VIRUS-L Digest   Tuesday, 25 Oct 1994    Volume 7 : Issue 87

Today's Topics:

Re: Central Point Update? ---- FTP site? (PC)
Need Help with Stoned Virus (PC)
Recommendations (?) on OS/2 Scanner/Disinfector (OS/2)
Re: `_2kb' virus (PC)
Re: VIRUS INFECTION - (PC)
stoned - Monkey (PC)
Re: HELP! My PC seems to be infected. (PC)
Stoned (AntiCMOS)-Virus?? (PC)
Are there any Paradox-specific viruses? (PC)
invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)
Looking for Dr. Solomon upgrade (PC)
Re: SCAN 2.1.0 -> False alerts ? (PC)
Re: Distribution of Viruses
Jumper /_2kb virus (PC)
Re: KOH (PC)
SYSTEM.INI (PC)
ubuythis.now (PC)
Re: Junkie virus (PC)
scitzo attack (PC)
Directory Scrambled (PC)
Re: What's McAfee's Latest Version (PC)
re:JUNKIE VIRUS (PC)
Junky virus (PC)
Die Hard 2 virus (PC)
PC Virus _1099 found (PC)
Can a virus change CMOS settings??? (PC)
** PC Virus ruins my life ** Help! (PC)
Filename problem caused by a virus? (PC)
TrJp- Virus info wated (PC)
Re: JERUSALE.FU_MANCH.UNK2 virus??? (PC)
Re: VIRUS INFECTION - (PC)
Rebuilding Partition Table? (PC)
Re: Help needed with PINWORM (PC)
UNIX virus detection (UNIX)
Re: Monkey virus help (PC)
Is it possible to pass a virus using JPG, GIF or other graphic files
Re: McAfee Virus Scan (PC)
Re: F-Prot under WinZip (PC)
Re: Suggestions-anti-virus kit? (PC)
Re: F-Prot under WinZip (PC)
re: Netcom Distributing Viruses
Re: PC-virus transportable to mainframe? (PC-VAX/UNIX)
Help! Anticmos B virus removal possible? (PC)
Netware And Viruses (PC)
Re: Netcom distributing viruses
Removing boot sector virus from B: (CANSU/V-sign) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 13 Oct 94 03:23:02 -0400
From: jones@cbdb1.nimh.nih.gov (Doug Jones)
Subject: Re: Central Point Update? ---- FTP site? (PC)

groener wrote:

>Does anyone know if Symantec has an FTP site so that I can get
>updates on the Virus signatures?

Yes, it's ftp.symantec.com. But I have only seen NAV stuff there, nothing so far for CPAV.

Doug

------------------------------

Date: Thu, 13 Oct 94 03:48:45 -0400
From: gordonr@netcom.com (Gordon C Roth)
Subject: Need Help with Stoned Virus (PC)

You will have to boot from a write protected floppy disk with the appropriate anti virus software (McAfee-clean etc). The stoned virus family is one of the older ones ('82 + ?) and lodges in the boot sector plugging up anything you try to install. It will lovingly infect any and all disks you have put in an infected computer (I cleaned over 100 floppies for a friend once). It's not too smart but easy to pass around.

ttul

- --
Gordon Roth gordonr@netcom.com
"Whatsoever thou resolvest to do, do it quickly. Defer not till the evening what the morning may accomplish" - Unto Thee I Grant

------------------------------

Date: Thu, 13 Oct 94 08:26:31 -0400
From: dasdwl@uwoadmin.uwo.ca (David W. Loveless)
Subject: Recommendations (?)
on OS/2 Scanner/Disinfector (OS/2)

Our site in the past has been primarily worried about virus infections via DOS but now that we have a growing number of OS/2 servers we need to have some OS/2 protection, too! Based on your personal experience can you recommend any particular OS/2 virus scanner and/or disinfector?

Thanks for your help.

- --------------------------------------------------------------------------
David W. Loveless, The University of Western Ontario,
Information Technology Services, Room 2, Stevenson-Lawson Building,
London, Ontario, CANADA N6A 5B8
EMAIL: dasdwl@uwoadmin.uwo.ca FAX:(519)-661-3532 TEL:(519)-661-2111 X5993

------------------------------

Date: Thu, 13 Oct 94 09:11:02 -0400
From: hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: `_2kb' virus (PC)

A.APPLEYARD (A.APPLEYARD@fs1.mt.umist.ac.uk) wrote:

> Where I work we had an attack of what McAfee Scan v116 reported as the
> `_2kb [Genp]' virus. Does VET find this virus? if so, under what name?

I don't know about VET. This virus is known to different products by several different names. Its CARO name is Jumper.A, but it is also known as French Boot, Sillybob, Neuville, Touche, EE and 2KB. Jumper was first found from France at the end of 1993 and it was in the wild in Denmark at the beginning of 1994. It infects diskette boot sectors and hard disk MBRs in the usual manner.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date: Thu, 13 Oct 94 10:31:36 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: VIRUS INFECTION - (PC)

bpwarner@csupomona.edu (Brian Warner) writes:

>{Note: My conection with this net is via a pc to a VAX to this newsgroup. I
>thin4 my VAX account is safe.}
>
>I thin4 my pc might be infected with a virus.
>My virus checher dosn't detect
>anything, but I have some strange symptoms. Three of my 4eys are returning
>incorect va5ues, as you can see. 5 and 4 are two examp5es of said errors. This
>is my first expierience with a virus, if it is a virus. My question is, does
>anyone recognize these symptoms... and can someone refer me to a particu5ar
>virus program.... and is this program on the internet.... I have thought about
>bootinig my pc from drive a, but that dosn't wor4 - It continues booting on
>drive C:, ignoring the boot dis4 in drive A:.
>
>I understand that my post is rather distorted with errors (4, 5, etc.) but I
>hope that someone can he5p me. and forgive the messy nature of this post...
>
>SYMPTOMS: -Incorrect responces are being given from my 4eyboard.
>          -I havn't noticed any change in memory.

You wouldn't by chance have a Gateway Anykey keyboard or some other type of programmable keyboard, would you? They're notorious for doing what you describe. You can unmap all keys on an Anykey keyboard by pressing and holding CTL and ALT and then pressing the Suspend Macro key. The Program LED will flash for a while while the keyboard is reset.

Joe Lawrence                 |"All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be - Nietzsche
Rockwell International       | To be is to do - Sarte
jfl@hobbes.cca.rockwell.com  | Do be do be do - Sinatra

------------------------------

Date: Thu, 13 Oct 94 10:59:10 -0400
From: kahrs@gribb.hsr.no (Kahrs, Christian 7-95)
Subject: stoned - Monkey (PC)

To anyone out there

I have a problem with my PC. I'm stoned.... by monkey and not something good. What can I do to get rid of this problem????? All help I can get is appreciated. I am located in Stavanger, Norway.

Regards Chris

------------------------------

Date: Thu, 13 Oct 94 11:09:22 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: HELP! My PC seems to be infected.
(PC)

In article <0025.9410121613.AA03055@bull-run.assist.mil>, e94mc@efd.lth.se (Magnus Carsta m) says:
>
>HELP. My PC seems to be infected but I can't remove the
>virus, if there is one.
>
>I've had vscan 1.17 checking and once out of 10 times it
>found MtE in a file. I have not seen the virus since. But the
>virus was in the file called 386swp or something in windows
>directory.

So far this doesn't sound like a virus. The 386swp file is the Windows temporary swap file. It shouldn't be there unless you're either running Vscan from a DOS window or you use CTL-ALT-DEL or the reset button to "exit" Windows. Or you had a Windows "crash". You saw a false alarm.

>If it would have been the only infected file it must have
>been there from the beginning.
>Vscan 2.10 didn't find anything.

It shouldn't. You most likely don't have a virus.

>Sympthoms: Clock is dragging behind.
>
>           Speed seems to be reduced.

You may have the turbo feature disabled on your PC. This is either a button on the front panel or it may be setup in your CMOS or it might be a software driver that controls this. Check your user manuals.

>           Scandisk (ms) notices a few corrupted
>           files and have twice found large dataparts
>           not connected with anything.

Again, this is consistent with abrupt system rebooting either by you or due to a system crash.

>           Files with names like:
>           aabbbjju or something like it
>           (I don't remember the extension) is to be
>           found around the Hd each one taking up the
>           taking up 0k of space.

These are temporary files. They usually are cleaned up when an application terminates normally. Also consistent with abrupt reboots or crashes.

>           I don't know if this is anything but I've
>           heard of a virus called cascade and
>           a checker of IRQ has given the following
>           results
>           IRQ2 Cascade -> IRQ9
>           IRQ9 Cascade -> IRQ2.
>

IRQ stands for Interrupt ReQuest. Your PC uses two IRQ chips and connects them together (called cascading) via IRQ2 and IRQ9.
(This is not exactly correct but the exact description is a bit technical, so I'm leaving it out for brevity.)

You should run either CHKDSK or SCANDISK from DOS, not windows, and clean up your hard disk. You can safely ignore lost clusters, but other errors such as FAT errors, file allocation errors, and cross-links are very serious and indicate that your hard disk has been corrupted some time in the past.

I use CHKDSK first and redirect the output to the printer. Then I use CHKDSK or SCANDISK to fix the errors. The files that were listed as either mis allocated or cross-linked will be bad and will have to be replaced, either by reinstalling the application related to the files or re-creating the data. If you have backups, you can restore from them, but be aware that the files may have been bad when they were backed up.

If you had lost clusters, you will find lots of files named FILExxxx.CHK in your root directory (xxxx = some number starting with 0000). Delete them. They just fill up your disk and are rarely useful.

- ---
Joe Lawrence                 |"All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be - Nietzsche
Rockwell International       | To be is to do - Sarte
jfl@hobbes.cca.rockwell.com  | Do be do be do - Sinatra

------------------------------

Date: Thu, 13 Oct 94 11:45:02 -0400
From: pinkeru@uni-muenster.de (Ulrich Pinkernell)
Subject: Stoned (AntiCMOS)-Virus?? (PC)

If I check my PC with McAfee Scan (V2.1.1?, newest), F-Prot (newest) or SDSCAN (a new commercial available program), I get the answer: Found a new version of AntiCMOS -Virus in Boot sector or . Stoned (AntiCMOS) -Virus. They all are not able to remove it, but it can be removed with fdisk /mbr and sys c: (a:) without losing any files.

I also used the new driver for the VGA-card miro 10SD from the original disks. I got some infos about viruses on miro driver disks.

Does anybody know something about this virus and what damages it can make?
Uli

**************************************************
* Ulrich Pinkernell                              *
* Analytische Chemie                             *
* Westfaelische Wilhelms-Universitaet Muenster   *
* Wilhelm Klemm-Str. 8                           *
* D-48149 Muenster                               *
* Germany                                        *
* e-mail: ulrich.pinkernell@uni-muenster.de      *
**************************************************

------------------------------

Date: Thu, 13 Oct 94 10:21:45 -0600
From: William Aaron Nicholls
Subject: Are there any Paradox-specific viruses? (PC)

I desperately need information on whether or not a Paradox-specific virus exists or has been heard of. I work on a medium-sized database (60 megs or so) and we have recently had some problems.

A few weeks ago, our network crashed and the network support personnel notified us that we had several viruses that had burrowed their way into the system and (they were running no virus checking on a network of 2000+ people) had caused quite a bit of damage. We had Liberty, the Satan bug, Dorn, and Aragorn (that's what we detected). I later got the McAfee virus utils among several others and did my own scan of the network. Nothing new turned up.

However, recently (about two weeks later) we have noticed that form files and status fields in certain vital tables have changed or totally disappeared. I am personally acquainted with all people that have access to these files and no one should have a vendetta or anything. We recently changed our passwords, so it shouldn't be that sort of a problem.

Is it possible that we have a Paradox specific virus? I have heard of viruses in True-Type fonts, ones that work specifically with Word Perfect or a specific such program, but not one for Paradox. Is there any chance that we have one such virus and simply cannot detect it?

I realize that this could be a rather desperate theory, but I need a professional opinion and would very much appreciate your prompt response in this matter. Thank you very much.
Aaron Nicholls - wan@bert.cs.byu.edu

------------------------------

Date: Thu, 13 Oct 94 12:26:19 -0400
From: frankj@tv.tv.TEK.COM (Frank Jazowick)
Subject: invb601.zip - The InVircible Anti-Virus Expert System v6.01 (PC)

Hi readers.....

I just read about invb601.zip - The InVircible Anti-Virus Expert System v6.01, and how good it is........ Now up to this point, I know that F-Prot was just about equal or one of the best anti-virus shareware programs around..... So does anyone know about this invb601.zip program and how good/reliable it is and so on?? I just downloaded it and am waiting for feedback from you readers to comment on this..

Thanks, Frank

------------------------------

Date: Thu, 13 Oct 94 16:40:29 -0400
From: bfbrown@teal.csn.org (Brian Brown)
Subject: Looking for Dr. Solomon upgrade (PC)

My company has undergone severe re-organization and even a move of location. As a result, all of our docs/disks from Dr. Solomon's (S&S) DOS-based virus utilities are gone. All we have resident is an 11-month-old set of .DRV and .EXE's, which remind us constantly that they are out of date.

I have finally taken it upon myself, having been burned badly once by Michelangelo, to find the new versions. In its on-line-help, Dr. Solomon's indicates upgrades are available via a bulletin board. Does such a board or FTP site exist? Can someone point me in the right direction?

Email responses to brian@t1sys.com are appreciated, since our internet firewall is mail-only for the time being, and I have to call a dialup service provider to read news.

Thanks all, BB

------------------------------

Date: Thu, 13 Oct 94 17:13:24 -0400
From: karpens@gandalf.ncssm.edu (Simon Karpen)
Subject: Re: SCAN 2.1.0 -> False alerts ? (PC)

I have a similar problem if I run F-prot after MSAV (CPAV). It detects Telecom in memory. Make sure neither of these is used beforehand. They're crap, anyway.
- --
Simon Karpen karpens@ncssm-server.ncssm.edu flames to /dev/null
DOS is dead, long live Linux #include

------------------------------

Date: Thu, 13 Oct 94 19:12:55 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Distribution of Viruses

In article <0006.9410121803.AA03780@bull-run.assist.mil>, William Hugh Murray <0003158580@mcimail.com> wrote:

[stuff in reply to me deleted]

)I would not have very much problem with giving a copy of a very common
)virus to anyone. While I cannot predict all of the consequences of the
)virus, and while I recognize that it became common from only one copy, one
)more copy of the virus is not likely to make the situation much worse.

Ok.

)However, I will not give away a copy of an arbitrary virus to an individual
)not well known to me. For example, I would not give a copy of an arbitrary
)virus to Mr. McCarty. While he may take this personally, it really has
)nothing to do with him. It has to do with my ignorance of him. It is not
)that I expect him to behave irresponsibly, but that I cannot well predict
)that he will not.

Perfectly reasonable. And no personal offense taken.

[more stuff deleted]

)Where I cannot know, I behave conservatively. Once the virus leaves my
)hand, I lose control. If I cannot exercise control late, then it is
)conservative to control early.
)
)What I advocate here is individual choice and responsibility. I do not
)expect to convince Mr. McCarty where my colleagues have failed. I do not
)advocate the use of the coercive power of the state to force any of you to
)do what I cannot convince you to do. I do not expect to convince all of
)you, but the world will be a more orderly place if I can convince some of
)you.

No need to convince me. I agree substantially with what you wrote. I have myself refused to send copies of viruses to some whom I did not know and had no knowledge of their motives.
But the position you take seems to me to be quite different from that taken by certain AV researchers, Vesselin Bontchev in particular.

I seem to be sitting on a fence here, a little bit. For myself, I don't want to send virus source or executable to persons who have .sig's which are representations of skulls with daggers through them. However, to anyone who seems more or less reasonable and has stated intent only to study, I have no problem.

I also believe, however, that there is a certain "mystique" in writing viruses. I recently received a copy of some kind of "underground" net magazine. It was from some guy who ran a BBS. The requirements for membership in the BBS was having written a new virus and uploading it, along with explanation of why it is "unique" in some way. I have no problem with that per se. But it does indicate that some people believe that writing a virus is somehow "different" from writing any other program. (In some ways it is, in that the viruses I have looked at were very amateurish and buggy. The virus writers have no real "customers" and so they can get away with "releasing" really poorly written stuff.)

With virus code laid out clearly and concisely, along with plain explanations of what it is doing and how, I think this mystique would evaporate. And so would the viruses, in large measure.

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 13 Oct 94 19:27:08 -0400
From: riordan@tmxmelb.mhs.oz.au (Nick Engelman)
Subject: Jumper /_2kb virus (PC)

On Fri, 30 Sep 94 11:44:39 A.APPLEYARD wrote:

> Where I work we had an attack of what McAfee Scan v116 reported as the `_2kb
> [Genp]' virus. Does VET find this virus? if so, under what name?

and on Fri, 16 Sep 94 06:31:33

> This morning VET said it had found and removed Jumper virus from one of our
> public PC's. Please describe Jumper virus. In particular, can it survive warm
> boot in memory under DOS 5.00?
> I can find nothing about Jumper virus in my
> Virus-L index.

First off, sorry about the delay in replying - we get the digest form of Virusl, so the message has only just come in.

What McAfee calls _2kb we call Jumper - and yes, VET does clean it. The virus is a memory resident MBR infector, setting Top of Memory down by 2K when you boot from an infected hard disk and infecting floppy boot sectors on access.

The current version of VET does not disable the virus in memory. VET will detect Jumper in memory and advise you to boot from a known clean system floppy and run VET again - if you follow this advice, VET will be able to clean your hard drive. Once you have a clean PC, you will need to check all the floppies that have been in it; type VET a: or VET b: and VET will clean these too.

Hope this helps, best of luck,

Nick

Nick Engelman riordan.cybec@tmxmelb.mhs.oz.au

------------------------------

Date: Thu, 13 Oct 94 19:45:38 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: KOH (PC)

In article <0044.9410121803.AA03780@bull-run.assist.mil>, Iolo Davidson wrote:
) jmccarty@spd.dsccc.com "Mike McCarty" writes:
)
)> Iolo Davidson wrote:
)>
)> ) I hope we are not going to get another thread about so-called
)> ) "beneficial" viruses. We have just finished that idea off.
)>
)> I am not so sure you have "finished that idea off". I think that people
)> just got tired of discussing it. There were a few who supported it, a
)> few who vociferously repudiated it. You seem to be saying that those who
)> repudiated it "won" the debate. I very much doubt that. I don't think
)> anything got resolved at all.
)
)We won, you lost. I know you don't accept it. Too bad. Your
)problem.
)
)I stand ready to hash the whole thing through again, though, for
)the benefit of those with open minds. In fact, I insist on doing
)so whenever the subject comes up.
)Don't want anyone to be
)deluded by the self-serving claims of virus writers who are
)desperate to rehabilitate their shabby images.

Are you attempting to class me with those who are "virus writers who are desperate to rehabilitate their shabby images"? From your post it is not clear. In any case, Iolo, I resent the part of what you say here which is understandable without further explanation.

I do not believe there are any viruses which perform any useful function which could not be better performed by non-virus software. (Possible exception for trainers to help people learn what a virus infection is like and how to remove it.) So "I" did not lose. "I" do not have a problem with there being no beneficial viruses.

What I did say was that the issue was not resolved. "You" did not "win". Nor did "I", since I don't think there are good viruses. And proudly proclaiming victory doesn't make it so.

Please quit putting words and ideas in my mouth.

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 13 Oct 94 21:10:37 -0400
From: judgdredd@aol.com (Judgdredd)
Subject: SYSTEM.INI (PC)

I received this message following the Windows 3.1 startup screen:

"A device file specified in the SYSTEM.INI file is corrupted. It may be needed to run Windows in 386 enhanced mode. You need to run the Setup program again. cdpscsi Press a key to continue"

Press a key and the system reboots.

I tried rerunning Setup, I tried overwriting my Windows files from my backup, and I have retried installing Windows. I have used MSAV and no detections were found. I still end up with the above message.

In a moment of panic I FDISKed & FORMATed my hard drive and started all over from scratch. I am still getting the above message! HELP ME PLEASE!!! I am stuck and out of ideas...

------------------------------

From: tony.brower@factory.com (Tony Brower)
Subject: ubuythis.now (PC)

Something (presumably a virus?)
is causing an empty file called "ubuythis.now" to be created in my root directory on my hard drive. If it is erased it just reappears soon. Virusscan doesn't find anything and no damage seems to have been done, but it's disconcerting all the same. Anyone have any clues?

Tony Brower tony.brower@factory.com

------------------------------

Date: Fri, 14 Oct 94 03:13:51 +0000
From: bmitchel@cita.cit.gu.edu.au (Bradley Mitchell)
Subject: Re: Junkie virus (PC)

rdj@scammell.ecos.tne.oz.au (Richard Jones) writes:

>I found a PC with the Junkie virus on it and are having a hard time
>removing it. Does anybody know how this virus infects PC's or how to get
>rid of it?
>Thanks in advance.

I found it on a lot of friends systems myself. In fact, you will find that TBAV picks it up. The best thing to do is to boot off of a clean floppy and run fdisk /mbr. That will remove junkie from the boot sector and you can thus reboot on your harddrive but before doing this, scan your hdd with tbav and delete every file that is infected, I believe it only infects com files and is a really crap virus anyway as you can rename an EXE file to a COM file and it won't distinguish the difference between the two.

Hope this helps.

Brad

- --
+---------IF YOU READ THIS YOU ARE A TOTAL AND UTTER SMEGHEAD!---------+
| Email : bmitchel@gucis.cit.gu.edu.au or brad@tsunami.itc.gu.edu.au |
| 'Go not to the elves for advice for they will say both yes and no!' |
+-----------------------------------------------------------=TOLKIEN=--+

------------------------------

Date: Fri, 14 Oct 94 00:45:02 -0400
From: denat@guid2.dnet.ge.com
Subject: scitzo attack (PC)

Hello to all,

I have just suffered an attack by the 'scitzo' virus. I managed to identify and eliminate it with F-PROT 214. So far, it seems to be gone.

I have however, found traces of it in several files which were not executables. I also found some files which I can't explain the origin of.
Note that all these files contain the ASCII string "I feel a little scitzo...". This string is sometimes repeated (the result of multiple attacks?). I originally found this string in file nav_._no (this was a suspicious file, so I inspected it with a browser. Seeing it was a binary file, I jumped to the end to see what was there). I was then able to find the string in other files by using Norton's filefind. I searched for all files containing the string 'scitzo'.

A sampling of corrupted non-executables:

car.jpg      (a jpg compressed picture)
deskjet.geo  (file from the DOS version of AOL)
mickey.icn   (an icon)
config.sys   (yeah, the one I boot from!)
nav_._no     (??? I did run NAV version 2.0. This file is marked as a system/hidden file. NAV was run from the distribution floppy, so I would not expect to find this file on my hard drive.)

Observations:

1. This virus adds 1329 bytes to the executables it infects. MSAV (distributed with MS-DOS 6.2) picked this up even though it did not identify or recognize the virus.

2. The timestamp of files that it attacks (even if not infected) is altered so that the seconds are '03'. MSAV detected this change too, even when the file size and checksum were not affected. (This is an assumption on my part since every file MSAV reported as altered had a timestamp of 'hh.mm.03'). The date did not seem to be affected. This is an interesting side effect since most directory listers only show the time as 'hh.mm'. (Window's file manager is a notable exception, but if you catch this one, don't expect to be able get to Windows to use it!).

3. It attacks anything resembling an executable. Files with extensions .EXE, .COM, .DRV, .FON, and .SYS were attacked. Not all of these files were binaries.

4. It infected executables that were not run recently, therefore this virus seeks out host files.
I'll assume the binaries were infected (I didn't keep one to study, but will if it reappears), and that files which could not be infected were either not altered (save the timestamp), or had the ASCII signature string (described above) appended (less than 1329 bytes). I didn't notice if any DLLs were infected. I blew away Windows after realizing it was hopelessly corrupted and before running F-PROT.

5. Aside from the obvious file corruption (some no longer worked and hung the system), another symptom of the attack were the messages "Error writing to write-protected disk Abort, Retry, Fail?" received when running anything from a write protected floppy. Repeatedly answering 'r' allowed the file to be run. It seems to give up after a few tries.

6. Virus infections occur even in the best of families :). (Not just to the other guy).

7. The clean-boot feature of MS-DOS 6.x was useful, but I would have gotten nowhere without a clean, write-protected boot floppy. (I know I'm preaching to the choir on this one, but it may prove to be useful advice to a newbie.)

A few questions:

1. Can anyone shed some light as to what this virus is all about? I managed to learn quite a bit about it through my observations, but some informed facts would be useful. The text files that came with F-PROT had no details on scitzo.

2. Am I safe to assume that this thing did not attack zipped archives? i.e. if the archive is not corrupted, then the files inside are still ok? I had copies of some critical files zipped on the hard drive.

3. Does this virus simply corrupt existing files, or does it create new files in which to hide? (Possible explanation for the files of unknown origin?)

4. Aside from believing the results of F-PROT, is there anything else I need to do to ensure the virus is really gone? In other words, since I deleted all the executables that it infected, can I assume that the file which carried the virus is also gone?
I have been reloading the applications that I installed just prior to the attack in order to isolate the source of the virus, but it is possible that I got this from something I downloaded which has already been deleted.

5. The attack occurred on October 10, 1994 (Columbus Day here in the USA). Is the date significant, or just a coincidence? (Is it possible that the beast is now dormant, ready to strike again next year?) In the process of reloading the applications, and checking for a re-infection, I have been resetting the system clock (via the BIOS) to 10-10-94 in case the date matters.

6. I am considering using an anti-virus TSR/driver to guard against future infections. At the moment, I am using the driver supplied with F-PROT to help detect if the virus re-appears while I attempt to determine its source (mainly since F-PROT detected and identified the virus). However, the protection afforded by VSAFE (supplied with DOS) seems pretty thorough based on the description in the DOS manual. Any suggestions on what to use?

7. I remember seeing a motherboard described as 'anti-viral'. What does this mean? Who makes them? (Coincidentally, I'm considering a motherboard upgrade for my aging 386DX-20. Maybe this would be a good choice).

Responses of a general nature should be sent to the list to ensure that this information gets to everyone. If I manage to learn more about this virus, I'll post that, along with a summary of other responses I receive.

Regards,

Roger Denat denat@guid2.dnet.ge.com

------------------------------

Date: Fri, 14 Oct 94 03:21:10 -0400
From: dcampbel@infinet.com (Daniel Campbell)
Subject: Directory Scrambled (PC)

We have 50 PCs connected to a Novell Network. Each is used primarily for AutoCad. The Server drive G: root directory has become scrambled or out of sequence. Any thoughts on this? A virus problem?

- --
Daniel D.
Campbell | dcampbel@infinet.com | Columbus, OH | 614-861-1814

------------------------------

Date: Fri, 14 Oct 94 03:56:20 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: What's McAfee's Latest Version (PC)

Hello Mr. Hugget,

In article <0022.9410121613.AA03055@bull-run.assist.mil> jamaican@garnet.msen.com (Dwight Hugget) you write:
>What's the latest version of McAfee's scan program ?

As of October 13th, the latest version of VirusScan is Version 2.1.1 with the 2.1.211 data file (included with the program).

>I just read about a beta (2.0). Can I trust this beta ???

You can trust it to behave as a beta-level piece of code. I would not recommend running it when a newer, better-behaved production version is available.

>
>thanks
>

Regards,

Aryeh Goretsky
Technical Support

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, Suite 200 | FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Fri, 14 Oct 94 07:17:44 -0400
From: slota@rtsg.mot.com (Dave Slota)
Subject: re:JUNKIE VIRUS (PC)

I have removed the Junkie virus with NAV 3.0 and the latest patch. Both McAfee 117 & scan 2.1.0 found it but could not clean it. It did do a lot of damage to my windows files.

Regards Dave

------------------------------

Date: Fri, 14 Oct 94 07:29:15 -0400
From: scott1@uxa.cso.uiuc.edu (Trash! )
Subject: Junky virus (PC)

My PC is recently infected by Junky virus... Is there any way to remove this virus? I formated my hard disk because of this virus... But, this virus still exist....Hmmm.... I don't what should I do....
Help~~~~~~~~~~~~~~

------------------------------

Date:    Fri, 14 Oct 94 08:01:11 -0400
From:    gervais@singnet.com.sg (Wansaicheong Khin Lin Gervais)
Subject: Die Hard 2 virus (PC)

Aaargh! Does anyone have knowledge of the Die Hard 2 virus? Several units have been affected by this virus here probably transmitted via the internet provider. (Heads will probably roll.) Anyway, is Scan117 the only program that will pick it up and what about cleaning up after the thing?

gervais
gervais@singnet.com.sg

------------------------------

Date:    Fri, 14 Oct 94 08:01:20 -0400
From:    isc20324@cobra.nus.sg (NG YENG YONG)
Subject: PC Virus _1099 found (PC)

Hi netters,

Just encountered a new virus named _1099. Scan 2.1.1 can detect it but has no remover for it. Tried ThunderByte Anti-Virus 6.24. Worse, it cannot detect the virus. Checked with VSUMX408 but it had no description of this virus. Has anybody encountered this virus and cured it successfully, or has any description of the types of destruction this virus can do?

Thanks very much for any responses.

Best regards,
Steve

===========================================================================
= Ng Yeng Yong, Steve               = Internet : isc20324@nus.sg          =
= 3rd Year, Computer Science        =            ngyengyo@iscs.nus.sg     =
= Department of Information Systems =                                     =
= and Computer Science (DISCS)      =                                     =
= National University of Singapore  =                                     =
===========================================================================

------------------------------

Date:    Tue, 11 Oct 94 20:47:01 +0200
From:    Jan_David_Mol@f312.n310.z9.virnet.bad.se (Jan David Mol)
Subject: Can a virus change CMOS settings??? (PC)

> I am having a problem with several PCs where the CMOS settings are
> seemingly randomly changing. Could a virus be causing this??

A virus is just a little bit of code, so it has the same limitations as a normal computer program. So a virus can do anything a normal program can do, even changing CMOS settings.
Another explanation for your problems with your CMOS is that the battery, which makes sure that the clock in your PC keeps running even if you turn your computer off, and which prevents your CMOS from being cleared, can be (almost) empty. If so, you'll have to replace it since they cannot be reloaded.

Greetings,
Jan David Mol

- ---
FMail/386 0.98a
 * Origin: Highway BBS * The fastest way of communication * 01731-5230 (9:310/312)

------------------------------

Date:    Tue, 11 Oct 94 20:40:00 +0200
From:    Jan_David_Mol@f312.n310.z9.virnet.bad.se (Jan David Mol)
Subject: ** PC Virus ruins my life ** Help! (PC)

> I am no computer expert. Any suggestions on what I can do to get rid
> of it. Thanks.

The best thing I can think of is getting yourself a virus cleaner from a BBS. This cleaner can remove the virus from your PC, so you don't have to format your hard disk. I recommend the cleaner from McAfee. It's not too difficult to use and fast. Just call any BBS and ask for this, or any other, virus remover.

Greetings from Jan David Mol

- ---
FMail/386 0.98a
 * Origin: Highway BBS * The fastest way of communication * 01731-5230 (9:310/312)

------------------------------

Date:    Fri, 14 Oct 94 14:30:19 +0000
From:    stech@eskimo.com (Harvey Steck)
Subject: Filename problem caused by a virus? (PC)

Problem: (I have a small Lantastic network, recently upgraded from Lantastic 5.0 to 6.0, and my problem appears to be restricted to our fileserver.)

Apparently random files, including some directories, RENAMED so that the THIRD character in the filename is changed to its ASCII value minus 64. (In other words, it seems that the 7th bit from the right is changed from 1 to 0.) This causes havoc, of course, especially when the name that is changed is a parent directory name.

I believe the virus(?) is on the server, but I have not been able to detect one with Virucide or SCAN 117. Anyone else have this problem?

BTW, I am using a Promise ISA IDE caching controller.
(That wouldn't cause this problem, would it?)

Any clues would be much appreciated!

stech@eskimo.com (Harvey Steck)

------------------------------

Date:    Fri, 14 Oct 94 11:27:31 -0400
From:    "D.Roozemond"
Subject: TrJp- Virus info wated (PC)

Hallo to all,

we just found a virus called "TrJp". McAfee can't find it; ThunderByte does. Can somebody tell us about the kind of virus, how dangerous etc. It affects .com and .exe files. It is not listed in P. Hoffman's virus list.

------------------------------

Date:    Fri, 14 Oct 94 13:43:11 -0400
From:    danh@gold.gvg.TEK.COM (Daniel Hanna)
Subject: Re: JERUSALE.FU_MANCH.UNK2 virus??? (PC)

In article AA03695@bull-run.assist.mil, eahu326@rigel.oac.uci.edu (Frances Leung) writes:
> Hi there! I ran a virus check program and found the
> above Jerusale.fu_manch.unk2 virus? Could someone please
> give me some insights as to what this virus does and is there
> a program out there that can remove it?

I am also interested in what it does and how to remove it. I discovered it using McAfee VirusScan v.2.10. It discovered it in a screen-saver file called EXPLOSIV.COM.

Any info would be helpful.

Thanks in advance,

- ---
Daniel Hanna
danh@mecad.gvg.tek.com
Mechanical Designer / Computer Liaison
Grass Valley Group, Inc. (Grass Valley Group, a Tektronix company)
P.O. Box 1114
Grass Valley, California 95945  M/S = 4A
(VOICEMAIL) (916)478-3448
(FAX) (916)478-3820

------------------------------

Date:    Fri, 14 Oct 94 14:05:11 -0400
From:    kenney@netcom.com (Kevin Kenney)
Subject: Re: VIRUS INFECTION - (PC)

Gateway computers, or any other with mapping keyboards are prone to this.
(New Gateway keyboards even have a sticker on them telling you how to get out of the mess: CTRL+ALT+Suspend Macro.) Check your manuals for keyboard mapping. Otherwise, a bad bit of hardware may be at fault (your keyboard connectors or ram).

The boot from C or A problem is in your computer's CMOS setup, under advanced options. Follow the 'Press XXX to enter Setup.' instruction you see when booting to find it. Note that many scanners can find many 'Stealth' viruses anyway, so go ahead and run one from C.

Good Luck,
KpK

------------------------------

Date:    Fri, 14 Oct 94 14:11:53 -0400
From:    kenney@netcom.com (Kevin Kenney)
Subject: Rebuilding Partition Table? (PC)

Since partition-table affecting viruses are becoming more common, and since anyone hit by a new one won't want to wait for scanners to be updated, I'm looking on how to rebuild a partition table, hopefully without trashing the disk's formatting. What tools would be needed, and do they exist, including in a commercial package? (What can access a C: drive the BIOS can't find?) I'd be willing to write such a generic tool, if pointed in the right direction.

KpK

------------------------------

Date:    Fri, 14 Oct 94 15:31:01 -0400
From:    datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Help needed with PINWORM (PC)

In article <0012.9410141551.AA07216@bull-run.assist.mil>, Zvi Netiv wrote:
> A few instructions to get it right at the first shot: As Pinworm is
> heavily encrypted and polymorphic, decrease the detection threshold to
> 1% (one percent) instead of the 20% default. At the most, a couple of

What does that mean? What is a detection threshold?

Another point of interest is that pinworm is also somewhat heavily armored and does a lot of things to make it pretty annoying to decrypt by hand.

This virus uses a key based on the code which was generated for the decryptor; the key is based on the polymorphic code.
Unfortunately, what happens a lot of times, is it will do something annoying like slap an int 3 in the decryptor. The problem is that if you try to trace over the decryptor loop, you stop on the int 3. If you try to slap something like a NOP over the int 3, then the key values are calculated incorrectly. Instead, all that needs to be done is copy the decryptor to another location and adjust the pointer to the key generator while NOP'ing the int 3's in the first decryptor.

Of course, there are several other similar tricks that this virus uses to make itself hard to break apart.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
* * * T H I E V E S S U C K * * * * * * T H I E V E S S U C K * * *

------------------------------

Date:    Fri, 14 Oct 94 16:18:12 -0400
From:    rickr@scripps.edu (Rick Ross)
Subject: UNIX virus detection (UNIX)

Folks,

Greetings. I am new to the list and am risking asking something that may have been asked recently. The question is: Is anyone aware of any antivirus software that has been developed for Unix workstations?

My company is connecting to the Internet and there is concern about importing viruses to Unix workstations. How do other folks take precautions?

Thanks for any responses. Sorry if this is a redundant question. I did check the most recent FAQ. I will also be glad to summarize any responses.

with best regards,
Rick Ross
PPG Industries, P.O. Box 9, Allison Park, PA 15101
voice: 412-492-5359; fax: 412-492-5577; rickr@ppg.scripps.edu

------------------------------

Date:    Fri, 14 Oct 94 18:49:54 -0400
From:    Tim.Martin@UAlberta.CA (Tim Martin)
Subject: Re: Monkey virus help (PC)

writes:
> I have lots of diskettes infected wid the monkey virus, according to my
> school's antivirus scanner; i tried to use their antivirus software, Mcafee
> . But i didn't seem to work. I also have a few disks infected wid the genb
> virus...
; can anyone tell me about a good software program that finds and
> kills these viruses. I also think that my PC's hard drive of about 240mb,
> may also be infected. I hope that there's some good antivirus software out
> there that can eliminate viruses in hard drives, without the need of
> reformating again... thank
>Rafale Chan

Killmonk, version 3. Find it in the pkzip archive killmnk3.zip, at your favourite ftp site. (try bode.ee.ualberta.ca, in /pub/dos/virus)

Tim.

------------------------------

Date:    Fri, 14 Oct 94 19:49:44 -0400
From:    mscheid@usa.net (Mark S. Scheid)
Subject: Is it possible to pass a virus using JPG, GIF or other graphic files

I was told that all binary picture files must be scanned for virus infection. I don't understand how a program that reads and displays binary data can pass an infection contained in the graphic data file. What is the deal? Is it possible?

------------------------------

Date:    Sat, 15 Oct 94 00:49:09 -0400
From:    safety@gti.gti.net (Safety Net)
Subject: Re: McAfee Virus Scan (PC)

In article <0026.9410141551.AA07216@bull-run.assist.mil> you wrote:
: I have always used F-Prot and McAfee virus scanners and protectors. I have
: yet to run into a situation where one found a virus and the other didn't.
: Most people on the net seem to prefer F-Prot over McAfee, however, my
: concern is over Windows. McAfee has a Windows module, F-prot doesn't, nor
: does it mention that it is active in Windows.

Have you used the /BEEP option on VIRSTOP? It will beep and display a virus message three times. The message will be visible even if you are in Windows.

If you are looking for a Windows version of F-Prot, try VirusNet. It is based on the F-Prot and VIRSTOP scanners and adds new Windows and DOS versions and a host of additional features. An eval is available on our BBS (201-467-1024 14.4,n,8,1) and CompuServe (GO SAFE).

Regards,
Bob Janacek - Technical Director
Safetynet, Inc.
------------------------------

Date:    Sat, 15 Oct 94 00:48:17 -0400
From:    jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: F-Prot under WinZip (PC)

mike.murphy@atlwin.com (Mike Murphy) says:
>I need some help with F-Prot v2.14 (or any version for that matter). I
>use Windows religiously and would rather not go to DOS (although I know
>DOS and have used it since 1986). I use a ShareWare called WinZip v5.5
>(which I highly recommend!!) to test downloaded files.
>I would rather use F-Prot to do the virus scanning in Iconized
>background (not visible as a DOS session).
>The problem comes with the report. When F-Prot is finished scanning,
>WinZip brings up the report. There is no information.
>I have read over the command switches and nothing seems to fit into that
>category.
>This is different with McAfee, which offers a complete and detailed
>report using these switches: /nomem *.*/all/sub
>To all the F-Prot gurus (Fridirk Skulason?)...PLEASE help...I would
>rather use F-Prot than McAfee any day.

It sounds like you're using the Virus scan option. I've found that the checkout option calls F-Prot in an iconized DOS window without displaying the report. It uses the errorlevel. The disadvantage to the checkout option is that it generates a program group which burns up some time.

F-Prot could probably put up a no virus found message but the real culprit is WinZip. It should check the errorlevel in the scan option just like it does for the checkout option. Personally I just close the report. I've never had any success contacting the WinZip author, even when we bought our site license.

Joe Lawrence                 |"All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be - Nietzsche
Rockwell International       | To be is to do - Sarte
jfl@hobbes.cca.rockwell.com  | Do be do be do - Sinatra

------------------------------

Date:    Fri, 14 Oct 94 20:35:21 -0400
From:    safety@gti.gti.net (Safety Net)
Subject: Re: Suggestions-anti-virus kit?
         (PC)

Kevin Marcus (datadec@corsa.ucr.edu) wrote:
: For shareware, I would suggest looking at F-Prot, which has a high
: detection rate as well as removal rate.

FYI, Safetynet's VirusNet incorporates the F-Prot scanner and TSR. We add new Windows and DOS interfaces, context-sensitive help, checksum scanning and rescue disk. The LAN version has full software distribution and event scheduling, automatically installing, updating and configuring virus protection and scheduling on all network workstations.

: For commercialware, I'd suggest NAV 3.0. Aside from detecting all
: viruses in the wild, you have a company in your country which you can
: reach easily and exchange things with if you need to in a reasonable
: amount of time.

Regards,
Bob Janacek
Safetynet, Inc.
55 Bleeker St.
Millburn, NJ 07041-1414
1-800-851-0188
1-201-467-1024
1-201-467-1581 (BBS)
!GO SAFE (Safetynet section of Novell Forum on CompuServe)

------------------------------

Date:    Fri, 14 Oct 94 20:19:10 -0400
From:    safety@gti.gti.net (Safety Net)
Subject: Re: F-Prot under WinZip (PC)

VirusNet uses the F-Prot scanner and TSR from Frisk Software Int'l and adds new *Windows* and DOS interfaces. An eval is available on CompuServe (GO SAFE) and on our BBS (201-467-1581 14.4,n,8,1). We will have an FTP site very soon for evals of VirusNet and our other security and network management software.

Regards,
Bob Janacek - Technical Director
Safetynet, Inc.

P.S. - Presently, our StopLight security software is available at ftp.hawaii.edu in the /outgoing/Safetynet directory.

Mike Murphy (mike.murphy@atlwin.com) wrote:
: I need some help with F-Prot v2.14 (or any version for that matter). I
: use Windows religiously and would rather not go to DOS (although I know
: DOS and have used it since 1986). I use a ShareWare called WinZip v5.5
: (which I highly recommend!!) to test downloaded files.
: I would rather use F-Prot to do the virus scanning in Iconized
: background (not visible as a DOS session).
: The problem comes with the report. When F-Prot is finished scanning,
: WinZip brings up the report. There is no information.
: I have read over the command switches and nothing seems to fit into that
: category.
: This is different with McAfee, which offers a complete and detailed
: report using these switches: /nomem *.*/all/sub
: To all the F-Prot gurus (Fridirk Skulason?)...PLEASE help...I would
: rather use F-Prot than McAfee any day.
: Thanks...Murfster
: mike.murphy@atlwin.com
: - ---
: CMPQwk #1.4. UNREGISTERED EVALUATION COPY
: - ----
: +---------------------------------------------------------------------+
: | The Atlanta Windows BBS (404)516-0048 9 high-speed USR nodes        |
: | Largest Win-specific BBS in the SouthEast- CDROMs, RIME, INTERNET   |
: +---------------------------------------------------------------------+

------------------------------

Date:    Fri, 14 Oct 94 23:52:03 -0400
From:    olpopeye@ix.netcom.com (Walter Murdock)
Subject: re: Netcom Distributing Viruses

I find it interesting if not outright laughable that so many on this forum are so upset about their supposed First Amendment rights being infringed (re: writing and publishing viruses), while flatly ignoring and threatening others' Second Amendment rights re: Right to Keep and Bear Arms.

I guess next I'll read "You can have my computer when you pry it from my cold, repetitive-strain-riddled hands."

Come on, people! Netcom isn't infecting your computers. And guns aren't dangerous. Unless you do something stupid with them. Today, I drug out 5 handguns and assorted other weaponry and sat watching each one for some sign of sentient life. _NONE_ of them killed me!! Surprise !! Surprise!! (Can you spell S-A-R-C-A-S-M-...???) Same as cars - Cars aren't dangerous; drunken drivers are! And doesn't that apply to viruses as well?

Get real! Let's try and keep this discussion on a more intelligent level. And try to pick an analogy that deals with reality, not some knee-jerk anti-gun propaganda.
Regards,
Walt

Walter E. Murdock          olpopeye@ix.netcom.com   olpopeye@svpal.org
U.S. Navy ''Mustang''      Korea '53, Lebanon '58
Retired & Proud Of It.     Dominican Republic '65   Vietnam '65-'68

------------------------------

Date:    Sat, 15 Oct 94 02:03:34 -0400
From:    zaphod@dorsai.dorsai.org (Eugene Accado)
Subject: Re: PC-virus transportable to mainframe? (PC-VAX/UNIX)

A.W.van Steijn (felfs!awsl3@uunet.uu.net) wrote:
: Hi there,
: Anyone heard about the possibility of a virus which can run on
: a PC-based (pref. MS-DOS) system and also able to infect a
: mainframe???

Most mainframe operating systems can store DOS files in some form or another but cannot run them. There is a possibility that a mainframe can be storing a DOS program infected with a virus and then someone transfers it to another DOS machine. In that case the mainframe would be inadvertently spreading a virus. I have heard of a program called VFIND which scans DOS or MAC files while they are on a Unix system.

As far as a DOS virus infecting a mainframe's operating system; that is nearly impossible. I don't know of any program that can run unchanged on 2 completely different operating systems. For a virus to infect a mainframe's operating system, it would first have to find out through a network connection or a direct connection to a mainframe port what operating system the mainframe was running. It would then have to recompile a copy of itself into a version that will run on the mainframe's operating system. Then it would have to transfer the new version to the mainframe. The new version will either have to be stored in memory on the mainframe and infect executable files as they are run or directly infect an executable file and infect other ones as it is run.

Anyone familiar with a particular PC to mainframe network or a mainframe operating system (VMS, UNIX, etc) could probably point out places where this virus would fail.
Also, the new version of the virus is really a totally different virus because it is operating in a different environment and made up of totally different code.

Eugene Accardo

------------------------------

Date:    Sat, 15 Oct 94 04:10:07 -0400
From:    govax@Glue.umd.edu (Charles Andrew Matchett)
Subject: Help! Anticmos B virus removal possible? (PC)

Hello good folk of netland,

I recently discovered an [anticmos B] virus on the partition table of a friend's hard disk. Several programmes available can identify this virus, but they listed no way of removing it from the drive itself and infected floppies (it seems scn-211e.zip is not capable of this).

Does anybody know of an effective way of removing this bug while minimizing damage?

help is greatly appreciated
thanks.

Andy
govax@eng.umd.edu

------------------------------

Date:    Sat, 15 Oct 94 08:48:12 -0400
From:    Larry Brown <72712.706@compuserve.com>
Subject: Netware And Viruses (PC)

I apologize if these questions are in the FAQ, but as a CompuServe user, I haven't been able to download it.

I need to know about viruses in the Netware world. What NLM's are available, and how do they compare to the anti-virus products in the DOS world, as far as percentage of viruses found and speed, known problems, etc. Are there any viruses that infect or target NLM's, VLM's, etc? Anything else you can tell me?

Thanks in advance .......

Larry Brown
72712,706@Compuserve.Com
(813) 677-5279 Voice
(813) 671-4186 Fax/Data

------------------------------

Date:    Sat, 15 Oct 94 13:17:48 -0400
From:    olpopeye@ix.netcom.com (Walter Murdock)
Subject: Re: Netcom distributing viruses

In <0002.9410121613.AA03055@bull-run.assist.mil> iandoug@cybernet.za (Ian Douglas) writes :
>Plans for nuclear bombs are also 'basically text'. Should these also be
>freely available? How about some secret Mossad files?
>

Oh, come on!! Plans for atomic bombs have been freely available in dozens of physics texts and underground literature for more than a quarter-century!
Wake up and smell the flowers! (Of course, getting the _materials_ to build one have proven (thankfully!) difficult. Even C-4 is hard to get - that is, the real stuff, not some home-made brew. But the plans to nukes? No huhu. And as far as "secret" Mossad files - Well, the release of the Stasi's files accomplished only good, 'far as I can see.

I think there are few on this forum who would disagree with the idea that the intentional or negligent release of computer viruses with the _specific intent_ to cause harm or inconvenience to someone else is a crime worthy of various cruel and unusual punishments (I favor impalement, or at least flaying..). But these far-flung analogies contribute little to solving the problem: How to catch the perpetrators, and how to ensure swift and effective punishment in liberal do-gooder courtrooms by idiot legal beagles (SOBs, in other words) who can't understand how so-called white-collar crime can cost the public as much as - if not more than - bank robberies. But that's another soapbox.

Regards,
Walt

Walter E. Murdock          olpopeye@ix.netcom.com   olpopeye@svpal.org
U.S. Navy ''Mustang''      Korea '53, Lebanon '58
Retired & Proud Of It.     Dominican Republic '65   Vietnam '65-'68

------------------------------

Date:    Sat, 15 Oct 94 14:26:32 -0400
From:    wile_e@mindlink.bc.ca (Russell Owsianski)
Subject: Removing boot sector virus from B: (CANSU/V-sign) (PC)

Hi all,

recently, I found a boot sector virus on a 3.5" floppy. Scan211e calls it CANSU, fp214 calls it V-sign. Neither scan211e /clean nor clean117 can remove it. :( I never executed anything from that disk, and the scanners say that the hard drive is still clean.

First question: What can I use to get rid of the virus on the floppy (hopefully without losing the data on the floppy)?

Second question: What would it take to activate this virus, or cause it to infect the hard drive? Getting a 'dir' of the floppy? Copying files?

Thanks very much for any help.
------------------------------

End of VIRUS-L Digest [Volume 7 Issue 87]
*****************************************
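
The rename pattern reported in the "Filename problem caused by a virus?" post above (third character's ASCII value reduced by 64, that is, bit 0x40 cleared) can be checked against a known-good listing. This is an added example, not part of the digest; the function names and the two sample listings are constructed for illustration.

```python
"""Added example: characterise filename changes against a known-good listing."""
from collections import Counter


def single_bit_diff(expected, observed):
    """Return (index, mask) when two names differ in exactly one character
    and that character differs in exactly one bit; otherwise None."""
    if len(expected) != len(observed):
        return None
    diffs = [(i, ord(a) ^ ord(b))
             for i, (a, b) in enumerate(zip(expected, observed)) if a != b]
    if len(diffs) != 1:
        return None
    index, xor = diffs[0]
    if xor & (xor - 1):          # more than one bit set in the XOR
        return None
    return index, xor


def find_bit_flips(expected_names, observed_names):
    """Pair each unexpected name on disk with any missing known-good name
    that it differs from by a single bit."""
    missing = sorted(set(expected_names) - set(observed_names))
    unexpected = sorted(set(observed_names) - set(expected_names))
    findings = []
    for bad in unexpected:
        for good in missing:
            hit = single_bit_diff(good, bad)
            if hit is None:
                continue
            index, mask = hit
            direction = "cleared" if ord(good[index]) & mask else "set"
            findings.append({"expected": good, "observed": bad,
                             "index": index, "mask": mask,
                             "direction": direction})
    return findings


def summarise(findings):
    """Count findings per (character index, bit mask, direction)."""
    return Counter((f["index"], f["mask"], f["direction"]) for f in findings)


# Constructed sample data (not from the post): a listing taken from a backup
# and the listing as it appears on the server now.
KNOWN_GOOD = ["AUTOEXEC.BAT", "ACAD", "DRAWINGS", "REPORT94.DOC",
              "123DATA.DBF", "CONFIG.SYS"]
ON_DISK = ["AU\x14OEXEC.BAT",   # 'T' (0x54) -> 0x14
           "AC\x01D",           # 'A' (0x41) -> 0x01
           "DR\x01WINGS",       # 'A' (0x41) -> 0x01
           "REPORT94.DOC",      # untouched
           "123DATA.DBF",       # third char '3' (0x33) already has bit 0x40 clear
           "CONFIG.SYS",        # untouched
           "NEWFILE.TXT"]       # a genuinely new file, matches nothing

if __name__ == "__main__":
    results = find_bit_flips(KNOWN_GOOD, ON_DISK)
    for f in results:
        print("%r -> %r: index %d, bit 0x%02X %s" % (
            f["expected"], f["observed"], f["index"], f["mask"],
            f["direction"]))
    for (index, mask, direction), n in summarise(results).items():
        print("%d name(s): character %d, bit 0x%02X %s"
              % (n, index + 1, mask, direction))
```

The script only characterises the change (which character, which bit, which direction); it does not decide what caused it.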