VIRUS-L Digest   Wednesday, 19 Oct 1994    Volume 7 : Issue 86

Today's Topics:

    Re: How does one become a "respectable" researcher?
    [Technical] Where can I find detailed tech info on viruses?
    Researching Viruses.... (and Netcom)
    Need Info... Anyone help Please
    Re: GOOD vs. BAD HUH?
    Re: MBR Virus and OS/2 with HPFS (OS/2)
    Re: VGA Mode scan -> Blow a monitor? (fwd) (PC)
    Virus Info Request - DOOM II (PC)
    trust which anti-virus? (PC)
    Re: Whisper Virus question (PC)
    Anti CMOS virus - help! (PC)
    New Virus or Scandisk Problem? - (PC)
    AV Kit comparison texts? (PC)
    Re: Honecker ??? (PC) (Help needed)
    Help I have contracted Taipan (PC)
    Destructive Unknown Virus (PC)
    Stealt_boot.C (PC)
    _need_ to trigger virus checker (PC)
    Re: Opinions on Intel LanProtect Antivirus (PC)
    New Virus? "qbasic.exe infected by &^@#@%)_ virus" (PC)
    Help! How to get rid of BFD virus? (PC)
    Boot sector virus won't die (PC)
    GenB Virii (PC)
    Need help with Innoc.zip (PC)
    F-Prot under windows (PC)
    Stoned.Angelina (PC)
    Re: How to Remove a swiss virus from the partition table? (PC)
    Re: .EXE infection: How is it possible? (PC)
    Re: Can a master boot record be repaired? (PC)
    Filler and Anti-Tel Viruses (PC)
    Yale Virus questions (PC)
    Re: Floppy boot sector replacement (PC)
    Re: Filler and Anti-Tel Viruses (PC)
    virus - can't happen to me (PC)
    STELBOO (PC)
    Is this virus/trojan? (PC)
    Re: VIRUS INFECTION - (PC)
    What is UX.7264? (PC)
    BSVs and F-PROT/VIRSTOP ( (PC)
    unknown virus (PC)
    RE: Goldbug virus (PC)
    Gene virus (PC)
    HELP! My PC seems to be infected. (PC)
    invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)
    i_m231.zip - Integrity Master 2.31 antivirus/data integrity (PC)
    On the occasion of receiving the first advance copy of my new book

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed.
Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 08 Oct 94 07:52:12 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: How does one become a "respectable" researcher?

As I wrote in another note (which has not appeared yet - for some strange reason there is a two-week delay of comp.virus postings), I have for the time being mostly stopped posting to comp.virus, but I just *had* to respond to this one.

dnikuya@netcom.com (dave nikuya) writes:

>Can there be no middle ground, where a responsible entity can make
>viruses available to adults willing to identify themselves and sign
>a statement promising responsible use, to remain on file?

Sure there can, provided that certain requirements are met. I regularly get requests for virus samples from people I do not know. I usually reply with a description of my requirements...and in practice I almost never hear again from those persons.

My requirements:

1) The person must be able to demonstrate a real *need* for virus samples. This is easy for those producing anti-virus products, but may be somewhat difficult for others. "I just want to learn more about viruses", or "I want to test some anti-virus products to decide which ones to buy" does not qualify. In the first case there are some very good books around ...
you don't really need viruses to learn about them and in the second case I recommend looking at a good independent test... doing a full-scale test is, after all, not something anybody can do in a few days.

2) The person must be able to safeguard those viruses, and be 100% responsible for any distribution from them. I would not send viruses to anybody who would have to obey orders from his superiors to give them to a third party.

3) If the viruses are requested by somebody in a university/company, I ask for a statement in writing from the head of the department, that the virus use is indeed authorized.

>The real danger I see is that many people who are interested in
>learning about viruses will have no legal way to do it.

To begin with, you don't need virus samples to learn about viruses. It is possible to become accepted in the anti-virus field, without ever analysing a single virus. If anybody is interested, I could produce a list of subjects that anybody could write a paper on, with a good chance of getting it accepted at one of the virus-related conferences....making the author much more likely to be accepted by the anti-virus community.

>are interested in AV activities, but who have not established
>themselves as members of this community. For example, Vesselin's
>statement regarding Ludwig's CD-ROM: "most respectable anti-virus
>researchers refuse to even take a look at it." Well, I bought it, and
>I also subscribe to his newsletter.

In other words, you are helping finance his activities. I have not seen this CD-ROM myself. I am refusing to buy it (I do not want to help him in his activities, which I consider highly unethical), I will not make a copy of it (that would be a copyright violation), but still I have a certain need for it ... people are going to expect my anti-virus product to detect the viruses on that CD-ROM....a serious dilemma.

>It is not at all clear to me how an outsider becomes an insider in the
>AV community.
>Must one work for a Fortune 500 company, or at a major
>university?

No, not at all.....one starts by demonstrating that (a) one has the required skills and (b) is trustworthy.

>Is there some professional organization that I can join which
>will allow me access to the virus libraries even though I am not a
>Ph.D.?

No. However, let me ask you a question. You said you had bought the CD-ROM ... fine, that means that you now have a bunch of viruses...maybe not quite as many as some other people, but at least you qualify as a "virus collector" :-) Now, how do you plan to use this to do any *virus research* that would get you accepted into the community?

>merit. However, it seems that many of the insiders are setting up
>criteria that will guarantee that outsiders remain so indefinitely.

Not indefinitely, but people have to be serious about what they do to be accepted by the "insiders", including myself.

Let me sum up my opinion as follows:

"Having a large virus collection is neither sufficient nor required to be considered a virus researcher"

- -frisk

------------------------------

Date: Tue, 11 Oct 94 09:56:31 -0400
From: "E.J. Draper"
Subject: [Technical] Where can I find detailed tech info on viruses?

I'm looking for background information and technical details of virus (or pseudo virus) algorithms.

Thanks

------------------------------

Date: Tue, 11 Oct 94 00:50:33 +0000
From: ccarroll@atlas.otago.ac.nz (ccarroll)
Subject: Researching Viruses.... (and Netcom)

For two or so years I have been reading this group (on and off), because of my interest in viruses. Finally I have found the code of an old virus (marauder). I have since disassembled that virus, and commented it myself the best I can. According to F-PROT 2.14 this is a very simple and common virus, yet it took me two years to find it.
I am quite interested in researching viruses (for want of a better phrase), yet I am unable to find any code, or even any examples because the powers that be have decided the code should be restricted only to respected researchers.

How do I get to be regarded as a respected researcher? Disassemble viruses, and let people know how to protect themselves.

How do I get to have a look at these viruses? Become a respected researcher!

It is a no win, catch 22 situation for people like me. In situations like at Netcom, beginners, and novices like myself are be allowed to find out how viruses work, what they do, and how to protect against them. I know there are a few malicious people out there who will be using this code for the wrong purpose, but why should the rest be forced to use underhand (possibly illegal in some cases) tactics to get code.

Well that is the end of my moan for the day (and the year), so if there is someone out there who feels that they can trust me enough: Can you tell me where to get the virus code from NETCOM!? (please)

Regards,
Chris Carroll
ccarroll@atlas.otago.ac.nz
University of Otago, Dunedin, New Zealand.

------------------------------

Date: Wed, 12 Oct 94 10:43:14 -0400
From: jacdr94@octarine.cc.adfa.oz.au (JACKSON DAVID REID)
Subject: Need Info... Anyone help Please

Hello,

I'm new to this group, but I am very interested in the operation of computer virus. I was wondering if anyone knows where further readings are available concerning the development, coding, operation, variants (especially morphing virus). Please post or email any information available.

Thanks In Advance
Dave.

===============================================================================
c/- 22Div   David Jackson   LIFE IS TOO SHORT TO DRINK CHEAP BEER
Australian Defence Force Academy
Northcott Drv.   email :- Jacdr94@octarine.adfa.oz.au
Australia. ACT 2601.
===============================================================================

------------------------------

Date: Wed, 12 Oct 94 15:40:30 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: GOOD vs. BAD HUH?

> one does have to invite KOH to install itself. to get it to set itself up
> on your hard drive, you have to first install it on a floppy disk and then
> boot using that floppy. it then asks you if you want it to install. its
> pretty hard to do this by accident.

I said No. It installed anyway. Then it trashed a floppy without asking permission. Not nice..

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas        Lead, Follow,       35  InterNet: iandoug@cybernet.za
P.O. Box 484       or get out of     1,73  FidoNet:  5:7102/119
7532 Sanlamhof     the way.            57  TopNet:   225:2048/1
South Africa       (Ted Turner, CNN) INTX  PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 09 Oct 94 16:00:40 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: MBR Virus and OS/2 with HPFS (OS/2)

David M. Chess (chess@watson.ibm.com) wrote:
> > From: tnmanego@rrws1.wiwi.uni-regensburg.de (Thorsten Manegold)
> >I'd like to know what a Boot Sector/MBR Virus (like PARITY-B) can do
> >under OS/2 especially if the HD is formatted with HPFS. Does it get
> >activated when OS/2 starts via the Boot Manager? ...

Interesting answer you gave..

I have obtained OS/2 2.99 beta (talk about buggy software :-) ) and have (painfully (twice)) installed it on my PC. I am using boot manager to choose between dos and os/2. Now bootmanager replaced my previous MBR, which was put there by ThunderByte, as a form of protection against MBR infectors. I intend installing Hendrik Stroems MBR checker now.

What exactly does boot manager do to the MBR, as when I ran PCTools Diskfix (v6) it bitched that the partition info was wrong/corrupted etc and may give problems.
Lastly, and slightly off topic, why does bootmanager need 2 Meg disk space?

Thanks :-)

Cheers, Ian

- --
- -----------------------------------------------------------------------------
Ian Douglas        Lead, Follow,       35  InterNet: iandoug@cybernet.za
P.O. Box 484       or get out of     1,73  FidoNet:  5:7102/119
7532 Sanlamhof     the way.            57  TopNet:   225:2048/1
South Africa       (Ted Turner, CNN) INTB  PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Sun, 09 Oct 94 08:29:59 -0400
From: Iolo Davidson
Subject: Re: VGA Mode scan -> Blow a monitor? (fwd) (PC)

There was an exchange here recently about the possibility of viruses damaging hardware. The below is the first report I have ever seen which came first hand from someone who has actually experienced this. He has also determined the (reproducible) cause.

- --------------------------------- cut here -----------------------------
From: sde0015@tu-harburg.d400.de (Joern Sierwald)
Newsgroups: comp.os.msdos.programmer
Subject: Re: VGA Mode scan -> Blow a monitor?
Date: 7 Oct 1994 13:43:43 GMT
Organization: Technische Universitaet Hamburg-Harburg, Germany
Reply-To: Sierwald@tu-harburg.d400.de

In article <781466133snz@mist.demon.co.uk>, iolo@mist.demon.co.uk (Iolo Davidson) writes:
|> In article <36u9gv$8t9@goanna.cs.rmit.oz.au>
|> darren@arcadia.cs.rmit.EDU.AU "darren mcrostie" writes:
|>
|> > Many people have told me that this could cause damage to monitors
|> > without any protection circuitry. Is this so? What experiences
|> > have people had with this? Is it just an old programmers tale?
|>
|> It is probably a myth. If it ever wasn't a myth, then the
|> monitors which could be damaged this way are now obsolete. This
|> story crops up occasionally in comp.virus, but never as a first
|> hand experience.

I have a first hand experience. I got a 64kHz Monitor and an ET4000W32i VGA Card two months ago.
The Monitor is damaged (a power transistor in the horizontal amplifier is being destroyed) every time the program dmode.exe is run. This program apparently switches through the VGA modes before displaying a menu, and the 1280x1024/60Hz resolution destroys the monitor. You might say "But 1280x1024/60Hz should be possible on a 64KHz Monitor", but the docu says no.

The Monitor is a cheap Chinese one, the name doesn't matter here.

Joern Sierwald
- --------------------------------- cut here -----------------------------

------------------------------

Date: Sun, 09 Oct 94 20:55:57 -0400
From: nisk115%albnyvms.BITNET@uacsc2.albany.edu
Subject: Virus Info Request - DOOM II (PC)

covered, but I need this information badly. Where I work, a pirated copy of DOOM II was installed and within a couple days, the Windows directories of 5 machines had been trashed. I began to hear rumors of a DOOM II virus and then today, read a note of someone describing the exact same problem I had with the Windows directory. This "virus" (I don't know if it is a virus or not) seems to only affect certain computers as other computers that have DOOM II installed have not had any problems yet. I'm really at a loss as I have tried scanning with Norton Antivirus 3.0 (with newest def's), McAfee's SCAN, and F-Prot 2.14...none of which reported a virus.

Does anyone know of any info on this "virus"? Specifically I would like to know if there is any Anti-Virus software that can detect/repair it.

Thanks in advance...

------------------------------

Date: Sun, 09 Oct 94 23:56:36 -0400
From: engp3002@leonis.nus.sg (Wu Hu)
Subject: trust which anti-virus? (PC)

Hello, friends

I used both F-Prot and McAfee virus scanning software got from their ftp sites. The problem was that when I use McAfee scan (version 117) my hard disk, no virus was found, but for F-Prot scan (version 2.14), the message for Master Boot Sector was 'Possibly a new variant of AntiCMOS'. Which one is correct?

Thanks in advance.
Wu Hu

------------------------------

Date: Mon, 10 Oct 94 01:05:25 -0400
From: John Brack
Subject: Re: Whisper Virus question (PC)

Hi, in the last week I've discovered 5 of my files were infected by the WHISper virus. I have NOT found a cleaner to remove them. I had to delete the files and restore from floppy.

------------------------------

Date: Mon, 10 Oct 94 02:03:11 -0400
From: Simon_Cheung@kcbbs.gen.nz (Simon Cheung)
Subject: Anti CMOS virus - help! (PC)

Scan V.2.1.1. had found the "Anti CMOS" virus on one of my systems. While Scan is able to identify the problem, it couldn't remove it as yet. As far as I have learned from Scan, this infects the master boot record of the system.

Does anyone know more about what harm this virus could do, and more importantly, how to remove it? I really want to hear from you. Any help greatly appreciated!

S.C.

------------------------------

Date: Mon, 10 Oct 94 06:01:52 -0400
From: Johnson_B.MARL@rx.xerox.com
Subject: New Virus or Scandisk Problem? - (PC)

Unfortunately this information is second hand but I can get hold of "infected" file(s) if necessary. The information I have is the virus is identified as FORM by Norton and Microsoft antivirus (not my choice). The infected files included config.sys, multiplan files, windows, wordperfect for windows. Unfortunately Scandisk was run on the hard drive before the scans were done. The infected files were all 536Megs in size (not exact size) and the names had been changed to alternating upper and lower case letters. Because of the size of these files they could not be deleted so the solution taken was to format the hard drive, for better or for worse. This infection had spread to three different PCs and a few floppies.

Although this information is sketchy and second hand I have a few questions:

- Is there a new destructive variety of FORM which is a file infector as well as a boot sector infector or did Scandisk create the mess?
- I guess there is also a possibility that the PCs had multiple infections, something I have been coming across more frequently lately.
- Is there a way around the delete problem, something I was not previously aware of. Booting with a clean diskette containing clean config.sys, etc. apparently could not overcome this problem as the operating system cannot delete a file of this size.
- The anti-virus software could not remove the infected files.

Any information greatly appreciated.

Regards,
Brian

------------------------------

Date: Mon, 10 Oct 94 06:22:47 -0400
From: gabriel@werple.apana.org.au (gabriel white)
Subject: AV Kit comparison texts? (PC)

G'day peoples,

I was wondering if there are any other AV package comparisons of note other than the one ICARO puts out?

thanks,
gabriel

- --
"Information wants to buy fleas!"                            .oooO
"Nah, it doesn't sound right"                                (   )
gabriel@werple.apana.org.au   "Stuff this. Let's get lunch"   \ (
"Okay"                                                         \_)
..now I've put my foot in it

------------------------------

Date: Mon, 10 Oct 94 10:53:20 -0400
From: thiessen@iee.et.tu-dresden.de (Thilo Thiessenhusen)
Subject: Re: Honecker ??? (PC) (Help needed)

A friend got Honecker. She said it will show a portrait of Honecker and play the East German national song. autoexec.bat and config.sys disappear.

Does someone know a cure?

Thilo

------------------------------

Date: Mon, 10 Oct 94 13:54:10 -0400
From: au869@freenet.carleton.ca (Alex Chesser)
Subject: Help I have contracted Taipan (PC)

Hi, I have contracted the taipan virus and was wondering if there is a place where I can find FAQ's and other info on what this specific virus does ... does anyone here know?

Please send responses via e-mail

- --
o o o o o o o o o o o o o o o o o o o o o o o o o o o

------------------------------

Date: Mon, 10 Oct 94 14:46:41 -0400
From: garcia@bkfsu1.sedalia.sinet.slb.com (Geoframe User)
Subject: Destructive Unknown Virus (PC)

A friend of mine runs a computer repair business here in Bakersfield.
He tells me that he has seen the fallout of a new virus (or maybe trojan, I suppose) that has hit several of his customers. He's never seen the virus itself, only the results.

Apparently the virus trashes the boot sector and writes lowercase "z"s in the volume label. This means he can't get to it with FDISK, since you need to type in the volume label as a safety feature.

Because the disks he's seen have been inaccessible, he has no way of knowing which virus might be doing this, but he's seen it on several different computers.

Anybody recognize these symptoms? What virus should we be looking for?

- --
Steve Garcia
garcia@bakersfield.geoquest.slb.com

------------------------------

Date: Mon, 10 Oct 94 19:03:09 -0400
From: yury@casbah.acns.nwu.edu (Yury Krongauz)
Subject: Stealt_boot.C (PC)

Hi,

I had some diskettes diagnosed to have Stealt_boot.C by f-prot. I cleaned and reformatted all the diskettes except one, but the virus was not found on the hard drive (using msav, f-prot). Could you please give me some advice of what steps I should take to make sure that everything is ok and hard drive is really clean. Also, I understood that it's a bsv virus. How does it work, and what are the symptoms - any help would be greatly appreciated.

Yury Krongauz

------------------------------

Date: Mon, 10 Oct 94 19:50:27 -0400
From: Iolo Davidson
Subject: _need_ to trigger virus checker (PC)

elyja@kocrsv01.delcoelect.com "Jeff Ely" writes:

> So that's my case for needing a trigger for anti-virus products -
> and as I said, the ideal place for that to come from would be the
> writer of the anti-virus package. But if they don't provide it,
> that kind of leaves me in the cold. So - is there any help for
> me? If not, I'd at least hope that some anti-virus product
> makers would recognize this need (I understand that some of them
> do provide something like this).

Yes. Dr. Solomon's comes with information about how to make "installation test" materials in both file and disk form.
These will cause the scanner and resident scanner to issue a report of a "test" being found, thereby allowing you to test reporting facilities.

The test materials are not actually provided on disk, because they can cause confusion when people are not expecting them. Since you must make them yourself (with an editor) you only get the "test" report when you are expecting it.

I believe FProt has a similar facility.

- --
SINCE HUBBY       HE'S 1/3 MAN
TRIED             AND 2/3 BRUTE
THAT SUBSTITUTE   Burma Shave

------------------------------

Date: Mon, 10 Oct 94 19:50:36 -0400
From: Iolo Davidson
Subject: Re: Opinions on Intel LanProtect Antivirus (PC)

grettir@keflavik.wordperfect.com "Grettir Asmundarson" writes:

> Does anyone have any opinions about Intel's LanProtect Antivirus. There
> is a push to make LanProtect the anti-virus standard at my place of work.
> I'm not familiar with Intel's product. I am familiar with most other
> virus protection software packages, and would love to see us go with
> Net-Prot and F-Prot Professional, but I need some ammunition before I
> start bucking the system.

Virus Bulletin (October) just did a comparison review of NLM anti-virus products. Intel and Net-Prot achieved very similar high marks except for polymorphic detection, where out of 600 samples Intel found 27 and Net-Prot found 462.

- --
SINCE HUBBY       HE'S 1/3 MAN
TRIED             AND 2/3 BRUTE
THAT SUBSTITUTE   Burma Shave

------------------------------

Date: Mon, 10 Oct 94 20:09:57 -0400
From: mjs@eskimo.com (Mark Sullivan)
Subject: New Virus? "qbasic.exe infected by &^@#@%)_ virus" (PC)

I don't know if this is a virus or some unexplained glitch in my machine.

I run MS-DOS 6.2. I have F-prot 2.13a with VIRSTOP installed in memory from the config.sys file.

I wanted to verify the syntax of a DOS command, so I attempted to use the "help" command.
After much garbage on the screen and a lot of beeping, I got the return message: "unable to locate QBASIC.EXE"

I had accessed the help function of DOS earlier in the day, and thought this was odd. I switched to the c:\dos directory, and qbasic.exe was there. I ran help again. This time I got a different set of garbage and beeping, but it ended with the word "virus".

I ran help again, with pause, to try to read the garbage as it flew by. It stated: "QBASIC.EXE is infected with the [bunch of garbage for several lines] virus." [The garbage was a bunch of nonsense - words in diagonal lines, ASCII symbols, etc.]

I ran F-prot 2.13a, scan only, from the hard disk, but it did not report any infection.

I again ran the DOS "help" command, and got the same result, BUT WITH A DIFFERENT SET OF GARBAGE. [The garbage was a bunch of words d o u b l e  s p a c e d  l i k e  t h i s, written on every other line. It looked similar to computer code, i.e., "go to the Re: line, print first page, etc." I'm sorry, but I can't remember the exact words. Also, a bunch of ASCII symbols were mixed in.]

I then ran MSAV, detect only, which reported a change of two months ago to my CONFIG.SYS file. I stopped MSAV to look at config.sys. All seemed in order in that file, except that the last line is:

SHELL=C:\DOS\COMMAND.COM C:\DOS /p

I don't remember making that change. I also don't know why this line is in the config.sys file, as command.com is also in the root directory, and there is no reason to go to c:\dos to access it.

I ran the "help" command again, and got the same result, BUT WITH A THIRD SET OF GARBAGE. [The garbage this third time appeared to be a list of various directories on my hard disk, in all caps, interspaced with ASCII codes and symbols, but also including words such as "AUTOEXECBATCH FILE" and other such words that could not have been directory names.]

I checked the qbasic.exe file, and noted that its date and time stamp was the same as other DOS files (3-10-93 6:00 a.m.)
and the file size is 194,309.

I then scanned c:\dos\qbasic.exe only with F-prot 2.13a. Again a negative report.

I then ran MSAV on the entire disk, telling it to continue past the config.sys alert. No other alerts were given (other than a false positive that it ALWAYS reports on my communication program log file, which I have learned to overlook).

I then ran the "help" command a fourth time, and this time, all worked properly. No symptoms of a virus at all.

I subsequently ran F-prot 2.13a from a write-protected floppy, on the entire hard disk, both secure scan and heuristic scan, and also found nothing. Same report as running it from the hard disk.

A couple of questions:

1. Do I have a virus? Why do I get negative reports from F-prot and MSAV? The only "report" of a virus comes from running a DOS command to access the file itself. Is this some built in "report" of DOS if there is some memory glitch or other access problem, or is this report coming from Virstop? If so, why did running F-prot itself in scan mode not detect a virus?

2. Why did this show up, then go away, without any work on my part? I only ran scans, never a disinfect.

3. What should I do about all this? Is this just some strange aberration, or is there some stealth virus lurking about on my system?

I noticed earlier today that F-prot 2.14 is now out. I will download that and see if I can detect anything. But one question: If my machine is infected, won't downloading to it potentially corrupt F-prot 2.14?

Any help will be appreciated. All seems to be working now, but this was very strange behavior. I've been using MS-DOS 6.2 for 6 months now, with no problems. I'm baffled, and a little concerned about rebooting at this time.

Mark Sullivan
mjs@eskimo.com

------------------------------

Date: Tue, 11 Oct 94 01:34:43 +0000
From: hassan@isl.mei.co.jp (Toorabally Hassan)
Subject: Help! How to get rid of BFD virus? (PC)

Hi.
My PC at work as well as the one I have at home seems to be infected with the BFD virus. I had been using a year old version of Norton Anti-Virus protection however it did not detect this virus. However the Anti-virus program packaged with IBM-PC DOS 6.0 (IBMAVD.EXE) as well as the one packaged with MS-DOS 6.2 (MSAV.EXE) both reported it when I ran these. It seems to affect *.EXE and *.COM files.

However although these AV programs were able to detect the virus, I can't disinfect the infected files using them. The most that MSAV does is to rename the files. I renamed the infected files, and then for all the infected files I re-installed them from the original MS-DOS6.2 diskettes (expanding them). After re-installing the size of the files I reinstalled matches the size of the ones that were infected, although I think the infected files should be 449 bytes longer as the BFD virus signature is 449 bytes long. After deleting the infected files I once again ran MSAV and again it says the new files that I re-installed were infected.

Does anyone know of a way to get rid of this VIRUS?

Thanks

BTW one of the programs that MSAV says is infected is the mem command. (mem.exe) However I have been using this command quite a lot without any problem. Another file that is infected happens to be SETVER.EXE. When I load this in my config.sys, my PC hangs after executing it when booting.

- ------------------------------------------------------------------------------------
Hassan Toorabally
Matsushita Electric Industrial Co. Ltd.
Osaka Japan.
Tel:06-906-4929 E-Mail:hassan@isl.mei.co.jp

------------------------------

Date: Mon, 10 Oct 94 22:06:00 -0400
From: tvilla@uniwa.uwa.edu.au (Tim Villa)
Subject: Boot sector virus won't die (PC)

F-Prot's "virstop" TSR is telling me I have an infected boot sector. I have repeatedly re-installed DOS hoping to overwrite this and the f-prot.exe is telling me the disk is clean. However, the TSR still reports the virus being there.
No name is reported and there are no symptoms that I am aware of. The thing is very contagious though!

Any ideas on what I might do short of reformatting?

Tim

- --
- --------------------------------------------------------------------------------
Tim Villa   YTTP 15:27   tvilla@uniwa.uwa.edu.au
Computer Support, Dept of Civil Engineering, The University of Western Australia
- --------------------------------------------------------------------------------

------------------------------

Date: Tue, 11 Oct 94 01:15:14 -0400
From: st46v@rosie.uh.edu (Lynch, Scott A.)
Subject: GenB Virii (PC)

Question : How would you 'extract' (for lack of a better word) a GenB virus from a floppy safely? (i.e. to a ZIP file or something)

Would using something like Teledisk do it? (just thought of that.. )

Please respond via e-mail.

------------------------------

Date: Tue, 11 Oct 94 01:47:03 -0400
From: med10038@leonis.nus.sg (LEE TERH LOON)
Subject: Need help with Innoc.zip (PC)

I tried "innoculating" my 3.5" disks with an anti-virus programme in innoc.zip. I am now unable to access all my valuable info on these disks!! :(

Will someone PLEASE help me?!!

------------------------------

Date: Tue, 11 Oct 94 12:50:35 -0400
From: Jeffrey Rice
Subject: F-Prot under windows (PC)

Can anyone tell me what Virstop's virus-detection message looks like under Windows? I haven't been running Windows much, and the only times Virstop has caught viruses I've been in DOS. Any info would be appreciated.

/--------------------------------------------------------------------------\
| Jeffrey Rice          | "The man who ...is not moved by concord of sweet |
| Pomona College        | sounds is fit for treasons, stratagems, and      |
| Claremont, California | spoils. Let no such man be trusted."
-WS |
\--------------------------------------------------------------------------/

------------------------------

Date: Tue, 11 Oct 94 12:55:48 -0400
From: k3007e1@cxmeta.edvz.uni-linz.ac.at (Siegfried Huber)
Subject: Stoned.Angelina (PC)

Has anybody ever encountered Stoned.Angelina?? How do I remove it? Seems to be a newer version of other Stoned-viruses. MSAV, CPAV haven't worked on it yet.

Sigi

------------------------------

Date: Tue, 11 Oct 94 14:47:10 -0400
From: c-cook@ux5.cso.uiuc.edu (cook cornelius john)
Subject: Re: How to Remove a swiss virus from the partition table? (PC)

Tony Castillo wrote:
> No, I'm not having a good day... Just want to ask everyone on how
>I can remove a swiss virus from the Partition table without low level

If you're not using any special partition code, you can just run fdisk /mbr to replace your master partition code. I would suggest downloading a virus protection program known as thunderbyte. They have virus-detecting partition code.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Cornelius "Case" Cook   c-cook@ux5.cso.uiuc.edu   cocook@nyx.cs.du.edu
I speak for nobody but myself and my pet frog.
"The devils of truth steal the souls of the free." - ]\[ i ]/[   DASA

------------------------------

Date: Tue, 11 Oct 94 14:52:10 -0400
From: c-cook@ux5.cso.uiuc.edu (cook cornelius john)
Subject: Re: .EXE infection: How is it possible? (PC)

Diego Montanez wrote:
> I have a question: how does a virus manage to attach itself to
> an executable file (.COM, .EXE) and still the executable can
> be run (of course, after the viral code has been executed)?

The easiest way to show this is with the COM files (they're simpler). The 'standard' com infector will replace the first few bytes of a com file with a jump command. It will jump to the end of the com file (the code it's added on at the end) and run the virus code.
Then it will replace the first few bytes to whatever they were before
the com was infected, and jump back to the beginning of the com file
(in memory) and run just like nothing ever happened.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Cornelius "Case" Cook   c-cook@ux5.cso.uiuc.edu   cocook@nyx.cs.du.edu
I speak for nobody but myself and my pet frog.
"The devils of truth steal the souls of the free." - ]\[ i ]/[ DASA

------------------------------

Date: Tue, 11 Oct 94 16:14:37 -0400
From: c-cook@ux5.cso.uiuc.edu (cook cornelius john)
Subject: Re: Can a master boot record be repaired? (PC)

Peter Kauffner wrote:
>PC has had in the last several months is JPG and GIF files downloaded off of
>Usenet. Is this a possible source of infection?

The only ways you can get infected with virii is through CODE. Gif and
Jpg files are data, read by displayers. Boot sectors, Exe, Com, Ovr,
Sys, and partition sectors are the things that virii can infect.
However, if I'm wrong, someone please correct me, because I'd love to
know what other sources are.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Cornelius "Case" Cook   c-cook@ux5.cso.uiuc.edu   cocook@nyx.cs.du.edu
I speak for nobody but myself and my pet frog.
"The devils of truth steal the souls of the free." - ]\[ i ]/[ DASA

------------------------------

Date: Tue, 11 Oct 94 16:36:43 -0400
From: Iolo Davidson
Subject: Filler and Anti-Tel Viruses (PC)

dmbarley@midway.uchicago.edu "David M. Barley" writes:

> I recently had a machine and several installation disks die
> because of a virus. First, msav detected the ani-tel virus and then it
> dies. Then, I boot off of a clean disk and run scan. Scan sees nothing
> and tells me my disks is clean. Finally, I reboot from my hd and run
> everything again. Msav sees nothing, and scan tells me I have the filler
> virus in memory and to reboot and scan again. When I do, nothing is
> detected...What should I do...

Stop using MSAV.
--
SINCE HUBBY           HE'S 1/3 MAN
TRIED                 AND 2/3 BRUTE
THAT SUBSTITUTE       Burma Shave

------------------------------

Date: Tue, 11 Oct 94 16:36:50 -0400
From: Iolo Davidson
Subject: Yale Virus questions (PC)

ah861@Freenet.HSC.Colorado.EDU "Ken Elliott" writes:

> Several times in the last few months I have gotten
> a flash: "Yale Boot Virus" when I have taken one of
> my disks to a nearby Kinko copy shop computer....
> I read a little about the Yale in a book and it says
> it actually goes to the ROM and lodges there and
> is activated only when one uses the Control AlT
> Delete key sequence as in resetting..

Destroy that book.

> any suggestions on what to do about this without
> costing a fortune?

Get some anti-virus software. FProt is free for personal use.

--
SINCE HUBBY           HE'S 1/3 MAN
TRIED                 AND 2/3 BRUTE
THAT SUBSTITUTE       Burma Shave

------------------------------

Date: Tue, 11 Oct 94 22:48:31 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Floppy boot sector replacement (PC)

wrote:

[stuff deleted]

) I wrote such a utility in Turbo Assembler not too long ago. I
)formatted two diskettes (high and low density) with dos 6, used debug to
)dump the hex values to a text file for each, and declared them as
)variables in the source code to the program. The program itself consists
)mainly of an int 13 read to see if the diskette is high or low density,
)and then a write for the corresponding boot sector image memory. I tried
)it out on both bootable and non-bootable diskettes. Interestingly
)enough, it cleaned the boot sector virus I was playing with (QRry/Essex)
)fine, and furthermore did not change a bootable disk to non-bootable or
)vice versa. It seems there is no difference in the actual boot sector of
)a bootable disk versus a non-bootable disk, rather it seems the
)difference lies in the existence of the system files (typically io.sys
)and msdos.sys).
)Note that this program was done for a rather specific
)purpose, and is not really meant to work with DOS 2.0 or DRDOS or
)anything like that. Also, I have not made it public domain or
)copyrighted it or anything...anyone know how to go about doing this,
)incidentally? :)
) Bill

Sorry, Bill. What you did is neither sufficient nor legal.

You effectively stole someone else's boot block. So much for legality.

While it is true that the differences in bootable/non-bootable floppy
discs is indeed -not- the boot block, there are -different- boot blocks
around, and they are not interchangeable. The system files (usually
named things like IO.SYS and MSDOS.SYS or IBMBIO.COM and IBMDOS.COM)
names are embedded in the boot block. So for a bootable disc, you have
to know the names of the files used by the OEM supplier of the specific
version of MSDOS. So much for sufficiency.

Another problem with it is that the volume ID and serial numbers for
all of your "repaired" discs will be the same in the boot block, and
the volume ID probably will not match any which may be in the root
directory. Not a good thing.

It is far better to find the original boot block on the diskette and
copy it back where it belongs. This restores everything (except for the
overwritten sector containing the saved copy of the boot block) back to
its original state.

Nice try, though.

Mike

----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 12 Oct 94 01:07:52 -0400
From: h9218757@hkuxa.hku.hk (Alan K.L. Wong)
Subject: Re: Filler and Anti-Tel Viruses (PC)

David M. Barley (dmbarley@midway.uchicago.edu) wrote:
: I recently had a machine and several installation disks die
: because of a virus. First, msav detected the ani-tel virus and then it
: dies. Then, I boot off of a clean disk and run scan. Scan sees nothing
: and tells me my disks is clean. Finally, I reboot from my hd and run
: everything again.
: Msav sees nothing, and scan tells me I have the filler
: virus in memory and to reboot and scan again. When I do, nothing is
: detected...What should I do...

I have the same problem with Filler. It really puzzles me a lot and the
comp.virus FAQ gives me no idea of what I can do. Would any computer
experts out there kindly help me solve the problem?

-------------------------------------------------------------
Alan the Prostist                               > <   ALL RIGHTS
Professional Diplomat, Minesweeper & Dreamer     U     RESERVED
-------------------------------------------------------------

------------------------------

Date: Sat, 08 Oct 94 22:42:18 -0400
From: GEORGE ALLEN
Subject: virus - can't happen to me (PC)

We were experiencing an extremely large number of floppy disk failures.
Sending boxes to 3m for replacement, receiving boxes back. Did not have
virus detection enabled. Floppy disks were unreliable, most had 1024
bytes bad.

Enable virus detection under DOS. Found the "form" virus. Cleaned the
hard disk and floppies. No problems since.

Yes it can happen to you!

George
cavebat@delphi.com

------------------------------

From: hoenie@radlab.ucsf.EDU (Hoenie Luk)
Subject: Is this virus/trojan? (PC)

Hi all:

About three weeks ago, I was checking out some files downloaded from a
BBS and all of a sudden, the computer hung. So I simply reboot the
computer and did the procedure again. But the computer hung at the same
spot. After that, I found many strange things about my computer,
including:

1. Many TSRs that load high would load low now (I use Netroom 3).
2. When trying to start Windows, I got the windows logo and the DOS
   prompt is returned to me in a couple of seconds.
3. When trying to VPIC, I'm dropped back to DOS right away.
4. The strangest of all, when I copy some files using the DOS copy
   command, the dates of the files (including original and target
   files) all turn to 03-07-91 2:01. Is there some significance to
   this date?
5. When trying to run program on a write-protected floppy, I get a
   write-protect error, even though I'm pretty sure there should not
   be any writing on the floppy.

Does the symptom sound like a known virus or trojan? By the way, I used
the June version of McAfee Scan and Norton Antivirus 3.0 (September
signature) to scan the whole hard drive and both reported no virus
found.

..........Hoenie

------------------------------

Date: Wed, 12 Oct 94 14:40:11 -0400
From: Pat Dillon
Subject: Re: VIRUS INFECTION - (PC)

bpwarner@csupomona.edu "Brian Warner" writes:

> I thin4 my pc might be infected with a virus. My virus checher
> dosn't detect anything, but I have some strange symptoms. Three
> of my 4eys are returning incorect va5ues, as you can see. 5 and
> 4 are two examp5es of said errors.

It seems from the text of your message that the substitutions are
always the same (4 for k, 5 for l). If you have a Gateway 2000 computer
with an AnyKey keyboard, you may have inadvertently reprogrammed some
of your keys. If so you can program them back by pressing the Remap key
then pressing each of the misbehaving keys twice. This programs the
key's original meaning onto itself. Consult the manual for your
computer for more information.

Hope this helps!

Pat Dillon

======================================================================
Patricia M. Dillon              | Internet: pdillon@ukcc.uky.edu
Scientific Analyst/Programmer   | BITNET: pdillon@ukcc
Department of Entomology        | Phone: 606/257-3571
S-225 Agri. Sci. Ctr. North     |
UNIVERSITY OF KENTUCKY          | FAX: 606/323-1120
Lexington, KY 40546-0091        |
=======================================================================

------------------------------

Date: Wed, 12 Oct 94 14:53:50 -0400
From: DMATTOON@ix.netcom.com (DAVID MATTOON)
Subject: What is UX.7264? (PC)

A friend has detected the UX.7264 virus. I've looked at VSUM and back
messages of this newsgroup, but haven't found any information on this
virus. Does anyone have information on this virus or could point me to
a source of info?

Thanks.

------------------------------

Date: Wed, 12 Oct 94 17:29:52 -0400
From: roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag)
Subject: BSVs and F-PROT/VIRSTOP ( (PC)

* In a message to All on 10-03-94, Joe Lawrence said:

JL> probably ignored by the majority of the subscribers anyway. Frisk, you have
JL> a great product, yet you DON'T ANSWER MAIL.

This differs from my experience. I sent mail to Frisk about a new
variant of Junkie, and had the answer the day after. I think this is
*very* impressing when considering the amount of mail he must get.

RogEr

-=-=-=[ roger.ertesvaag@thcave.bbs.no ]=-=-=-

---
> SPEED 2.0E #1486 > Who's General failure & why is he reading my drive C:?
----
+-----------------------------------------------------------------------+
+ Thunderball Cave BBS +47 2256 7018 / 2256 8809 (USR V.FC / V.FAST)    +
+ -- thcave.bbs.no -- Oslo Norway --                                    +
+-----------------------------------------------------------------------+

------------------------------

Date: Wed, 12 Oct 94 21:47:16 +0000
From: jlivings@crash.cts.com (John Livingston)
Subject: unknown virus (PC)

I've got a friend that has a virus that mcaffee's and F-prot have not
detected. He gets scrolling "o"'s diagonally across the screen
over-writing any text he may have on-screen.

Anyone have any ideas?

john

------------------------------

Date: Wed, 12 Oct 94 20:41:02 -0400
From: Zvi Netiv
Subject: RE: Goldbug virus (PC)

Hello Dennis,

> Your post to VIRUS-L regarding Gold Bug virus said in part:
>
> >SCAN 117, F-Prot 2.14, Integrity Master 2.22, and TBscan 6.24 did not
> > detect Goldbug, nor indicated suspicious activity.
>
> It was my impression F-PROT 2.13 did not detect Gold Bug, but that F-PROT
> 2.14 does detect it (but not remove it).
> The virlist.txt indicates 2.14 does
> find it.
>
> Was this a typo on your part, or have you actually used v2.14 against Gold
> Bug in a test?

I actually tested all the above with Goldbug, live. As I am in generic
AV, there is no point in passive scanning as this is not what happens
in reality. Goldbug has also a floppy boot phase (which I also forgot
to mention in my post :). Once infected, the above programs will not
detect Goldbug.

As for PASSIVE scanning, you were right - FP 2.14 will find the spawn.
The others if I recall didn't even detect it passively. There is no
passive detection of the mbr infection - as the disk is inaccessible.

I guess that we will get now some KILLGBUG programs, same as KILLMONK
and KILL! :-)

The detection of Goldbug spawns is trivial: Any EXE file starting with
the three bytes 81 70 0C, is a spawn. Just erase and forget. The
detection of an infected mbr is much more tricky, as it requires that
there is a memory manager present and DOS declared HIGH in the
config.sys. The mbr infection is effectively masked by advanced stealth
techniques. Goldbug cannot be removed from files, as there is nothing
to remove, they were overwritten - just erase!

Actually only InVircible detects Goldbug while active, by the generic
See Through technique, and removes it by active See Through recovery.
Just the same as any other mbr spoofing infector. IV won't tell the
virus name in the process, as it is not virus-specific. This is what
generic is about.

> > I don't know if Goldbug is in the wild.
>
> I have correspondence from one user who downloaded an infected copy of the
> pirated DOOM2 (game) beta from a public BBS in Des Moines, Iowa, USA. (it
> contained a dropper named DETECT.COM as well).

As Goldbug is a quite capricious virus, I don't think it will really
get widespread. There is no consensus as for "in the wild". For myself,
in the wild means significant numbers of infections. Take Junkie, or
Natas for example - these are in the wild.
I agree it's somewhat subjective.

> I would appreciate any further info on this subject you can provide.

Maybe one additional detail: Goldbug is hostile to QEMM (stealing away
some interrupt handlers that Qemm needs too). With Qemm 7.5 it will
hangup loading DOS. If you attempt then booting from A:, then there is
no access to the hard disk. As I said, capricious - and messy too.

> Dennis.Clouse@ucop.edu
> University of California
> Office of the President

Hope the above is helpful to you.

Best regards,
Zvi Netiv, author InVircible

------------------------------

Date: Wed, 12 Oct 94 21:04:35 -0400
From: Zvi Netiv
Subject: Gene virus (PC)

On Wed, 12 Oct 1994, kent norman wrote:

> Hello, I would like to check my system for this virus.How can I get you
> scanner?
>
> Thank You
> Kent Norman
> kent_norman@ccmail.smtp.ast.com
> ______________________________ Reply Separator _________________________________
>
> Hi Kent:
>
> I suggest you sent a email to Mr. Zvi Netiv (Author of IVSCAN).
> His Email address is ila2007@zeus.datasrv.co.il
>
> Good luck
> Philip TONG
> ______________________________ Reply Separator _________________________________
> Thanks for the reply
>
> Where do I get this IVSCAN ?
> Kent
> ______________________________ Reply Separator _________________________________
> Subject: RE: unknown virus?
> Author:CL-28951@cphkvx.cphk.hk at Internet
> Date: 10/11/94 11:16 AM
>
>
> Received: by ccmail from ast.com
> >From CL-28951@cphkvx.cphk.hk
> Date: Tue, 11 Oct 1994 19:37:34 +0800
> From: CL-28951@cphkvx.cphk.hk
> Subject: RE: unknown virus?
>
> Hi Kent:
>
> This is a new virus from china. It affects all the EXE files Only.
> The name of the virus was Dailin.It was successful removed by
> the AV called IVSCAN.
>
> Good luck!
>
> Philip TONG
> CL-28951@cphkvx.cphk.hk
>
> >I see your post in Virus-l 7-81
> >
> >Any update on the virus and how did you kill it?
> >
> >Thank You
> >Kent Norman

Hello Kent,

The virus Philip Tong is talking about was named Gene, as a string in
its text. Since InVircible is not a scanning product - it's a generic
anti viral suite - I threw out Gene from IVSCAN as soon as Philip's
problem was solved. IVSCAN is just a common and widespread virus
scanner and remover (a couple of hundreds or so) and is the least
important module in InVircible. :-)

Since then, we announced version 6.01 with its generic correlation
scanner, IVX, so that there is no need anymore to update IVSCAN with
every stupid virus. IVX weeds out Gene, as well as probably most file
viruses, regardless if known or new.

The freeware version of InVircible (there is no separate IVSCAN
package!) is available for ftp from:

ftp.datasrv.co.il/pub/usr/netz/invb601.zip

Good luck,
Zvi Netiv, InVircible

------------------------------

Date: Wed, 12 Oct 94 21:27:55 -0400
From: gandalf@pipeline.com (Tom Neumann)
Subject: HELP! My PC seems to be infected. (PC)

In comp.virus e94mc@efd.lth.se (Magnus Carstam) said:

>I've had vscan 1.17 checking and once out of 10 times it found MtE in a
>file. I have not seen the virus since. But the virus was in the file
>called 386swp or something in windows directory.
>If it would have been the only infected file it must have been there from
>the beginning.
>Vscan 2.10 didn't find anything.

This is probably a false alert, viruses go after several things but not
swapfiles.

>
>Sympthoms: Clock is dragging behind.

There may be many causes for this, software, battery, etc.

>
> Speed seems to be reduced.

This could be caused by many fragmented files.

>
> Scandisk (ms) notices a few corrupted
> files and have twice found large dataparts
> not connected with anything.

These occur quite often by improperly exiting programs or powering down
before your diskcache has finished writing.

>
> Files with names like:
> aabbbjju or something like it
> (I don't remember the extension) is to be
> found around the Hd each one taking up the
> taking up 0k of space.

Many shareware programs and games make these kind of files as "keys"
especially "demo's" from various graphics/sound groups.

>
> I don't know if this is anything but I've
> heard of a virus called cascade and
> a checker of IRQ has given the following
> results
> IRQ2 Cascade -> IRQ9
> IRQ9 Cascade -> IRQ2.

This is NOT a virus, on all PC's IRQ2 cascades to IRQ9 basically you
have 2 groups of hardware IRQ's 0-7 & 8-15 and I believe this
irq2<->irq9 link is what ties them together.

>
>
>Equipment:
>
> 486dx2-66 Compaq. (1.8Gb scsi-2 D:)
> (212Mb IDE C:) 12Mb memory
> (SB16 SCSI-2)

I suggest you run Nortons Disk Doctor and speedisk then check your
system out with another Virus Scanner particularly one with an
integrity checker like Integrity Master.

--
GANDALF

------------------------------

Date: Thu, 13 Oct 94 02:15:19 -0400
From: murphwar@futursoft.win.net (Jeff Murphy)
Subject: invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
(available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
and its mirrors):

SimTel/msdos/virus/
invb601.zip     The InVircible Anti-Virus Expert System v6.01

InVircible v6.01 is a sophisticated and effective anti-virus product.
InVircible is the only anti-virus package able to state that every
single virus in the three known virus classes (Boot Sector,
FAT/Directory, Executables) has been to date detected and removed -- a
track record that dates back to the Fall of 1990. InVircible implements
Adaptive Expert System (AES) technology that is able to absolutely
detect viruses and then completely and exactly restore the infected
executables, and doing this without needing to "know" or "name" the
infecting virus.
AES technology omits the costly need to obtain regular "updates", move
your executables, run a TSR or device driver, install a hardware card,
or worry about whether your anti-virus software "knows" the specific
virus bugging your PC. Once InVircible secures an executable, you will
absolutely know whether it has been attacked by a virus. All
restorations are exact, so you can't tell that a virus infection had
occurred. A scanner (which AES technology does not depend on) that
doesn't need updating is included for those common viruses with a name.
InVircible is effective against polymorphic, mutating, encrypted, and
compound virus attacks.

Special requirements: None

ShareWare. Uploaded by the U.S. Distributor.

Jeff Murphy
murphwar@futursoft.win.net

------------------------------

Date: Thu, 13 Oct 94 02:15:22 -0400
From: 72571.3352@CompuServe.COM (Wolfgang Stiller)
Subject: i_m231.zip - Integrity Master 2.31 antivirus/data integrity (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm),
(available by anonymous ftp from the primary mirror site OAK.Oakland.Edu
and its mirrors):

SimTel/msdos/virus/
i_m231.zip      Integrity Master 2.31 antivirus/data integrity

Integrity Master provides complete, easy to use, data integrity for
your PC plus virus protection. It can also be used to provide file
change management and security on your PC. As well as scanning for
known viruses, it detects unknown viruses and unlike other products
will detect files which have been damaged but not infected by a virus.
IM checks and restores your CMOS including the new larger CMOS
configuration memories found on most newer PCs.

INTEGRITY MASTER PROTECTS YOU AGAINST ALL THREATS TO YOUR DATA AND
PROGRAMS NOT JUST VIRUSES!

Special requirements: None

Changes: Virus scanner recognizes 385 additional viruses. Supports new
"/ND" command line parameter for fast unattended scanning (e.g. BBS
sysops). Redesigned screen display.
Home directory now supported for report and sector related files.

i_m231.zip has replaced i_m222.zip.

ASP ShareWare. Uploaded by the author.

Wolfgang Stiller
Stiller Research
2625 Ridgeway St.
Tallahassee, FL 32310 USA
72571.3352@CompuServe.COM / wolfgang@freenet.tlh.fl.us

------------------------------

Date: Tue, 11 Oct 94 14:36:46 -0400
From: "Rob Slade"
Subject: On the occasion of receiving the first advance copy of my new book

(Prescriptum - after the first screenful of contact info, the rest is a
joke. My apologies for wasting bandwidth and your time, if you find it
so, but *I* find this very exciting.)

Please note that the following is a completely fair and unbiased
review. I strive at all times to be even-handed in my reviewing. My
vested interest in this work in no way can be said to influence my
judgement. I mean, to say that just because I spent *THREE SOLID YEARS*
writing it means I might have a biased opinion about it is a prejudiced
opinion on your part, isn't it? :-)

%A Robert M. Slade
%C 175 Fifth Avenue, New York, NY 10010
%D 1994
%G 0-387-94311-0 or 3-540-94311-0 in Europe
%I Springer-Verlag
%O U$29.95 800-SPRINGER, fax 201-348-4505, ref. S965
%O (and the title was *NOT MY IDEA!*)
%P 480
%T "Robert Slade's Guide to Computer Viruses"

This is the most FANTASTIC virus book EVER WRITTEN! This is the most
FANTASTIC virus book that EVER WILL BE WRITTEN!! The day this book was
released the ENTIRE VIRUS WRITING COMMUNITY committed suicide from
depression over the fact that no one would EVER BE HURT BY A VIRUS
AGAIN!

Book stores are advised to have LARGE STOCKS of the book on hand,
prominently displayed, and probably to hire extra staff for the crush
of buyers. Grown men have been known to pull their own liver out when
told that they could not buy the book! (And that was before it was
PUBLISHED!)

When we sent the books to reviewers, they typically danced in the
streets for joy for several days.
However, we reprint here some of the less effusive comments:

"Mr. Slade's lists are more interesting than the NYC phone book."
- Dr. Fred Cohen

"Obviously some johnny-come-lately upstart."
- Harold Joseph Highland

"Is this guy some kind of comedian?"
- William Murray

"i think its cute and i like the title but i have a few questions ..."
- sara gordon

"Wonderful! It certainly cured *my* insomnia!"
- Dorothy Denning

"A mantlepiece!"
- Terry Jones

"I only have a hundred new samples that came in this week, and then
I'll read it. Promise."
- Fridrik Skulason

"Should have had more sample code."
- Ralph Burger

""
- John McAfee (forwarded by Aryeh Goretsky)

"Vrooooom, vrooooom!"
- Padgett Peterson

"Too long."
- Ross Greenberg

"Still doesn't reliably detect MtE."
- Vesselin Bontchev

"[A bruised read]"
- PGN

"Should be powered off, cast in a block of concrete and sealed in a
lead-lined room with armed guards -- and even then I have my doubts."
- Eugene H. Spafford

"Where's my baseball bat?"
- Edwin Cleton

"Is this legal?"
- Paul Ferguson

"I don't think this is funny."
- Brad Templeton

"We're the federal government. We don't *do* that."
- James Earl Jones

"Let me diagram that on a Turing machine for you ..."
- Yaron Goland

"A great virus book. No, I meant a great *anti*virus book. No, I meant
a great *virus* book. No ..."
- John Buchanan

"Cool."
- Ray Kaplan

"My title was better than his."
- Cliff Stoll

"I elisted this book, and I have the password. Therefore I am now the
author."
- Gene Paris

"We probably shouldn't be publicising stuff like this."
- J. B. Condat

Cecil B. DeMille, Alfred Hitchcock, John Ford, John Houston and
Federico Fellini are working on a co-production of the movie version.
Casting is not yet complete, but rumours indicate that Tom Hanks will
play frisk, Arnold Schwarzenegger will portray Padgett Peterson and
Mark Ludwig will be Stoned. The part of Vesselin Bontchev will be
played by a Cray YMP.
======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 86]
*****************************************
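
Added example (not code from any poster or product named in this digest): two file checks described in the messages above, the jump-to-appended-code layout of an infected COM file from Cornelius Cook's reply and the three-byte spawn prefix quoted in Zvi Netiv's reply, written as one small triage function. The function names, the tail thresholds and the sample byte strings are assumptions made for this example.

```python
import struct

# Three-byte prefix quoted in Zvi Netiv's message for Goldbug spawn files.
GOLDBUG_SPAWN_PREFIX = bytes([0x81, 0x70, 0x0C])
# Assumption for this example: a leading jump counts as "to the tail" when it
# lands in the second half of the file and within this many bytes of its end.
TAIL_WINDOW = 4096


def entry_jump_target(image):
    """Return the file offset reached by a JMP at the start of a COM image.

    Returns None when the image does not begin with a near or short jump.
    """
    if len(image) >= 3 and image[0] == 0xE9:        # JMP rel16
        (rel,) = struct.unpack_from("<H", image, 1)
        return (3 + rel) & 0xFFFF                    # IP wraps within 64 KB
    if len(image) >= 2 and image[0] == 0xEB:        # JMP rel8 (signed)
        (rel,) = struct.unpack_from("<b", image, 1)
        return (2 + rel) & 0xFFFF
    return None


def triage(name, image):
    """Return a list of findings for one file, given its name and bytes."""
    findings = []
    ext = name.upper().rpartition(".")[2]
    if ext not in ("COM", "EXE"):
        return findings
    # Check 1: the prefix test exactly as stated in the message (EXE files).
    if ext == "EXE" and image.startswith(GOLDBUG_SPAWN_PREFIX):
        findings.append("goldbug-spawn-prefix")
    # An MZ header means the entry point comes from the EXE header, so the
    # first-bytes heuristic below does not apply.
    if image[:2] in (b"MZ", b"ZM"):
        return findings
    # Check 2: first bytes are a jump that lands close to the end of the file,
    # the layout the COM-infection explanation describes. Legitimate COM
    # programs can also start with a jump, so a hit is a reason to compare the
    # file against a known-good copy, not a verdict.
    target = entry_jump_target(image)
    if target is not None and target < len(image):
        tail = len(image) - target
        if tail <= TAIL_WINDOW and target >= len(image) // 2:
            findings.append("entry-jump-to-tail@0x%04X" % target)
    return findings


# Constructed sample images (inert filler bytes, not real programs).
CLEAN_COM = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x00" * 60
JUMP_OVER_DATA = b"\xE9" + struct.pack("<H", 0x10) + b"\x00" * 16 + b"\x90" * 980 + b"\xC3"
JUMP_TO_TAIL = b"\xE9" + struct.pack("<H", 897) + b"\x90" * 996 + b"\xC3"
SPAWN_LIKE = GOLDBUG_SPAWN_PREFIX + b"\x00" * 61
MZ_EXE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    samples = [
        ("CLEAN.COM", CLEAN_COM),
        ("DATA1ST.COM", JUMP_OVER_DATA),
        ("TAILJMP.COM", JUMP_TO_TAIL),
        ("GAME.EXE", SPAWN_LIKE),
        ("REAL.EXE", MZ_EXE),
    ]
    for name, image in samples:
        print(name, triage(name, image) or "no findings")
```
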