VIRUS-L Digest Tuesday, 6 Dec 1994 Volume 7 : Issue 97

Today's Topics:

CVIA -- does it still exist and how can I reach it?
Virus info list??
Comments about MD5
Research assistance request
SCO UNIX virus (UNIX)
Re: Mainframe Viruses? (IBM VM/CMS/etc)
Exebug apparently surviving boot (PC)
Can a master boot record be repaired? (PC)
Can a virus spread like this? (PC)
Virus infection - new virus? (PC)
Re: PC drops out of Windows. Virus? (PC)
Re: HELP! Stoned or Monkey? (PC)
Happy birthday PC virus. Please help! (PC)
Re: ZIFF Verlag (PC)
McAfee fails ! (PC)
Re: Removing boot sector virus from B: (CANSU/V-sign) (PC)
TBAV 6.26 and virus "Ilja" (possible false alarm) (PC)
Re: NAV 3.0 updates ? (PC)
Update strings ? (PC)
NCSA _does_ have Viking virus info (re earlier post) (PC)
re: Surviving cold boot? (PC)
Re: INFO WANTED: Junkie.Boot virus... (PC)
RE: Differences between McAfee Products? (PC)
Re: Anti CMOS virus - help! (PC)
Re: Boot sector virus won't die (PC)
Doom1.6bt and viruses? (PC)
Help, how to remove One_Half virus from MBS of hard disk? (PC)
Re: DOOM II (PC)
RE:FLU-SHOT (PC)
solomons causes GPF's & slows program loads (PC)
Lenart Virus (PC)
Most frequent viruses? (PC)
Re: Virus named Jack Ripper (PC)
Disabling TSRs (PC)
Re: Disabling TSRs (PC)
Re: Rebuilding Partition Table? (PC)
Re: VLamiX.1? (PC)
Re: joke named Perv -Virus?? (PC)
Problems with NYB GENB virus (PC)
GenB SOLVED! (PC)
Re: tbav625/tbavx625 - Thunderbyte anti-virus v6.25 (Complete/Optimized) (PC)
Re: Virus identification? (PC)
avp21b-b.zip - Antiviral Toolkit Pro (AVP) 2.1beta rev.B (PC)
ansichk9.zip - ANSI bomb and bad batch file detector (PC)
F-PROT 2.15 is out (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 18 Nov 94 02:48:42 -0500
From: julian@panix.com (Julian Dibbell)
Subject: CVIA -- does it still exist and how can I reach it?

I need some data on the antivirus industry for an article I'm writing for _Wired_. Does anybody know if the Computer Virus Industry Association is still in existence? And if so, could someone tell me how to get in touch with them? Or where they are located?

Alternatively, if anyone has authoritative figures for the current size of the antivirus industry (in $$$ sales), that might save me the phone call.

--
*********************************************************************
Julian Dibbell julian@panix.com
*********************************************************************

------------------------------

Date: Fri, 18 Nov 94 12:45:00 -0500
From: S1056982@cedarville.edu (Nato)
Subject: Virus info list??

Hey all. I am wondering if there are any current, or at least recent lists of viruses that are out there. I have some older copies of the fprot listings, and possibly a couple of older lists, but I am looking for a newer, updated list for me to reference when I have need.

Thanks!

-Nato!

***************************************************************************
Even if you are on the right track, | I am SHADOWSTAR!!
*BaShBrOtHeR*
you will get run over if you just sit | High Lord of -*/TrIaD\*-
there. | **** PGP key available ****
-Will Rogers | =s1056982@cedarville.edu=
***************************************************************************
--STILL WORKING ON A REAL SIG-FILE--

------------------------------

Date: Sat, 19 Nov 94 08:04:12 -0500
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Comments about MD5

Hello all:

Recently some people have commented about my posts of MD5 Hash values for Share Ware A-V programs.

One minor comment. I have never posted MD5 Hash values for any version of InVircible (Zvi Netiv's program). The reason is because I have not been able to log onto a support BBS for InVircible yet.

There are several people commenting that I should not be distributing this data unless I am listed as an agent of the A-V software.

I do not wish to be an agent for any A-V developer because other reports would be in question "What's his angle? Are these values legitimate or not?"

Here are a few points in favor of my CHK-SAFE reports.

1. I PGP clearsign all CHK-SAFE reports with my key. Several people in the A-V community have signed my key to act as an introducer, and verify the key belongs to the real Bill Lambdin. These signatures can not be forged.

2. All A-V software I post MD5 Hash values for is obtained via secure channels. Meaning the archives are uploaded to the Metaverse BBS by the author or agent for the A-V software, or I download the archives from support BBSs.

3. MD5 is a cryptographically strong 128 bit one way Hash developed by RSA Data Security, Inc. Users may use CHK-SAFE or any MD5 compatible program they wish to verify authenticity.

4. Some have suggested that I generate one Hash for the archive. This would be less than useless because many BBS SysOps add files, comments, change the level of compression, change archivers, or change the order of the files in an archive. All will modify the Hash value.
This is why I generate Hash values for the uncompressed files.

5. I generate Hash values for all files in the archive. This will allow the users to spot files that have been added to the archive, and prevent the users from running a trojan or a virus added by a Hacker.

6. I post these Hash Values into 15+ virus conferences so the users can check integrity of A-V software on local BBSs. Not everyone can afford to call support BBSs to obtain A-V software.

Stepping down from soapbox now.

Bill

For PGP key. Send E-Mail to bill.lambdin@pcohio.com
---
* CMPQwk 1.4 #1255 * JERUSALEM (Skism-1) Fridays (after the 15th)
---------------------------------------------------------------
PC-Ohio PCBoard                       PO Box 21411
The Best BBS in America               South Euclid OH 44121
DATA: 216-381-3320     pcohio.com     FAX: 216-291-2685
---------------------------------------------------------------

------------------------------

Date: Sun, 20 Nov 94 23:56:36 +0000
From: cs942128@ariel.cs.yorku.ca (JENNELYN J FAJARDO)
Subject: Research assistance request

Hi everybody! I'm doing a research about computer viruses... How serious is it and what damages can result from it?

Thanks!

------------------------------

Date: Fri, 18 Nov 94 02:45:09 -0500
From: Mohammed Ali
Subject: SCO UNIX virus (UNIX)

Greetings

Can anybody out there give me any information about a SCO UNIX virus called V Magic and how dangerous is it to SCO UNIX systems. I would be very grateful for the information.

best regards
Mohammed

--
PEM Programmentwicklungsgesellschaft |------------|---------------------|
fuer Microcomputer mbH               | Stuttgart  | ali@pem.com         |
Mohammed Ali                         |            |PHONE: +49-711-713045|
Vaihinger Str.49                     | Germany    |FAX : +49-711-713047 |
70567 Stuttgart, Germany             |------------|---------------------|

------------------------------

Date: Sat, 19 Nov 94 09:46:23 -0500
From: gjw@tdc.dircon.co.uk (gjw)
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)

MVillegas writes:
> Has anyone heard of an IBM mainframe virus?
> Do or have they existed?

To expand on the above question, how common and dangerous are viruses for platforms other than PCs? Just about every virus discussed in this group seems to be PC (or more specifically DOS) based. I know there are some Mac viruses but the common tools such as GateKeeper seem to be effective in preventing them spreading. Is this because DOS has an inherent weakness or just that there are more DOS systems to infect?

Garry

------------------------------

Date: Thu, 17 Nov 94 17:32:06 -0500
From: Iolo Davidson
Subject: Exebug apparently surviving boot (PC)

a_rubin@dsg4.dse.beckman.com "Arthur Rubin" writes:

> How can Exebug spoof a cold boot? (I am not asking this to try
> determine how to write such a virus, it's just that I don't
> understand how it is possible.)

Without going into too much detail (and I will therefore thank those who think I have left something out NOT to post a correction, since I have done so deliberately) Exebug tells the CMOS that there is no floppy drive in between disk accesses. Therefore whenever the computer starts up, it believes it has no floppy installed, so boots from the hard drive. At this point, Exebug is loaded and takes control. It then continues the boot from the floppy so you don't notice what has happened. This doesn't work on every computer, but when it works it is very effective.

For more information: Virus News International printed my article on Exebug in the April 1993 edition. In the July 1993 edition, there was a case study by Peter Morley in which he removed Exebug from a PS/2 model 55SX. In this computer, Exebug's CMOS "spoofing" is effective, and the computer's own design makes it very difficult to remove, for two reasons: the CMOS setup routine has to be loaded from disk, and the CMOS battery is built into the chip. Virus Bulletin also published an article, but I don't have the issue.
I understand that there is a new virus called Orsam which performs a similar sort of trick, but uses a different method. I haven't studied this one, and don't know how it works.

--
HENRY THE EIGHTH      BUT KEPT
PRINCE OF FRISKERS    HIS WHISKERS
LOST FIVE WIVES       Burma Shave

------------------------------

Date: Thu, 17 Nov 94 17:32:03 -0500
From: Iolo Davidson
Subject: Can a master boot record be repaired? (PC)

jmccarty@spd.dsccc.com "Mike McCarty" writes:

> I know that ANSI bombs exist, and have also heard of (but not
> experienced) them being put in the PKZIP banner. But I have never
> heard of an ANSI bomb which caused a virus to be created.

I have heard of an ANSI bomb which launched a virus, ie. loaded it into memory and executed it. The body of the virus was in the file containing the ANSI bomb, and the whole thing happened when you typed the file. The virus then infected files as an ordinary memory resident file virus.

I haven't had this thing in my own hands, but the person who told me about it is extremely reliable.

--
HENRY THE EIGHTH      BUT KEPT
PRINCE OF FRISKERS    HIS WHISKERS
LOST FIVE WIVES       Burma Shave

------------------------------

Date: Thu, 17 Nov 94 17:32:10 -0500
From: Iolo Davidson
Subject: Can a virus spread like this? (PC)

bartlett@io.org "Brendan Bartlett" writes:

> - Anyway, simply putting your floppy disk in a known infected
> machine (let's say with the Boot 437 virus) typing DIR (ok,
> now the disk can be infected by a memory resident virus) and then
> going over to a clean machine and typing DIR on that machine doesn't
> infect that machine, right?

The hard disk of the clean machine will not be infected just by DIRing an infected floppy. However, some anti-virus software will claim to find the virus in memory, because the boot sector will have been read into a DOS buffer. No, it isn't active, hasn't been executed, and there is no mechanism to execute it or give it control, but it is in memory, technically.
Most anti-virus software does not report viruses as "in memory" if they are in a DOS buffer, but those that do can be a source of confusion as to whether a DIR can get you infected.

--
HENRY THE EIGHTH      BUT KEPT
PRINCE OF FRISKERS    HIS WHISKERS
LOST FIVE WIVES       Burma Shave

------------------------------

Date: Thu, 17 Nov 94 17:32:14 -0500
From: Iolo Davidson
Subject: Virus infection - new virus? (PC)

aeaim-xa02@heidelberg-emh2.army.mil "Robert L. Lee" writes:

> We have been infected today by a virus called the NEW VIRUS.

Please consult the FAQ to find out how to make a report that conveys enough information for people to make helpful replies. A virus name is hardly ever useful unless you say which anti-virus software gave you the name, because most products use different naming schemes.

What you report sounds to me like what an anti-virus would say when it suspects the presence of an unknown (to it at least) virus, rather than the name of a known virus.

--
HENRY THE EIGHTH      BUT KEPT
PRINCE OF FRISKERS    HIS WHISKERS
LOST FIVE WIVES       Burma Shave

------------------------------

Date: Thu, 17 Nov 94 22:35:34 -0500
From: BROWE@PANIX.COM
Subject: Re: PC drops out of Windows. Virus? (PC)

> I've been having trouble with the PC's (80+) at my company. Users have
> been complaining that they'll be in Windows, and while idle, it will drop
> out to the DOS prompt. They have not noticed any lost or corrupted files.
> I occasionally bring files home, and now I seem to have the same problem
> on my PC at home.
> MS Anti-virus doesn't find anything. Is this a new virus? If so, how can
> I get rid of it? I'd appreciate any response!
>

I haven't had this problem myself, but I suggest using an up-to-date virus scanner - even if you're using the MS-DOS 6.22 anti-virus program, it's AT LEAST 6 months out-of-date (probably more, if Microsoft didn't update their virus list). You should try NAV 3.0 with an updated virus list (off FTP.SYMANTEC.COM) or a shareware product like F-PROT or SCAN.
If it's a new virus strain, you'll need as new a virus scanner as you can get.

Brian

------------------------------

Date: Fri, 18 Nov 94 03:37:26 -0500
From: Zvi Netiv
Subject: Re: HELP! Stoned or Monkey? (PC)

-=> Quoting Steve Leung to All, on Fidonet <=-

SL> Ok, I've got a problem. Here are the highlights...
SL> - F-prot reports Stoned virus
SL> - McAfee reports Monkey
SL> - neither can detect it on the hard disk
SL> - when rebooting clean (from floppy), cannot find hard disk (ie.
SL> partition table gone) even with DOS 6.0
SL> - 2KB less of conventional (637)
SL> - QEMM reports 4K less in mem check
SL> - does not say "Your computer is now stoned."
SL> So, do I actually have a virus, or is it just teasing me?

Hello Steve,

No doubt, your computer is infected with Stoned.Empire.Monkey, the full CARO name of the virus. That would explain the confusion in names; they are all right (F-Prot should indicate "a variant of Stoned").

It's quite easy to remove Monkey (the more common name), if you understand how this virus works. You can do it blind-folded, with any program that backs-up track 0, or actually see what you are doing, step by step, with ResQdisk, from InVircible.

Monkey overwrites the original partition sector, and this is why you can't access the hard disk when booting from a floppy, and relocates the original one to sector 3, after encrypting. Monkey also uses stealth, to hide the swapping of the two sectors.

Please be careful NOT TO ATTEMPT FDISK/MBR, with Monkey, you will totally lose access to the hard disk!

It's worth having a look on Monkey with the Anti Virus Practice Lab. It will also remove it, as a complimentary service. AVPL 1.01 is available from netcom or my ftp. Go to ftp.netcom.com/pub/antivir/invircible or to ftp.datasrv.co.il/user/netz. In both you'll find AVPL as well as the latest freeware version of InVircible.
Regards,
Zvi Netiv, InVircible

------------------------------

Date: Fri, 18 Nov 94 03:40:05 -0500
From: jvizcain@colibri.tid.es (Javier Vizcaino)
Subject: Happy birthday PC virus. Please help! (PC)

I have been asked about a PC virus playing "Happy birthday" from time to time, which resists detection (several antivirus dated more or less mid 94).

Does anyone know?

Javier Vizcaino. jvizcain@colibri.tid.es
Madrid, Spain. Fax: +34-1-759 53 85

------------------------------

Date: Fri, 18 Nov 94 07:17:23 -0500
From: pein@informatik.tu-muenchen.de (Ruediger Pein)
Subject: Re: ZIFF Verlag (PC)

claude@bauv111.bauv.unibw-muenchen.de (Claude Frantz) writes:
|> I got an information saying that the German ZIFF Verlag has distributed
|> a diskette or CD-ROM including a virus in the boot sector.
|>
|> Is this information true ? Please give me more information on
|> this subject.
|>

In issue 10/94 the floppy distributed with the magazine contained a virus (don't know which one at the moment). In the next issue they wrote an excuse to the readers... Didn't get it, so I can't say any more about that.

--
Ruediger Pein (pein@informatik.tu-muenchen.de)
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!

------------------------------

Date: Fri, 18 Nov 94 07:51:40 -0500
From: zimmerms@informatik.tu-muenchen.de (Stephan Zimmermann)
Subject: McAfee fails ! (PC)

Damned program ! Version V200 worked really well, but any later version reports

Found traces of "" in memory.

Always while scanning memory at 800K. This appears only if DOS 6.2 is in UMB and EMM386 is loaded (but this what I want to). Also a new bootable floppy doesn't remove this error. Same situation on other 2 PCs, program working correct on 10 PCs ...

What can I do, OR is there a bugfree McAfee version other than 1.17 and 2.00 ?

Tschuess
Stephan.
--------------------------------------------
So the only thing left for me to do is
danga-ding-dang my danga-long-ling-long
--------------------------------------------

------------------------------

Date: Fri, 18 Nov 94 08:00:25 -0500
From: "Geordie (MartyChops)"
Subject: Re: Removing boot sector virus from B: (CANSU/V-sign) (PC)

On 15 Nov 1994, Charles Owen wrote:

> Russell Owsianski wrote:
> )Hi all, recently, I found a boot sector virus on a 3.5" floppy. Scan211e
> )calls it CANSU, fp214 calls it V-sign. Neither scan211e /clean nor
> )clean117 can remove it. :(
> )
>
> I was also recently infected with CANSU which is what Norton AV
> called it. I cleaned it just fine, but am wondering what CANSU
> does? Could it have caused problems in the system?
>
> We got it because my wife formatted a disk at a school where she
> teaches a class on a machine found to be infected. When she booted
> with the floppy in by accident it infected the machine. Ctrl-Alt-DEL
> will infect any floppy in the drive, BTW.

I also have had the CANSU virus on my machine, and I used McAfee anti-virus clean115 to remove it, it had no problems removing either from the boot sector of my hard disk or from the floppy that originally infected the machine.

The only effect of CANSU (Alias V-Sign) is that it corrupted my file allocation table and directory structure. This was seen by the fact that my DOS undelete sentry directory became unhidden and when I changed to that dir, it showed me the contents of the root directory. I also believe it caused a few lost clusters. It is memory resident and if ignored can have a serious effect on the HD of the machine. Its code is quite simple as I cracked the code using a boot sector editor.

I would be interested in anyone else who has had this virus and how they dealt with it.
Please mail me:

Martin Rowan, 1st year Computer Hardware Software Engineering
at: Coventry University England
mrowan@coventry.ac.uk

------------------------------

Date: Fri, 18 Nov 94 00:04:09 +0300
From: Kazatski Oleg Nikolaevitch
Subject: TBAV 6.26 and virus "Ilja" (possible false alarm) (PC)

Hi !

TBAV 6.26 found the virus Ilja:

D:\TEST\CRYPTODR.COM infected by Ilja virus
Heuristic flags: c c
No checksum / recovery information (Anti-Vir.Dat) available.

The file CRYPTODR.COM is "PRO_Crypto-driver (C) Copyright 1993, Moscow" program. I can not find any viruses in this file. Possibly this is a false positive.

P.S. This file contains the string "CRYPTO-Driver v1.04" at the beginning. (offset +3, after JMP address).

---
OK

------------------------------

Date: Fri, 18 Nov 94 08:53:31 -0500
From: sromeo@viagene.com (Steve Romeo)
Subject: Re: NAV 3.0 updates ? (PC)

dolson@shore.net(Don Olson) wrote:

> Is there a site that carries them thar updates??
>
--

Try Compuserve....it's there, I just picked it up...

--
Steve Romeo
Information Systems Administrator
Viagene, Inc.

------------------------------

Date: Fri, 18 Nov 94 11:01:33 -0500
From: dominik@amiserv.xnet.com (William Callahan)
Subject: Update strings ? (PC)

for several AV packages on both the PC and Mac platforms. If anyone could tell me of sites where they could be found please send me E-mail.

Thanks.
Bill Callahan

--
,,.....,......,.Dominik
Fate Protects Fools, Children, And Ships Named ENTERPRISE
- Cmdr. William T. Riker
Subspace comsat 36521...,.,,,.......,,,,,...,....,,.,.,.....,,,.

------------------------------

Date: Fri, 18 Nov 94 11:54:45 -0500
From: Richard Bondi
Subject: NCSA _does_ have Viking virus info (re earlier post) (PC)

Dear Net,

In an earlier posting I reported that the National Computer Security Association were not able to provide me with any information on the Viking virus. They have since done so in extensive detail, and I recommend their resources to the net.
Yours,
Richard Bondi

------------------------------

Date: Fri, 18 Nov 94 14:01:00 -0400
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: re: Surviving cold boot? (PC)

>Are you claiming that if I put a clean bootable floppy in the A drive
>and power down the computer and then power it up that EXEBUG can
>survive that?

Not *actually* -- but the overall effect is exactly that.

EXE_bug manipulates the CMOS setup so that drive A: is marked as "not installed". Some BIOSes (especially one of the most popular ones round here...), during bootup, take this situation seriously. "Why even try to boot from a drive which doesn't exist", they say, and boot from the hard drive instead.

You can check your BIOS to see if it would be fooled by EXE_bug. Just mark A: uninstalled, put in a clean boot disc and hit the button. Chances are that your PC will simply boot from the hard disc, ignoring the floppy just as though you'd set the boot sequence to "C: A:".

With EXE_bug on the hard drive, things are different. The virus itself pinches 1KB at the top of DOS memory, and makes itself comfortable there. Then it sees if there *is* a floppy in A:, and boots from it if there is. The effect is as though the bootable partition is on floppy, not on the hard drive.

So you've booted from the hard disc, although it looks as though you booted off floppy. Actually, of course, you booted off both, but people tend to assume that any bootup involving floppy access is "clean by definition", which it obviously needn't be.

EXE_bug does not survive a cold boot. But it successfully reloads itself into memory, even when you think you've done a clean cold boot.

[Note: to boot clean with EXE_bug, rectify the CMOS drive setup first. But be sure the boot sequence is set to "A: C", too. Normally, if you have the boot sequence wrong, you'll simply fail to boot from floppy.
With EXE_bug, the trick of "bootable partition on floppy" means that you may seem to boot clean even though the boot sequence is not set that way. Naturally, in such circumstances, you don't actually boot clean at all.

Now you know why I believe that the BIOS manufacturers should remind you how the boot sequence is set every time you boot up...they tell you what I/O ports your printer card is using -- why not tell you how the boot sequence is set, too?]

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin duck@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: Fri, 18 Nov 94 15:15:34 -0500
From: webstes@iia.org (Scott D. Webster)
Subject: Re: INFO WANTED: Junkie.Boot virus... (PC)

The campus computer lab where I work has also experienced an invasion of the JUNKIE virus. We also had trouble getting it out of the boot record with mcafee scan. We called around and found out that Norton AV would do the job, and it worked pretty well. There were a few (very few) cases where it didn't work.

--
Scott D. Webster
Junior, Computer Science - William Paterson College
webstes@iia.org                  ??????????????????????????????????????????
scottw@deathstar.wilpaterson.edu ?? How many wigs would a whizzywig whiz ??
finger the above address for a   ?? if a whizzywig could whiz wigs?      ??
list of URL's                    ??????????????????????????????????????????

------------------------------

Date: Fri, 18 Nov 94 18:48:02 -0500
From: "Chad J. Potinsky"
Subject: RE: Differences between McAfee Products? (PC)

>> Date: Mon, 07 Nov 94 14:35:12 -0500
>> From: etate@mcl.bdm.com (C. Emory Tate)
>> Subject: Differences between McAfee products? (PC)
>>
>> Could someone please enlighten me as to the difference between
>> McAfee's VirusScan 117 products and their 2.1.0e products?

I do most of the Anti-Virus tasks on our server here at Ferris State University, and I have currently obtained the newest McAfee product, Scan 2.1.212E. We had currently been using the SCAN 117 versions of their product. When I looked into the newer version, from what I could gather is that McAfee is planning to "phase out" the SCAN 11x series of virus programs (this includes the clean 11x also). Why is this, I am not sure!

The SCAN 2.1.212x series is the latest program by McAfee that is supposed to be more effective, and faster. The feature that I personally like about it is that the SCAN and CLEAN are both included in the same program, and it also automatically cleans the virus found without entering the name of the virus (not sure that this was possible with the 11x series) which makes it much more convenient.

Thank You,

Chad J. Potinsky
Ferris State University
College of Technology
Student/Computer Systems Integrator
E-Mail Name: POTINSKY@COT01.FERRIS.EDU

Thought for the day: Concerto (n): a fight between a piano and a pianist.

------------------------------

Date: Fri, 18 Nov 94 19:13:42 -0500
From: ajmor5@giaec.cc.monash.edu.au (Andrew Morrissey)
Subject: Re: Anti CMOS virus - help! (PC)

Simon_Cheung@kcbbs.gen.nz (Simon Cheung) writes:

>Scan V.2.1.1. had found the "Anti CMOS" virus on one of my systems.
>While Scan is able to identify the problem, it couldn't remove it as
>yet. As far as I have learned from Scan, this infects the master boot
>record of the system.
>
>Does anyone know more about what harm this virus could do, and more
>importantly, how to remove it? I really want to hear from you.
>
>Any help greatly appreciated!
>
>S.C.

I had the Anti Cmos A virus on one of my floppy disks, which Mcafees Virus Shield warned me about. The only way I could get it off was to move all my files off the floppy, format the disk, and move the files back on the floppy. So if it infects the hard drive.... well...
maybe this is the only way to go, unless there are other methods?

------------------------------

Date: Fri, 18 Nov 94 19:17:15 -0500
From: ajmor5@giaec.cc.monash.edu.au (Andrew Morrissey)
Subject: Re: Boot sector virus won't die (PC)

hiwire@solomon.technet.sg (Lim Beng Cheng) writes:

>I believe your problem could be that you did not boot up from a clean
>disk. The correct procedure is to boot from a clean system disk with the
>same DOS version (write-protect your diskette). Then type

Just a quick question about booting from a clean disk, will booting up and pressing F5 on bootup (to bypass a lot of stuff) mean booting clean? My guess is that it won't because it still has to load command.com, and if it is infected, this won't help. But if the virus is in, say, emm386.exe, then this will bypass it. Am I right here?

------------------------------

Date: Fri, 18 Nov 94 22:05:25 -0500
From: dmj@panix.com ()
Subject: Doom1.6bt and viruses? (PC)

Well, the other day I started my PC and it would not boot up. So I called a tech we use and he took it to his shop and reported that the chip was blown and that the hard drive was no good.

Perhaps, there is no connection here, but were there any viruses out there linked to the Doom1.6bt version. Can a virus destroy a PC's chip? and destroy a disk beyond repair via reformatting?

BTW my PC had 486DX-33 without a fan cooling the chip (just one fan for the power supply).

-thanks for any and all input.

-- --- --- --- ---- ---- Jon Decker
---- ---- It's bending my mind. dmj@panix.com

------------------------------

Date: Sat, 19 Nov 94 00:56:28 -0500
From: clbao@unm.edu (Cailong Bao)
Subject: Help, how to remove One_Half virus from MBS of hard disk? (PC)

Hi, netter:

My computer is infected by One_Half virus. I used f-prot to scan the hard disk and can remove the files infected by this virus. But f-prot can not remove it from MBS of hard disk. Can anybody tell me how to remove it from MBS of hard disk?
Thanks in advance

Cailong

------------------------------

Date: Sat, 19 Nov 94 09:50:53 -0500
From: mcdonoup@coral.indstate.edu (Paul McDonough)
Subject: Re: DOOM II (PC)

>DOOM II is distributed in a shareware package.
>I believe there have been at least 3 separate incidents of DOOM II packages
>being infected and redistributed. I am not familiar with how DOOM II is
>packaged. I wish they would have had some built-in self-checks to prevent
>this type of attack.
>Jimmy
>Norton AntiVirus Research

Once again, it needs to be said. DoomII is not distributed in a shareware version. Viruses occur when people use "borrowed" versions of the program. For the benefit of our listening audience, Do you really think a software company would be lax in virus monitoring (let alone intentionally place on there???). Come on people, hardware problems occur. It's easy to blame it on a virus. Also, if you are going to use software from an "alternate source", be smart enough to use a scanning routine that you know works.

Enough said.

Paul

------------------------------

Date: Sat, 19 Nov 94 16:03:32 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: RE:FLU-SHOT (PC)

dsmith@cusd.eds.com (Darrin Smith) 16 Nov 1994 14:52:51 Wrote:

> A few years ago I purchased an anti-virus program known as FLU-SHOT. This
> product did not scan for viruses, but rather intercepted writes to
> executable files.

Yes, it was one of the first programs who deal against viruses.

>
> Does anyone know if the company that wrote this is still in existence?

As far as I can see the owner of the company is (was) Ross Greenberg and now he is purchasing into market a new product called Vir-x. The company has now a new name "Datawatch" and FAX number is: - 001 (919) 549 0065.
(Please some one of the crowd correct me if I'm wrong)

Kind Regards
Ruben Arias

-----------------------------------------------------------------------------
Ruben Mario Arias
|> /| | |> |\ | | |_ |
E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus
Buenos Aires, ARGENTINA.
-----------------------------------------------------------------------------

------------------------------

Date: Sat, 19 Nov 94 18:48:54 -0500
From: sshortal@iol.ie (Seamus Shortall)
Subject: solomons causes GPF's & slows program loads (PC)

I'm using Solomon's GUARD 4.2 TSR & have the following problems:

1: It causes GPF's in Netmanage's Chameleon Mail program.
2: My terminal emulator program takes 3 times longer to load.

Does anyone know if this is specific to this version & should I look for an upgrade or a different product?

Seamus Shortall, Dublin, Ireland

------------------------------

Date: Sun, 20 Nov 94 01:15:05 -0500
From: phyto@leonis.nus.sg (Dr. Thomas Osipwicz)
Subject: Lenart Virus (PC)

Some of my diskettes are infected with Lenart virus. It can be detected using CPAV (Centre Point Anti virus). After I clean them with CPAV, the diskettes cannot be read. I used DiskFix to fix the diskettes but only some of them can be saved.

Lenart virus could not be detected using McaFee scan115 ? Can somebody tell me where to download the latest version of McaFee virus scan software ?

Thank you
Thomas

------------------------------

Date: Sun, 20 Nov 94 01:36:54 -0500
From: Bank of America
Subject: Most frequent viruses? (PC)

Is there some easily available source listing the 10 (or 25 or 30) most frequently encountered viruses on (1) PC's and (2) Macs in the last few years?

Can someone supply reliable estimates of the number of PC's and the number of Macs infected with viruses in the period 1990-94?

Thanks,
Larry R.
White
Bank of America
techlib@class.org

------------------------------

Date: Sun, 20 Nov 94 11:23:15 -0500
From: sshortal@iol.ie (Seamus Shortall)
Subject: Re: Virus named Jack Ripper (PC)

dtheo1@umbc.edu (theo dino) wrote:

>I just had to deal with Ripper here at work. It is a
>master boot record infector and it can be destroyed by

I found the same virus on a visiting consultant's portable. McAfee identified it by name and classified it as [genp]. Clean /[genp] got rid of it.

Have you any idea about its transmission method (seems to be via boot-sector) and activation symptoms? The source was identified as being a floppy that was being used to exchange data files between two machines, the disc had no executables on it.

Seamus Shortall, Dublin, Ireland

------------------------------

Date: Sun, 20 Nov 94 16:17:48 -0500
From: Jeffrey Rice
Subject: Disabling TSRs (PC)

I posted this to alt.comp.virus, but since there are several people here who I don't think watch that group, I thought I'd cross-post it.

In the latest F-Prot Bulletin, there is a section on retroviruses. The part that specifically caught my eye was the section on Disabling TSRs through the backdoor left for the scanner. I've noticed when I run McAfee's Scan it informs me that Vshield is being disabled during the scan. I assume this is true for F-Prot as well. (One product I've used that I don't think it is true for is NAV. I don't use it as much as I used to, but I seem to remember getting intercept warnings during scanning.) And I know that CPAV/MSAV is said to be very easy to unload.

According to the article, a retrovirus could use this to disable the intercept in such a way that it was either non-functional, or simply could not detect the virus.

My question: How easy is this to do? Are TSRs like Vshield and Virstop still secure, or will major changes have to take place to prevent such an attack? What defense could a user mount to such an attack?
For example, would not allowing the TSR to be unloaded help, or would a virus go straight through that? Would running multiple TSRs help to cover individual products "backdoors?" How can a TSR itself prevent this?

Thanks,
Jeff

------------------------------

Date: Sun, 20 Nov 94 17:54:20 -0500
From: Stephen Bonds
Subject: Re: Disabling TSRs (PC)

Normally I don't crosspost articles, but since the readership for alt.comp.virus is so low, I feel it is appropriate. This was an excellent question, and it would be nice if others from comp.virus would comment as well. (This was posted Nov 20, so if you reply more than 3-4 days from then, you might wish to include the original question so we can remember what it was.)

jrice@pluto.pomona.claremont.edu (Jeffrey Rice) wrote:

> I've noticed when I run McAfee's Scan, I get a message that Vshield
> will be disabled during the scan. I know this is so that the TSR doesn't
> interfere with the scanner if infected objects are found, but isn't this a
> security hole?

It can be, it depends on how it is implemented. For example, VSAFE (yuk!) hooks an interrupt which, when called, disables the TSR. Obviously a security hole and one of the many reasons why VSAFE is a piece of junk.

I believe that VSHIELD includes something similar, but with authenticity verification added. Somehow, either by passing a code or whatever, the generic detection abilities of VSHIELD are temporarily disabled. In theory this could be forged by a virus "pretending" to be SCAN. In practice, this is difficult to do.

VIRSTOP includes no generic detection, so the behavior of F-prot will not trigger anything in VIRSTOP. All that is needed is to encrypt the search strings so that VIRSTOP doesn't find them in cleartext in memory.

> I know that "retroviruses" use techniques like this one to unload or
> disable a TSR without the user's knowledge. How hard is it to do this?
How effective these tunneling "retroviruses" are against a given TSR depends primarily on the sophistication of the scanner. The TSR scanners themselves frequently use tunneling techniques themselves to attempt to hook in to a point where it is difficult to insert any additional code. For example, by calling the DOS/BIOS routines directly with a JMP instruction rather than an INT instruction. As you can imagine, compatibility problems are common, though it is nearly impossible to insert anything before this point. The problems with compatibility are why many anti-tunneling scanners offer the option to disable the anti-tunneling routines.

The TSR is not "unloaded" or disabled, it simply gets fed incorrect information by the tunneling virus, since the virus inserts itself at the head of the interrupt chain, and can then control the data that gets fed to anything "downstream". Naturally the most common thing for the virus to do on a file open request is to feed the interrupt chain the opened file sans the viral code.

I hope this makes sense. Tunneling is very complex and it is often necessary to oversimplify in the interests of clarity.

 -- Steve Bonds

------------------------------

Date: Sun, 20 Nov 94 22:38:04 -0500
From: Michael Jackson
Subject: Re: Rebuilding Partition Table? (PC)

Lim Beng Cheng writes:

>Kevin Kenney (kenney@netcom.com) wrote:
>: Since partition-table affecting viruses are becoming more common, and since
>: anyone hit by a new one won't want to wait for scanners to be updated, I'm
>: looking on how to rebuild a partition table, hopefully without trashing
>: the disk's formatting. What tools would be needed, and do they exist,
>: including in a commercial package? (What can access a C: drive the BIOS
>: can't find?) I'd be willing to write such a generic tool, if pointed
>: in the right direction.
KpK
>

Kevin,

The version 9 of Norton Utilities has an excellent procedure for working with disks that have had their boot sectors damaged by either a hardware malfunction or a software problem. I've used one of the methods to rebuild a Master Boot Program that had been altered due to the "Lock-out" virus. Give that a shot.

To prevent another attack, there is an anti-virus program on most of the local BBS's called ThunderByte Anti-Virus that is what I call a complete system monitor. It will also "armor" the boot sector and prevent any changes unless the operator allows it.

-Mike
Mmrjackson@delphi.com

------------------------------

Date: Mon, 21 Nov 94 04:49:38 -0500
From: hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: VLamiX.1? (PC)

J McGrath (jmcgrath@upei.ca) wrote:

> I ran F-Prot 2.14c and it told me that I was COMPLETELY infected with
> the VLamiX.1 virus...
> Does anyone have any information on this virus? Is it time/date activated?

The VLamiX virus spread through BBS systems in August 1994 in an archive called A30!PWA.ZIP. The archive was supposed to contain the version 3.0 of the popular ARJ archiver. Robert Jung, the author of ARJ, confirmed that ARJ 3.0 has not been released.

VLamiX is a simple resident file virus; it infects EXE files when they are opened, and appends an encrypted copy of itself. It uses a simple encryption routine with a 16-bit decryption key which changes between infections. However, the decryption routine does not change and it makes the virus easy to spot.

The virus contains several bugs. It often manages to corrupt files irreparably instead of infecting them.

The name VLamiX is taken from a text string found underneath an encryption layer:

 smartc*.cps chklist.* -=*@DIE_LAMER@*=- CHKLIST ??? CHKLIST.CPS VLamiX-1

VLamiX attacks CPAV and MSAV by deleting their checksum files. It also activates when it sees the text -=*@DIE_LAMER@*=- on-screen. At that time, it will overwrite a floppy in the B: drive, if such exists.
- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date: Mon, 21 Nov 94 08:13:33 -0500
From: Otto Stolz
Subject: Re: joke named Perv -Virus?? (PC)

On Fri, 04 Nov 94 21:12:30 -0500 Scott said:

> I [...] found some sort of virus called "joke named Perv". Does anyone
> have any clue as to what this is?

Scott,

as your scanner told you: you have found a joke named Perv. Has this answered your question? :-)

In plain English: this is not a virus, i.e. it does not replicate. Rather, it is a joke program that somebody has deliberately copied to your network. If you have found it in a publicly accessible program area, you should definitely revise your security policies, in particular the access rights in your file servers.

Best wishes,
Otto Stolz

>>>>> Please use only the address given above, as all Bitnet addresses
>>>>> at DKNKURZ1 will expire by end of 1994, and all Internet addresses
>>>>> at Nyx.Uni-Konstanz.de will do so some time in 1995.

------------------------------

Date: Mon, 21 Nov 94 08:32:54 -0500
From: jlizardi@osf1.gmu.edu (JOHANNA B. LIZARDI)
Subject: Problems with NYB GENB virus (PC)

Hello,

I am a student and also work at George Mason University. We have had a recent outbreak of the NYB genb virus. Our V117 version of McAfee VShield would not lock up the computers once infected with the virus. We were told that it was a new genb virus, and the software could not shield nor clean it. We have gotten the latest version of McAfee, but it has failed to clean the virus from floppies; we have been able to fix the disks by doing "sys" on them. Unfortunately we still have not been able to detect the virus on some of the machines. Has anyone had experience with this virus and have any advice?

Any Help would be appreciated,

Thanks.

J.
Lizardi

------------------------------

Date: Mon, 21 Nov 94 08:53:10 -0500
From: youngcr@gvsu.edu
Subject: GenB SOLVED! (PC)

I had a friend whose computer was infected with it and we killed it without losing any data at all. The first thing you have to do is to pull the battery off of the mother board. Then you have to have a CLEAN startup disk to work with. Boot the computer using the disk and use FDISK /MBR.

I don't know if you have all heard of the origin of mass distribution of this lovely virus, but you can thank a company named Bikealog. Don't get me wrong, they are still a good company, they just need to check for viruses before sending out their disks.

------------------------------

Date: Mon, 21 Nov 94 09:21:13 -0500
From: weissel@sun.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: tbav625/tbavx625 - Thunderbyte anti-virus v6.25 (Complete/Optimized) (PC)

Edmund Lai (c9419008@alinga.newcastle.edu.au) wrote:

: : SimTel/msdos/virus/
: : tbav625.zip Thunderbyte anti-virus pgm (complete) v6.25
: : tbavx625.zip TBAV anti-virus - processor optimized versions
:
: I saw version 6.26 instead of 6.25. What happened to 6.25?

6.25 got upgraded (some smaller bug-fixes and some new virus...). Now who would like an OLD anti-virus tool?? :)

- - Wolfgang

------------------------------

Date: Mon, 21 Nov 94 10:07:53 -0500
From: Otto Stolz
Subject: Re: Virus identification? (PC)

On Mon, 07 Nov 94 03:43:55 -0500 Eric Horlait said:

> I got a virus on my PC that affects the boot process.

Why do you think you have a virus, at all?

> It is now
> impossible to boot either from a HD or a FD, whatever system I use.

I guess that the BIOS setup (in the CMOS of your computer) is corrupted. This may be due to a hardware problem (such as an exhausted CMOS battery) or due to program, or user, action (the HDzap trojan, and the AntiCMOS, Exebug, Goldbug, and AntiCAD, viruses indeed corrupt the CMOS).
Try to enter the BIOS setup after initial power-on (your user's manual is supposed to tell you how to accomplish this), then re-enter the correct hardware configuration. Then you should be able to boot from a clean, write-protected DOS floppy, and use your favourite virus scanner (also from a clean, write-protected floppy) against your HD.

When the BIOS setup is again lost, while the computer is powered-down, you should check, and possibly replace, its CMOS battery.

Good luck,
Otto Stolz

>>>>> Please use only the address given above, as all Bitnet addresses
>>>>> at DKNKURZ1 will expire by end of 1994, and all Internet addresses
>>>>> at Nyx.Uni-Konstanz.de will do so some time in 1995.

------------------------------

Date: Thu, 17 Nov 94 20:07:28 -0500
From: gerard.vuille@metro-net.ch (Gerard Vuille)
Subject: avp21b-b.zip - Antiviral Toolkit Pro (AVP) 2.1beta rev.B (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
avp21b-b.zip Antiviral Toolkit Pro (AVP) 2.1beta rev.B

Antiviral Toolkit Pro is a powerful integrated antiviral package.

Main Features:
- Detection/disinfection of a great number of viruses (more than 4300),
- Code Analyzer (Heuristic Scanner)
- Unpacking Engine which allows virus scanning of packed files
- Extracting Engine which allows scanning of archive files
- Database Editor for adding detection & disinfection information of new viruses (Registered version only)
- Professional Utilities and antivirus monitor (Registered version only)
- Detailed on-line help with virus effects demonstration (Reg.ver. only)

Version information:
AVP.EXE 2.1beta (08/26/94)
Virus Base rev.B - November Edition (11/04/94)

Antiviral Toolkit Pro, by Eugene V.Kaspersky
(c) 1992-1994 KAMI Corp, Russia

ShareWare. Uploaded by the Swiss distributor.
Gerard Vuille
gerard.vuille@metro-net.ch

------------------------------

Date: Thu, 17 Nov 94 20:21:41 -0500
From: mrgalaxy@ix.netcom.com (Patrick Harvey)
Subject: ansichk9.zip - ANSI bomb and bad batch file detector (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
ansichk9.zip ANSI bomb and bad batch file detector

ANSICHEK Version 9 detects ANSI BOMBS that could redefine YOUR keyboard to do terrible things. ANSI bombs are embedded codes usually found in a text file that when activated redefine the keys of your keyboard to do various things. Imagine hitting the key and suddenly finding your hard drive reformatting itself! ANSI BOMBS are usually activated when someone does a "TYPE filename" of a file with embedded ansi codes. These codes can redefine 1 or MORE of your keys to do various things. This program also allows a user to safely view and translate ANSI bombs found in text files.

Although this program was written with the BBS sysop in mind, many will find it to be useful. If you handle suspect text files, this program is for you. As an added bonus, this program also points out possibly dangerous batch files and even lets you know when profanity is detected! Some hackers have even knocked out some BBS's with ANSI bombs.

FreeWare. Uploaded by the author.

Patrick Harvey
mrgalaxy@ix.netcom.com
mrgalaxy@aol.com

------------------------------

Date: Fri, 18 Nov 94 02:27:40 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.15 is out (PC)

2.15 is now available from oak.oakland.edu and other SimTel mirrors.

- -frisk

- ------------------------------------------------------------------------------

Version 2.15 - major changes:

There are no major changes in this version.
Version 2.15 - the following problem was found and corrected:

VIRSTOP used to conflict with a program called HARDLOCK, and would halt the machine, claiming it to be infected with a boot sector virus, if that product was installed. This could be bypassed by running VIRSTOP with the /NOMEM switch, but VIRSTOP is now able to recognize this situation.

Version 2.15 - minor improvements and changes:

The program will now refuse to operate if it is more than 12 months old. It can be used in an emergency, by changing the system date, but we *strongly* recommend that the user obtains an updated version instead.

Version 2.15 - new viruses:

The following 41 viruses are now identified, but can not be removed as they overwrite or corrupt infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..."

Burger.560.AU Copyprot Crazy_Lord ExeError HLLO (4505.B, 4742, 7392 and RUW) Human_Greed KI Ku Marked-X.355 Rythem (1818 and 47857) Trivial (22, 26.C, 29.E, 30.H, 34, 40.G, 85, 90, 97.A, 97.B, 146, Banana.B, Banana.C, Banana.D, Banana.E, Banana.F, Banana.G, Banana.H, Banana.I, Banana.J, Banana.K, Banana.L, LSD and Vsafe) VCL (663, Mindless.423.C and Viral_Messiah.703)

The following 207 new viruses can now be detected and removed. Many of these viruses were detected by earlier versions, but are now identified accurately.
_200 _361 _386 _503 _310 _351 _554 _797 _908 Abal Acid AEP Anti-Pascal_II.407 Arianna (3375 and 3426) Ash (743.B, 743.C, 743.D, 743.E, 743.F, 743.G, 743.H, 743.I, 743.J and 743.K) Atomic_comp Bootexe.207 BW.373 Cait Cascade (1704.V and 1704.X) Casino.D Cetenary Chaos.1241 Clogg Clonewar.547 Coke Dark_Apocalypse.1016 Dementia.609 Dinky.122 Dry_Dream Enculator ESP Fax_Free.1024.I Grog.566 H_Andromeda (800, 1024.B, 1024.C) HDZZ Hehehe Hello (400 and 600) Hellspawn HLLC.Tree2 Howard Hwang Hymn.Sverdlov.B Intruder.1331 Inv_Evil IVP (Becky, Darlene, Roseanne and Sonic) JD (158.B, 158.C, 158.D, 158.E, 158.F, 158.G, 158.H, 158.I, 158.J, 158.K, 158.L, 158.M, 158.N, 158.O and 158.P) Jerusalem (Anticad.4096.J and Sunday.N) Kato King (1424 and 2175) Klot Kohn_6.633 Koko Komp Leandro Lemming.2146 Lockjaw (507, 573 and 887) LordZero Mange_Tout.1091 Marzia.N Mohova Murphy (Migram.1221.B, Migram.1221.C, Migram.1221.D, Migram.1221.E, Migram.1221.F, Migram.1221.G, Migram.1221.H, Migram.1221.I, Migram.1221.J, Migram.1221.K and Migram.1221.L) Natas.4988 NeverOne November_17th.768.D Npox (963.C, 963.D, 963.E, 963.F, 963.G, 963.H, 963.I, 963.J, 963.K and 963.L) Offspring.711 One_Half (3544 and 3577) Pollution Proto-T.1052 Protovirus PS-MPC (569.D, 803, Anarchist, Guten_Tag, Joana.1075, Skeleton.601 and Toys.763) Pure (A and B) PVW Raptor.C School_Sucks Semtex (515 and 686) Shake.C Shark.1661 Shutdown (644 and 698) SIC Slam Slimline2 Small_Comp (88, 92, 100, 1001.A and 101.B) SRC SRP Sterculius (240, 266, 273 and 428) STSV (C, D, E, F and G) Sundevil.762 Suomi.B Tadinho Timid.300 Tiny_Family.137 Tony.203 Traceback.3066.B VCL (337, 389, 405, 535, 2805, Code_Zero.654, Dial.600, Dominator, Donatello.831, Earthday.799, Genocide, Kinison.809, Nomemn, Olympic.1442, Pearl_Harbour.931, Taboo and Timothy) VHX (322, 462 and 514) Vienna (Ambalama, BNB.B, BNB.C, BNB.D, BNB.E, BNB.F, BNB.G, BNB.H, BNB.I, BNB.J and Black_Ice) Voronezh (600.B and 1600.B) XPH.1032 YB.425 ZP The following 34 new viruses 
are now detected but can not yet be removed.

_1492 Am Australian_Parasite (369.B and 424) Beer.643 Boot-446 Butt Bye Cacophony (944 and 1050) Catholic Crazyboot Daddy (1093 and 1117) Dark_Avenger.1000 Democracy.3806 EndOne Froll Geldwasch Grog (1200 and 1349) Hello.402 Lisa Manic Moonlite.465 Neuroquila Newbug Oracle Raver Roma Taz.1087 Verify Vienna.Variable.906 Virogen

The following 4 viruses which were detected by earlier versions can now be removed.

_189 Honey Techo_Rat W-Boot

The following viruses have been renamed:

_638 -> Kohn_6.638
_1099 -> Mange_Tout.1099
Mayberry.* -> BW.Mayberry.*
Trickster -> Shark.1661

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 97]
*****************************************
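
The key-redefinition codes described in the ANSICHEK announcement earlier in this issue can be recognised with a short scanner. This is an added example, not part of the digest and not ANSICHEK's own code; it assumes the ANSI.SYS reassignment form ESC [ key ; string ... p, and the function names and the sample text are constructed for illustration.

```python
import re

# One ANSI.SYS parameter: a decimal code or a quoted string.
_PARAM = r'\d+|"[^"\r\n]*"|\'[^\'\r\n]*\''
# Assumed reassignment form: ESC [ param ; param ... p
_REASSIGN = re.compile(r'\x1b\[((?:%s)(?:;(?:%s))*)p' % (_PARAM, _PARAM))
_TOKEN = re.compile(_PARAM)


def _decode(tok):
    """Return the characters one parameter contributes to the new key text."""
    if tok[0] in "\"'":
        return tok[1:-1]
    n = int(tok)
    return chr(n) if n < 256 else "?"


def find_key_reassignments(text):
    """List every key redefinition in text; colour/cursor codes are ignored."""
    findings = []
    for m in _REASSIGN.finditer(text):
        toks = _TOKEN.findall(m.group(1))
        if toks[0] == "0" and len(toks) > 1 and toks[1].isdigit():
            key, rest = "0;" + toks[1], toks[2:]   # extended key (F-keys etc.)
        else:
            key, rest = toks[0], toks[1:]
        replacement = "".join(_decode(t) for t in rest)
        if not replacement:
            continue  # nothing assigned, so nothing to report
        findings.append({
            "offset": m.start(),
            "key": key,
            "replacement": replacement,
            # A carriage return means the macro presses Enter by itself.
            "auto_enter": "\r" in replacement,
        })
    return findings


def neutralize(text):
    """Make a file safe to display by showing each ESC byte as '<ESC>'."""
    return text.replace("\x1b", "<ESC>")


# Constructed sample: a colour banner plus two harmless redefinitions.
SAMPLE = (
    "Welcome to the board!\r\n"
    "\x1b[1;33mSYSOP NEWS\x1b[0m\r\n"
    '\x1b[0;68;"DIR";13p'   # F10 becomes DIR followed by Enter
    '\x1b[65;"hello"p'      # the "A" key becomes the text hello
)

if __name__ == "__main__":
    for f in find_key_reassignments(SAMPLE):
        flag = "RUNS ON KEYPRESS" if f["auto_enter"] else "types text only"
        print(f["offset"], f["key"], repr(f["replacement"]), flag)
    print(neutralize(SAMPLE))
```

Redefinitions whose replacement ends in a carriage return deserve the closest look, because the remapped key submits its command without any further keystroke from the user.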