the wild
in the Czech Republic, Hungary and Poland. This virus infects diskette
boot sectors and hard disk MBRs in the usual manner. J&M is a
destructive virus, activating on the 15th of November. Upon activation,
it enters an infinite loop and formats the first tracks of the first
hard drive.

There has also been a large-scale outbreak of J&M in Iceland. This is
quite remarkable in itself, since before this incident no new viruses
had been detected in Iceland for over two years. The virus was probably
brought into Iceland in a portable PC which had been infected while its
owner was traveling in Eastern Europe.

F-PROT is able to detect and disinfect the J&M virus.
- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date:    Mon, 03 Oct 94 10:13:21 -0400
From:    Mikko Hypponen
Subject: Re: Possible New Virus (PC)

Joeshmoe (joeshmoe@world.std.com) wrote:
> I have learned some more information about this virus.
>
> 1. It only infects .EXE files.
> 2. It is memory-resident
> 3. It only infects .EXE files when they are accessed.
> 4. It has been distributed on several pirate FTP sites, listed as "ARJ 3.0
> (Registered)"

It seems that the virus you had was VLamiX. However, you mentioned that
EXE files were grown by 1091 bytes - are you sure about this? The reason
I'm asking is that the version of VLamiX we've seen was 2206 bytes in
size. In any case, here's a short description of VLamiX, taken from the
F-PROT Professional 2.14 Update Bulletin:

VLamiX
- ------

The VLamiX virus spread through BBS systems in an archive called
A30!PWA.ZIP. The archive was supposed to contain the version 3.0 of the
popular ARJ archiver. Robert Jung, the author of ARJ, has confirmed that
ARJ 3.0 has not been released. The whole incident happened near the end
of August.

VLamiX is a simple resident file virus; it infects EXE files when they
are opened, and appends an encrypted copy of itself. It uses a simple
encryption routine with a 16-bit decryption key which changes between
infections. However, the decryption routine does not change and it
makes the virus easy to spot. The virus contains several bugs. It often
manages to corrupt a file irreparably instead of infecting it.

The name VLamiX is taken from a text string found underneath the
virus's encryption:

    smartc*.cps
    chklist.*
    -=*@DIE_LAMER@*=-
    CHKLIST ???
    CHKLIST.CPS
    VLamiX-1

VLamiX attacks CPAV and MSAV by deleting their checksum files.

F-PROT 2.14 detects the VLamiX virus.
- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date:    Mon, 03 Oct 94 11:15:13 -0400
From:    news@vdd.vlsi.ll.mit.edu
Subject: GenB Virus (PC)

My dad just called me to ask for some help on getting rid of a virus
called GenB. His antivirus program detects it, removes it, and says that
it is all gone. When the computer is turned on again, the virus has
reappeared. Any ideas on how to properly kill this thing? Please send
responses directly to rich@vdd.vlsi.ll.mit.edu

Thanks
Rich D'Onofrio
MIT Lincoln Laboratory

------------------------------

Date:    Mon, 03 Oct 94 12:51:53 -0400
From:
Subject: Monkey virus help (PC)

I have lots of diskettes infected wid the monkey virus, according to my
school's antivirus scanner; I tried to use their antivirus software,
McAfee. But it didn't seem to work. I also have a few disks infected wid
the genb virus...; can anyone tell me about a good software program that
finds and kills these viruses. I also think that my PC's hard drive of
about 240mb may also be infected. I hope that there's some good
antivirus software out there that can eliminate viruses in hard drives,
without the need of reformatting again...

thanks
Rafale Chan

------------------------------

Date:    Mon, 03 Oct 94 13:07:57 -0400
From:
Subject: can viruses affect ram??? (PC)

My PC uses ms-dos 5.00, and I ran the mem.exe file from DOS to check
how much RAM I had available to run my programs. I also realized that
the RAM base was 638KB only, instead of the usual 640KB for basic RAM.
I'm not sure if this has something to do with viruses but I think that's
possible. If there's anyone who has had this kind of problem before and
was able to fix it, please send me some info on how I can gain back
those 2KBs missing in my RAM.
Thank you very much
Rafale Chan

------------------------------

Date:    Mon, 03 Oct 94 12:39:06 -0800
From:    a_rubin%%dsg4.dse.beckman.com@biivax.dp.beckman.com
Subject: Re: Possible New Virus (PC)

joeshmoe@world.std.com (Joeshmoe) writes:

>I have recently been having problems on my computer that leads me to believe
>I have a virus:
> 1. The first thing I noticed, was that I started getting a message
> saying "Too many files open" when I tried to run certain programs.
> This got more frequent, to the point where just running the
> programs in my AUTOEXEC.BAT gave me this message.

Some of the other things you said lead me to believe you have a virus
also, but this, alone, can happen with other file-corrupting systems
(such as Windows :-)))

- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arubin@pro-sol.cts.com (personal)
My opinions are my own, and do not represent those of my employer.
This space intentionally left blank.

------------------------------

Date:    Mon, 03 Oct 94 19:35:08 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: changing genP/genB virus (PC)

Rob Vlaardingerbroek wrote:
>
> by SCAN 117 when reporting those viruses:
>
>- --cut--
>The following was nice and probably right, but are you aware that the official
>mcafee software nowadays is called scan 210e. Think you should use that in a
>test like this, not knowing the results, could be the same :-)

Actually, I heard that the newer scan has an even poorer detection rate
than the newer version. This is probably why most people have not moved
to it.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
     Email: datadec@cs.ucr.edu.
  "Two types of programs do CALL ; POP .  They are viruses and a good chunk
   of DOS programs.  Down with MicroSloth."
------------------------------

Date: Mon, 03 Oct 94 22:05:06 -0400
From: mike.murphy@atlwin.com (Mike Murphy)
Subject: F-Prot under WinZip (PC)

I need some help with F-Prot v2.14 (or any version for that matter). I
use Windows religiously and would rather not go to DOS (although I know
DOS and have used it since 1986). I use a shareware program called WinZip
v5.5 (which I highly recommend!!) to test downloaded files. I would
rather use F-Prot to do the virus scanning in iconized background (not
visible as a DOS session). The problem comes with the report. When F-Prot
is finished scanning, WinZip brings up the report. There is no
information. I have read over the command switches and nothing seems to
fit into that category. This is different with McAfee, which offers a
complete and detailed report using these switches:

   /nomem *.*/all/sub

To all the F-Prot gurus (Fridrik Skulason?)... PLEASE help... I would
rather use F-Prot than McAfee any day.

Thanks... Murfster
mike.murphy@atlwin.com

- --- CMPQwk #1.4. UNREGISTERED EVALUATION COPY
- ----
+---------------------------------------------------------------------+
| The Atlanta Windows BBS (404)516-0048 9 high-speed USR nodes        |
| Largest Win-specific BBS in the SouthEast- CDROMs, RIME, INTERNET   |
+---------------------------------------------------------------------+

------------------------------

Date: Mon, 03 Oct 94 23:30:55 -0400
From: gpinzone@ic.sunysb.edu (King of All Tech Support)
Subject: Re: McAfee Virus Scan (PC)

jmccarty@spd.dsccc.com (Mike McCarty) writes:
>Vesselin Bontchev wrote:
>
>[stuff deleted]
>
>)The new VirusScan as it is now (version 2.10) is *significantly* worse
>)than the old one (version 117) in the sense that it detects much fewer
>)viruses and has much more unreliable detections. Therefore, I wouldn't
>)advise anybody to rely on it for virus protection - at least not until
>)it catches up with the old one.
>
>I also find it gets stuck in infinite loops.
I tried to load it high with QEMM 7.5 and it would totally lock up the
system. Also, the VSHLDWIN.EXE program reported that the VSHIELD.EXE
program was not run when it obviously knew that it was.

I have always used F-Prot and McAfee virus scanners and protectors. I
have yet to run into a situation where one found a virus and the other
didn't. Most people on the net seem to prefer F-Prot over McAfee;
however, my concern is over Windows. McAfee has a Windows module, F-Prot
doesn't, nor does it mention that it is active in Windows. Since I am a
newcomer here, I'd like some advice. BTW, McAfee suggests that the 2.11
is better than 117 and they will NOT continue the 1xx line of SCAN,
CLEAN, and VSHIELD.

------------------------------

Date: Tue, 04 Oct 94 06:42:29 -0400
From: chl@dmu.ac.uk (Conrad Longmore)
Subject: Re: Info on "Kampana"? (PC)

dklein@pluto.njcc.com (Dorothy Klein) writes:

> OK so far. But when I tried to find information on Kampana,
>it wasn't in the virus descriptions accessible from F-Prot. The
>big summary DOC just says that Kampana is detected exactly and disinfectable
>with F-Prot. VSUM doesn't list Kampana ANYWHERE -- I did a full search for
>it.

Kampana is also known as the following: Campana, Telecom Boot, Telefonia
Boot and Anti-Tel. I'm afraid it's just another victim of non-standard
names. :(

>"Campana" means "bell" in Spanish -- would this virus by any chance
>make the computer beep?

The virus does appear to originate from Spain. Probably "bell" refers to
a telephone bell or some such.

- --
/ Conrad Longmore / De Montfort University,  / Tel: (01234) 351671 x273 /
/ IT Services     / Bedford Polhill Campus,  /      (01234) 351966 x377 /
/-----------------/ Polhill Avenue, Bedford  / Fax: (01234) 217738      /
/ chl@dmu.ac.uk   / MK41 9EA, United Kingdom / Mobile: (0374) 747631    /

------------------------------

Date: 04 Oct 94 07:27:46 -0400
From: robgarr@wvnvms.wvnet.edu
Subject: HELP !!
Empire Monkey.B virus (PC)

I currently have a diskette with the Empire Monkey.B virus. I tried to
use F-Prot 2.14, the latest version. F-Prot says the virus was removed,
but if you scan it again the virus is still there. Anyone out there have
a clue on what I should do next??

Please E-mail your suggestion to Garrison@wvuaccess1.acc.wvu.edu

------------------------------

Date: Tue, 04 Oct 94 15:42:14 +0000
From: julianh@sni.co.uk (Julian Haddrill)
Subject: info on 'SMEG' virus? (PC)

Dear All,

We have had a warning here that the 'SMEG' virus is on the loose around
our networks. But I can't find any information about it. Can anyone
please give me some details about this virus/strains?

Regards,
Julian

------------------------------

Date: Tue, 04 Oct 94 11:42:04 -0400
From: THE GAR
Subject: McAfee (117) & Wordperfect 6.0a (PC)

Can anyone explain to me why, when I load WordPerfect WITHOUT VShield in
memory, it loads in under 10 seconds, but when I load it WITH VShield it
takes 1 minute 35 seconds? Is there a fix for this? Performance
THROUGHOUT the use of WordPerfect 6.0a for Windows is SIGNIFICANTLY
IMPAIRED when VShield is in memory.

/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
! Later        +  Supervisor Computer Networking and Repair          !
! Gary Warner  +  Samford University Computer Services               !
!              +  II TIMOTHY 2:15                                    !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

------------------------------

Date: Tue, 04 Oct 94 11:42:57 -0400
From: ROBARR@idl.org.pe (Roberto Arroyo)
Subject: help with a virus (PC)

I have some problems here in Peru. We have at least 2 machines
contaminated with a 'supposed' virus. The symptoms are:

- - time changed to 00:00:00 or 12:00:00am
- - COMMAND.COM grows in size (DOS 5.0 changes from 47xxxx to 50xxx)
- - Ventura (GEM version) doesn't run (the program freezes after the
    cursor appears)

If somebody can help me I'll be very grateful. Please answer directly to
my address since I'm not in VIRUS-L anymore.
Roberto Arroyo
IDL Postmaster
robarr@idl.org.pe
postmast@idl.org.pe
- --------------------------------------------------
robarr@idl.org.pe - postmast@idl.org.pe
Postmaster del Instituto de Defensa Legal
Toribio Polo 248 - Miraflores
tlf: 410192 anx 27
- --------------------------------------------------

------------------------------

Date: Tue, 04 Oct 94 11:50:45 -0400
From: nghict@singnet.com.sg (Charles Ng)
Subject: What is wrong? (PC)

I scanned my PC using VShield 5.61 V116 and only found a [GenP] virus
when running c:\windows\smartdrv.exe /double_buffer or
c:\dos\smartdrv.exe /double_buffer in my CONFIG.SYS file. I've tried
re-installing a new DOS/Windows (protected disk) and yet the problem
persisted. Can anyone explain this?

------------------------------

Date: Tue, 04 Oct 94 13:20:20 -0400
From: karpens@frodo.ncssm.edu (Simon Karpen)
Subject: Re: Jack the Ripper virus: Does a remover exist anywhere??? (PC)

If the virus only infects the boot record, boot up from a clean
(write-protected) DOS floppy (with FDISK, etc.) and run FDISK /MBR. That
will overwrite the MBR with a new one (assuming your MBR boots to DOS; a
Linux user would need to re-install LILO, and an OS/2 user would need to
reinstall Boot Manager), but this will eliminate almost any MBR virus.

Hope this helps.

- --
Simon Karpen karpens@ncssm-server.ncssm.edu
flames to /dev/null
DOS is dead, long live Linux
#include

------------------------------

Date: Tue, 04 Oct 94 14:52:04 -0400
From: Iolo Davidson
Subject: Monkey.Stoned virus on multimedia 486 won't go away... (PC)

BERGERA@Citadel.edu "Andy Berger - ITS User Support Services 803-953-6988" writes:

> Tried FDISK/MBR to no avail. Tried F-Prot and CLEAN with no
> effect. F-Prot says to boot from a clean disk. When I do this,
> it "disengages" the hard drive so the system doesn't recognize
> it. Reboot from the hard drive and the drive "pops" back to life
> as if nothing happened.
This can happen if you boot with an early version of DOS (v3.x) and the
C: drive has been formatted larger than 32MB with v4.x or later. Or it
can be a virus (Monkey does do this). You can also have a virus without
this effect.

> Microsoft Antivirus doesn't even find the virus.

There are thousands of viruses MSAV won't find. Try a better and more
up-to-date scanner.

> It hasn't done any damage (yet) so maybe there's really no
> virus????

Most viruses don't do any particular, noticeable damage. Those that do
harm may not do it right away, or may do subtle damage you don't notice
right away.

- --
TO A SUBSTITUTE / NOTHING HE GAVE / A TRIAL / BUT HIS SMILE / IT TOOK OFF
                                                              Burma Shave

------------------------------

Date: Tue, 04 Oct 94 18:08:57 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Jumper.B or 2KB virus (PC)

Carole Sparke wrote:
>Has anyone come across information on a virus identified as Jumper.B by
>the F-PROT software or 2KB by the McAfee SCAN software? I'd be
>interested to know what it does (retrospectively now that we have cleared
>up the infection and have a copy isolated!). A pointer to an FTP-able
>information file would be fine if the answer's a long and complicated one.

Hm. I have examined a virus called "Jump.466" before, which doesn't
attempt to do anything intentionally harmful to the system.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk
of DOS programs. Down with MicroSloth."

------------------------------

Date: Tue, 04 Oct 94 18:25:27 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: .EXE infection: How is it possible? (PC)

Diego Montanez wrote:
> I have a question: how does a virus manage to attach itself to
> an executable file (.COM, .EXE) and still the executable can
> be run (of course, after the viral code has been executed)?
Well, there are many infection methods for .COM file types, but I will
explain the first method (this also leaves out a few details here and
there, and by no means is anything fixed. :)) :

1) The virus is executed.

2) It looks for some other .COM file to infect. Once it finds one, it
   opens it up for reading. It reads in the first three bytes and
   records the length of the file it is going to infect.

3) The first three bytes are placed in a static data area inside the
   body of the virus in memory.

4) The virus writes an E9 (JMP) opcode to the first byte of the original
   file, and writes a new jump displacement as a word value immediately
   after it. This value is directly related to the virus's length and
   the execution point of the virus.

5) The virus writes its entire self to the end of the file, including
   the data area which has the original three bytes of the real program.

- -=-

The next time this file is executed, it follows the jump to the end of
the file and does the above four steps. (While the pseudo germ also does
this stuff below, I left it out intentionally):

6) The virus then moves the three bytes from the storage area to CS:100
   in memory.

7) Control is returned to CS:100.

- -=-=-=-

EXE infection is similar, except the things saved are the CS:IP and
SS:SP offsets in the EXE header as a bare minimum. Some viruses also
adjust other fields, such as program size and such. Basically, .EXE
files have a pointer to where the beginning of the program is and the
beginning of the stack is. The virus just records these and changes them
to point to itself.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk
of DOS programs. Down with MicroSloth."

------------------------------

Date: Tue, 04 Oct 94 18:29:38 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Integrity Checker?
(PC)

Piet de Bondt wrote:
>Jeffrey Rice - Pomona College, California. wrote:
>> I noticed a few posts ago a bit on how NAV's inoculation isn't as
>>secure as it could be. (I think it was Vesselin....) Anyway, that is about
>>the only part of NAV I do rely on. I know some other products have checksumming
>
>F-Prot and TBAV at least do a sanity-check on their own programs, and (as

Since I suppose this could be considered a part of integrity checking,
for your own info, NAV also performs a sanity check on itself to make
sure it is not infected with a known or unknown virus.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk
of DOS programs. Down with MicroSloth."

------------------------------

Date: Tue, 04 Oct 94 18:29:42 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Re; No_init virus info (PC)

Kazatski Oleg Nikolaevitch wrote:
>brett_miller@ccm.hf.intel.com (Brett Miller - N7OLQ) writes:
>
>> I am looking for information on the no_init virus. I have checked many
>> different sources and can not find any mention of this virus.
>
>*** SCAN ***
>
>A Infects Fixed Disk Partition Table-A-------------------+
>9 Infects Fixed Disk Boot Sector-----9-----------------+ |
>8 Infects Floppy Diskette Boot-------8---------------+ | |
>7 Infects Overlay Files--------------7-------------+ | | |
>6 Infects EXE Files------------------6-----------+ | | | |
>5 Infects COM files------------------5---------+ | | | | |
>4 Infects COMMAND.COM----------------4-------+ | | | | | |
>3 Virus Installs Self in Memory------3-----+ | | | | | | |
>2 Virus Uses Self-Encryption---------2---+ | | | | | | | |
>1 Virus Uses STEALTH Techniques------1-+ | | | | | | | | |
>                                         | | | | | | | | |   Increase in
>0 Contains accurate info ----------0-+ | | | | | | | | | |  Infected
>                                     | | | | | | | | | | |  Program's
>                                     0 1 2 3 4 5 6 7 8 9 A    Size
>                                     | | | | | | | | | | |     |
>Virus            Disinfector         V V V V V V V V V V V     V   Damage
>
>No-Int [Stoned]  Clean-Up            N . . x . . . . x . x    N/A    O

This virus infects the hard disk master boot sector and does not at all
modify the partition data table in this sector. The "fabulous" thing
about this virus is that it executes no INT instructions in it, which I
believe was the first virus to do so. This isn't anything fancy, except
that some time ago, some anti-virus products thought they would be able
to use "am I in memory" checks that viruses used with interrupts (kinda
like in Ralf Brown's interrupt list) to determine whether or not a virus
was in memory. Needless to say, this was not the best idea and it caused
many systems to crash when some weird interrupt was called and already
used for some other BIOS deal or similar function.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk
of DOS programs. Down with MicroSloth."
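As an added example (not code from the digest or from Kevin Marcus), the .COM infection method he lays out step by step in his "Re: .EXE infection: How is it possible?" reply above, simulated on byte strings in Python. Nothing in it executes or replicates: the sample host, the inert placeholder "body" and the [saved three bytes][body] layout of the appended block are assumptions of this example, since the post only says the saved bytes live in a data area inside the body. It shows the file-level transformation of steps 2 to 5, the reverse of it that a disinfector applies to the file, and the point about the jump displacement: for a .COM it depends only on the host length and where in the appended block execution begins, because the 0100h load address cancels out of a relative jump.

```python
"""Simulation of the .COM infection method described above, on bytes in memory.

Nothing here executes or replicates: the appended "body" is a constructed
inert placeholder. What is modelled is the file-level transformation
(save the first three bytes, patch an E9 JMP at offset 0, append the body
with the saved bytes inside it) and the exact reversal a disinfector
performs. Layout details the post does not fix are marked as assumed.
"""
import struct

COM_ORG = 0x100      # DOS loads a .COM image at CS:0100h
JMP_NEAR = 0xE9      # E9 rel16: near JMP, displacement relative to the next instruction

# Constructed sample host: MOV AH,09h / MOV DX,0108h / INT 21h / RET, then "Hi$".
# Used only as bytes; it is never executed.
SAMPLE_HOST = bytes.fromhex("B4 09 BA 08 01 CD 21 C3") + b"Hi$"

# Constructed inert placeholder standing in for the appended body (no real code).
PLACEHOLDER_BODY = b"\x90" * 8 + b"SIMULATED-BODY"


def jmp_target(image: bytes) -> int:
    """File offset the 3-byte stub at offset 0 jumps to.

    Memory address = COM_ORG + file offset for every byte of a .COM, so the
    org cancels: rel16 = target_offset - 3, measured from the byte after the stub.
    """
    if len(image) < 3 or image[0] != JMP_NEAR:
        raise ValueError("no E9 JMP stub at offset 0")
    rel16 = struct.unpack_from("<H", image, 1)[0]
    return (rel16 + 3) & 0xFFFF


def infect_com(host: bytes, body: bytes) -> bytes:
    """Steps 2-5 of the post: save 3 bytes, patch JMP, append body.

    Assumed layout of the appended block: [saved 3 bytes][body], so execution
    begins right after the saved bytes.
    """
    if len(host) < 3:
        raise ValueError("host too small to carry a 3-byte JMP stub")
    if COM_ORG + len(host) + 3 + len(body) > 0x10000:
        raise ValueError("infected image would not fit in the 64 KiB .COM segment")
    saved3 = host[:3]
    entry = len(host) + 3                       # first byte of the body proper
    stub = bytes([JMP_NEAR]) + struct.pack("<H", entry - 3)
    return stub + host[3:] + saved3 + body


def looks_infected(image: bytes, body: bytes) -> bool:
    """Scanner-style check: does the stub's jump land on the known body bytes?"""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return False
    entry = jmp_target(image)
    return image[entry:entry + len(body)] == body


def disinfect_com(image: bytes, body_len: int) -> bytes:
    """Reverse infect_com for a body of known length (steps 6-7, applied to the file).

    The saved three bytes sit just before the jump target; restoring them at
    offset 0 and truncating the appended block gives the original host back.
    """
    entry = jmp_target(image)
    host_len = entry - 3
    if host_len < 3 or len(image) != host_len + 3 + body_len:
        raise ValueError("image does not match the expected infected layout")
    saved3 = image[host_len:entry]
    return saved3 + image[3:host_len]


if __name__ == "__main__":
    infected = infect_com(SAMPLE_HOST, PLACEHOLDER_BODY)
    print(f"host {len(SAMPLE_HOST)} bytes -> infected {len(infected)} bytes, "
          f"stub jumps to file offset {jmp_target(infected):#x}")
    assert disinfect_com(infected, len(PLACEHOLDER_BODY)) == SAMPLE_HOST
```

Applying infect_com to an image that is already infected simply chains a second stub in front of the first, which is why a disinfector that knows only one body length has to be run once per layer and must check that the image length matches the layout before truncating.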
------------------------------

Date: Tue, 04 Oct 94 19:03:56 -0400
From: btknight@ux5.cso.uiuc.edu (knight brian thomas)
Subject: Re: VCL?? (PC)

theoj00@DMI.USherb.CA (JEAN-FRANCOIS THEORET) writes:
>Does anyone know where can be found the VCL (Virus Creation Library)? Should
>we really be alarmed about the emergence of such products?

The VCL was an interesting endeavor but never really got anywhere due to
bad distribution. VCL initially output assembler code based on what the
user thought was necessary/fun/damaging enough/etc., and the user would
assemble the code, put it into an executable, and ship the code off to
unsuspecting users. Problem was, nobody could ever get VCL to expand on
their hard drives. It was ZIP-encrypted with a password first of all,
then the install asked for a password. The install program ALWAYS
invalidated the distribution files and told you to go somewhere else to
get them. Of course, there were no numbers to call or email addresses to
send to, so interested parties were SOL.

Secondly, after analyzing the sample output (which was included in the
ZIP and not in the install archive), I found it to be no different than
any other common viruses or their variants (Stoned, Dark Avenger)... in
many cases the code was nearly identical and any virus program could
have picked that out.

VCL: Good idea, bad execution.

- --
X| Brian T. Knight / "Thunder Force" | UIUC CS undergrad/CMDEP mentor |X
X| btknight@ux5.cso.uiuc.edu         | "It's a new world every day."  |X
X| Finger for PGP v2.3a key          |                 -- Anonymous   |X

------------------------------

Date: Tue, 04 Oct 94 23:23:27 -0400
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Info on "Kampana"? (PC)

dklein@pluto.njcc.com (Dorothy Klein) wrote on 30 Sep 1994:

> Today I was asked to rescue a PC which had seized due to
> F-Prot's VIRSTOP nipping an epidemic in the bud. The grand total so far
> is two floppies and the virstopped hard drive.
> F-Prot version 2.09d
> called it "Kampana Variant A", said it was an MBR infector, and
> disinfected it readily. I greatly suspect the infection route was
> from floppy to hard drive, and not the reverse.

> OK so far. But when I tried to find information on Kampana,
> it wasn't in the virus descriptions accessible from F-Prot.

The virus information in F-Prot is accurate but gives only basic
references to users. I was wondering about good info resources too, but
I CAN'T find anything to recommend to clients or friends (or just for
me when I'm in a hurry).

> The big summary DOC just says that Kampana is detected exactly and
> disinfectable with F-Prot.
> VSUM doesn't list Kampana ANYWHERE -- I did a full search for it.

Don't look for Kampana, look for "Campana".
                                  ^

> So what I'd like to know is, does Kampana play dirty tricks, by
> design or by defect? I've got a very worried, computer-illiterate
> professor who is freaking over the infection.
>
> Any information will be greatly appreciated!

- -----------------------------------------------------------------------------
The Campana Virus:

Name : Campana
Alias: Telefonica, Anti-Telefonica.

This virus is a resident infector of diskette boot records and the hard
disk master boot record. When the PC is booted from an infected hard
disk or diskette, the virus is loaded in memory and reduces it by 1024
bytes. It infects hard drives and drives A and B. After about 400 boots
from an infected hard disk or diskette, the virus writes random data to
the hard disk and displays a message:

    Campana Anti Telefonica.
        ^-------------------------
    Note: This is NOT an "n"; it is the character ALT+164 (ñ).

Translation and explanation:
To English -----------> Anti Telefonica Campaign.
Telefonica is a telephone company in Spain (and now here in Argentina).
This virus was obviously created in Spain.

The virus has semi-stealth capabilities and returns an image of an
uninfected boot record.
- -----------------------------------------------------------------------------

> TIA,
> Dorothy Klein dklein@pluto.njcc.com
> grad student, Microbiology and Molecular Genetics, Rutgers University
> More details, if you're interested...
>
> The infection _might_ have come from Spain, as it was found on some disks
> owned by a new researcher fresh from there.

Yes, see above.

> "Campana" means "bell" in Spanish

Yes, that's true, but it's not the word. See above.

Kind regards
Ruben Arias
- -----------------------------------------------------------------------------
Ruben Mario Arias   |> /| | |> |\ | | |_ |   E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus             Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Tue, 04 Oct 94 23:56:20 -0400
From: jones@cbdb1.nimh.nih.gov (Doug Jones)
Subject: Re: Help Win 32 Bit File Virus? (PC) Lenart??!

Forgive me if this is a faux pas, but this may be worth an "alert".
This virus seems to be spreading across the Washington, DC / Baltimore
area (Howard County Community College, Johns Hopkins University, and
(reportedly) University of Maryland).

This is my first post here. I came trying to find info about "Lenart",
because that is what CPAV reported when it cleaned the hard disk. This
was not, however, in the CPAV virus list (Dec. 1993), nor is it in the
NAV (10/1/94) list. I find from this newsgroup that this is an alias for
CARO's "AntiCMOS". I am unfamiliar with this virus (I've been fortunate;
this is only the third virus I've actually seen in 2 decades of computer
work). In the 3 incidents where I have first-hand knowledge, no damage
had occurred, but the virus seems to have been spread by non-bootable
floppies containing only word processor documents and no executable
files - seems odd (?).
Also, NAV with June 1994 virus definitions failed to detect any
abnormality (run from a write-protected floppy), but CPAV detected
"Lenart" when run from the infected hard disk.

I have a feeling that disabling Windows 32-bit file access is probably
_not_ the intent of the virus; rather I suspect that WDCTRL had
"stumbled" across something unexpected and become confused. Indeed,
disabling 32-bit file access enables Windows to load without complaint,
but, obviously, the virus is still alive and well.

I was called in as a consultant about the Windows load problem, and,
unfortunately, I was too late to get a "specimen" or find out if the
Sept 1994 NAV would detect a problem (CPAV had already cleaned the hard
disk and the floppies).

I have a request, please. Would one of the many skilled and
knowledgeable AV experts who follow this forum pass along more info
about this virus, or what it might be, and what if any damaging
consequences may result from infection? Do you think that CPAV
reporting "Lenart" means it actually is AntiCMOS.B? Would this interfere
with 32-bit file access as described below? (The symptoms I observed
were _exactly_ as described by the writers quoted.)

Hope this gets noticed through the flames - as a newbie to this group, I
realize it's not my place to say, but I've been around a number of
groups, and IMHO you got more than most here, and they are hotter than
most... :)

Thank you very much,
Doug
jones@cbdb1.nimh.nih.gov

*****DIRECT replies strongly encouraged!!!

All opinions etc. strictly my own and not those of my employer.

Gerhard Kluenger writes:
>Subject: Re: Help Win 32 Bit File Virus? (PC)
>Date: 23 Sep 1994 16:01:24 -0000
>: > Help We have been getting an error message when
>: > starting Windows 3.1 about not being able to start 32 Bit File Access.
>: > This machine has been running for 8 months without this message.
>: > It has now jumped to another machine through a bootable diskette.
>I encountered a similar problem, after by accident I had a diskette in my
>A-drive (without system)... the msg:
> "The MS Windows 32-bit disk driver WDCTRL cannot be loaded. There is
>unrecognizable disk software installed on this computer. The address that
>MS-DOS uses to communicate with the hard disk has been changed. Some software,
>such as disk-caching software, changes this address."
>3 days later I noticed that my system clock was back exactly 1 day (1 day
>date delay, time was OK).
>What I wonder is that my IBM-AV (about 8-month-old version) shield didn't
>say anything when I used this diskette the first time to transfer an AMI-PRO
>textfile from a friend. (After this I forgot it in the drive and next time
>powering on I got the troubles described before).

------------------------------

Date: Wed, 05 Oct 94 05:20:26 -0400
From: seanl@harlequin.co.uk (Sean Lange)
Subject: DH2 cleaned - but what would it have done? (PC)

Hi folks,

I have just successfully (I hope) removed the DH2 virus (McAfee SCAN
found it) from my machine. The only noticeable effect was to display
'SW' on the screen when changing screen modes. But my question is - what
would it do if I left it, or was it harmless (it certainly infected just
about every .exe on the machine)?

Thanks
- - sean

------------------------------

Date: Wed, 05 Oct 94 05:52:33 -0400
From: mfoss@sognsvn68.sio.uio.no (Marco Foss)
Subject: Re: Possible undetectable virus?? (PC)

mcafee@netcom.com (McAfee Associates) says:

[Stuff deleted]

>To avoid this in the future, try setting the TEMP variable to a
>`scratch` directory in your AUTOEXEC.BAT file. This tells DOS to put
>temporary files created by file redirection in that directory. For
>example, create a directory named "C:\TEMP" and then add the line
>"SET TEMP=C:\TEMP" to your AUTOEXEC.BAT.
>

Correct me if I'm wrong, but temporary files created by DOS are
redirected with the TMP variable, not TEMP. Windows and a lot of other
programs use the TEMP variable, though.
You may want to include both in your AUTOEXEC.BAT file.

- --+-------------------------+---------------------------------------
Marco Foss                  | Voice: +47 22 18 75 63
PC & Network support        | Fax:   +47 22 18 75 30
SiO IT, OSLO, Norway        | Email: mfoss@sognsvn68.sio.uio.no
- ----------------------------+---------------------------------------

------------------------------

Date: Wed, 05 Oct 94 08:58:20 -0400
From: Bob Bales <74774.1326@CompuServe.COM>
Subject: Re: F-PROT 2.14 is out (PC)

The latest version of F-PROT is always maintained in LIB 4 of the NCSA
forum on CompuServe. Other products that are kept up-to-date include
the McAfee suite, I-MAST, SafetyNet products, TBScan, AVScan and others.
I apologize in advance for any oversights!

NCSA has also started compiling all VIRUS-L digests into a monthly
HyperText database. These are also available in LIB 4 with file names
VL9407.ZIP, 08.zip, 09.zip, etc., with all of the files for the year in
file VL94.ZIP.

NCSAFORUM is also a good source for on-line virus help. The virus
section is moderated by Dicky Ford (Virus Bulletin) and Charles Rutstein
(Price Waterhouse). Other areas in the forum address PC/LAN security,
UNIX/Internet Security, Encryption, EDI, Privacy/Ethics, and more.

To access the NCSA InfoSecurity forum, type GO NCSA at any CompuServe
prompt.
- --
Bob Bales                   | CompuServe InfoSec Forum: GO NCSA
Natl Computer Security Assoc| Phone: 717-258-1816
10 South Courthouse Avenue  | Fax: 717-243-8642
Carlisle, PA 17013          | Email: 74774.1326@compuserve.com

------------------------------

Date: Wed, 05 Oct 94 09:47:07 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: symptoms: Insufficient mem to shell to DOS (PC)

alan@newsserver.trl.OZ.AU (Alan Christiansen) writes:

>I realise asking a question here is a bit premature as the fault could
>be anything, but I have some important data in that box and important
>work to do on it and this symptom has just kind of appeared out of
>nowhere, and I have no idea how I could have messed up my system to
>give it these symptoms, so I am a little worried something else may
>have messed up my system.
>
>Symptoms:
>
>I have a 486 with 16M of RAM. I am running Windows 3.1 in enhanced
>386 mode, I have 13566K of swap file, I have sufficient resources to
>run lots of Windows apps, I have > 570K of conventional memory free
>before going into Windows, BUT......
>
>If I try to run COMMAND.COM, Windows says insufficient memory, try
>closing some Windows apps and try again. There are however no Windows
>apps running!
>
>So how did I wreck the system? (i.e. what silly thing did I do?)
>I have no idea.
>
>Does anybody have any idea how this can happen to a system?
>
>i.e. Is there a virus that can have this side effect?
>
>Alan (the totally perplexed.)
>
>- --
>#include
>My employer may or may not agree with anything I say.
>I may or may not agree with anything I say.
>etc ... (nil bastardo carborundum)
>
>

Try looking at how much memory you're allowing for DOS windows. In the
Control Panel, you will see time slice, in the 386 Enhanced area. Also
look at your SYSTEM.INI for INT 28 Critical settings. I suggest that you
get a program like WinCheckIt.

-Zep-

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 84]
*****************************************