VIRUS-L Digest   Friday, 16 Dec 1994   Volume 7 : Issue 99

Today's Topics:

Re: What's a Logic Bomb ?
Virus Signature Extractor
Virus in gifs, jpegs?
HELP-Omega (PC)
McAfee 2.11 (PC)
McAfee Products, Differences of (PC)
ux.7264 virus (PC)
virus - problem? (PC)
Info on Stealth_Boot.C (PC)
Re: Virus Signatures needed. (PC)
Re: What can a virus do ? I need HELP! Please (PC)
Norton Anti-Virus - How good? (PC)
Remove Monkey from all drives (PC)
Virus Lab (PC)
Virstop in Windows (PC)
Stoned.Empire.Monkey.B -->was Re: THANKS!! Re help with FORM (PC)
Re: Unknown Virus?? (PC)
Re: DOOM II (PC)
Re: "antiexe" virus (PC)
WIN.COM modification (PC)
Seeking info on "Filler" virus (PC)
Unknown problem (PC)
Is it a Virus? (PC)
F-Prot Professional versus F-Prot Shareware (PC)
Do I have an infection? (PC)
Various, for Virus-L digest (PC)
Form virus (PC)
Mustafa Stack - Virus ?? (PC)
FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)
HELP! My PC seems to be infected. (PC)
ANSI Bomb? (PC)
Monkey Virus ****** Possible FIX (PC)
Omicron PT (PC)
Doom II Virus (PC)
hidden file: SMARTDR.EXE, Autoexec.bat modified (PC)
Re: Mouse ports (PC)
Infection with Natas4744/4746 via free disk (PC)
How to get rid of RIPPER (PC)
Michelangelo(?) virus bypasses bios test (PC)
NATAS Alert! (PC)
pklite (PC)
Possible WP 5.1 for DOS (PC) virus?? (PC)
Re: Differences between McAfee products? (PC)
i_m231c.zip - Integrity Master 2.31c antivirus/data integrity (PC)
cm8104e.zip - ChekMate known/unknown virus detection utility (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 26 Nov 94 22:49:24 -0500
From: Michael Jackson
Subject: Re: What's a Logic Bomb ?

Billy Nadeau writes:

> I don't know everything about virus and bombs, but I know how to avoid
> ansi bombs and I use VShield against viruses.

OK on the ansi bombs, but find another virus protection program. I recommend either F-Prot or TBAV; either one is far superior to anything McAfee puts out.

> But I don't know what's a Logic Bomb. Can anybody tell me what it is
> and how it strikes ?

A rather broad question. Generically speaking, a logic bomb is a program or a subroutine within a program that activates when a certain set of conditions are met. The more common type is the accountant that causes the entire net to shut down if their employee number is deleted from the payroll records, meaning they've been fired. That sort of thing.

Talk at 'cha later <:)

-Mike
mrjackson@delphi.com

------------------------------

Date: Mon, 28 Nov 94 23:46:41 -0500
From: stevet@fujitsu.com (Steve Tamanaha)
Subject: Virus Signature Extractor

I am looking for a program to extract virus signatures from infected files.

e-mail reply preferred: jims@fsba.com

------------------------------

Date: Fri, 02 Dec 94 11:18:22 -0500
From: "Dana R. Billig"
Subject: Virus in gifs, jpegs?

Just a question. In one of the other newsgroups, someone posted a message to warn of a virus which he called the VD virus. The poster, who did it anonymously, claimed that the virus is encoded into gifs, jpegs and other graphics files.
Supposedly when the skin tone color is 30% or greater, "it goes to work on your hard drive."

[Moderator's note: Sounds like a hoax to me...]

I did not think this was possible. If anyone knows otherwise, or has heard of this virus, please post, or email me with any info. This is all the information that I have about it. Thanks in advance.

Dana R. Billig, drbill@planetx.bloomu.edu
"I shall never forget that the probability of a miracle, though infinitesimally small, is not equal to zero."

------------------------------

Date: Fri, 25 Nov 94 00:12:54 -0500
From: "Leblanc, Diane"
Subject: HELP-Omega (PC)

We've had some unfortunate luck on our Novell 3.11 LAN: it's been infected by Omega, Uruguay and another that I think is called Key-cap. Please don't ask how it happened, it's a long story! Does anyone have a fix or know where we can get fixes for these viruses? TIA.

Diane Leblanc
Canadore College
North Bay, ON Canada
leblancd@cdrive.canadorec.on.ca

------------------------------

Date: Fri, 25 Nov 94 02:30:25 -0500
From: kellogg@netcom.com (Lucas)
Subject: McAfee 2.11 (PC)

For those who've experienced some difficulties with their network flags, upgrade to 2.13, as McAfee corrected an earlier problem.

kdl

------------------------------

Date: Fri, 25 Nov 94 02:40:02 -0500
From: kellogg@netcom.com (Lucas)
Subject: McAfee Products, Differences of (PC)

The 1xx series of McAfee is part of the "Classic" product line, or products built around their first generation of detectors, removers, etc. 2.x is their new generation of software, which uses more sophisticated techniques in detection/removal, and is enhanced for size and speed.
kdl

------------------------------

Date: Fri, 25 Nov 94 04:13:19 -0500
From: Henning Lang
Subject: ux.7264 virus (PC)

On one of our student PCs McAfee's scan discovered a virus known as ux.7264, but none of our virus scanners is capable of giving any information about that virus. Is there anyone who can enlighten us with such information?

Henning Lang
Niels Brock - Business College
Copenhagen, Denmark

------------------------------

Date: Fri, 25 Nov 94 07:01:20 -0500
From: brendle@ise.ise.fhg.de (Axel Brendle)
Subject: virus - problem? (PC)

Sorry if this is a FAQ, but I'm not always reading this newsgroup. We have some problems in Windows, with the mouse starting to mark text, icons and so on. Somebody told me that there is a virus out there that has this effect. If it is one, what can I use to detect and remove it (McAfee isn't finding anything)?

Thanks for your time.

Axel Brendle

------------------------------

Date: Fri, 25 Nov 94 10:46:20 -0500
From: Janet Blackburn 5-3861
Subject: Info on Stealth_Boot.C (PC)

Greetings. I would appreciate any info on the Stealth_Boot.C virus.

Thanks,
Janet
jblackb@aeha1.apgea.army.mil

------------------------------

Date: Sat, 26 Nov 94 01:59:30 -0500
From: Michael Jackson
Subject: Re: Virus Signatures needed. (PC)

Randall Bollig writes:

>Hello all,
>
>I'm working on a system security project and need about ten virus
>signatures that scanners would use to identify a potential virus. Where
>can they be found?

Randy, I have a registered version of ThunderByte (TBAV), and can extract signatures.
Here are the 10 signatures and the names of the viruses:

VCL                 86 F6 91 91 E8 F9 01
PIXEL               50 B8 00 F0 8E
MICHELANGELO        C0 8E C0 CD 13 0E 1F B8 01 02
GREEN CATERPILLAR   06 1E 8C C0 0E 07
GOTCHA              5D 81 ED 03 01 E8 ED 02
MINI                8A 80 BD 01 88 80 C8 01 43 E2 F5
STEALTH B           A3 13 04 B1 06 D3 E0 8E C0 C7 06 4C 00 82
TEN BYTES 5         E8 5D 00 80 3E 49 03 FF 74 03 EB 6F
BLACK MONDAY        25 CD 21 A1 0A 00 BB 80 00 8E C0
RUSSIAN TINY        B8 CC 4B BF 00 01 8B 75 02 03 F7 CD 21

Hope this helps

-Mike
mrjackson@delphi.com

------------------------------

Date: Sat, 26 Nov 94 02:24:45 -0500
From: Michael Jackson
Subject: Re: What can a virus do ? I need HELP! Please (PC)

"Jim Bennett" writes:

>My question, can a virus survive a HD reformat or does that remove it from
>the system entirely?

Formatting a HD will remove any trace of a virus.

>Can a virus infect the electronics of the PC for example live within BIOS or
>some other location? The PC I am using has flash BIOS which can be written
>to. I have also considered that maybe my install disks are infected thus
>doing more harm than good but I have not checked them yet. In addition, what
>is a good anti virus program to use? Any suggestions?

Although the virus writers have been working on viruses that reside in the BIOS, they have found that they would be too system specific. Not all computers use a flash BIOS, so the virus would have to travel far and wide before it did any real infecting.

It sounds like one of your install disks is infected. This is not the first time it has happened.

My suggestions for an AV program are F-Prot (freeware for personal use) and Thunderbyte (shareware). Either of these can be found on a local BBS.

Good luck.

-Mike
mrjackson@delphi.com

------------------------------

Date: Sat, 26 Nov 94 04:58:24 -0500
From: arf11@columbia.edu (Adam Robert Fields)
Subject: Norton Anti-Virus - How good? (PC)

The subject line says it all... How does Norton stack up against the various scanners/cleaners available commercially or via ftp?
I recently had an outbreak of the Junkie Boot virus, and the new Norton defs (Nov 94) were able to detect and clean it (at least it said it did), but this attack has left me wondering. All I have to go by is the assurance of the scanner that the virus has been wiped out.

Any opinions?

- Adam

"The Buddha: The gearshift of your brain."
arf11@columbia.edu
Affiliations: The Church of the Subgenius, The Discordian Society, The Philolexian Society, Horizon's Edge Enterprises, Alpha Delta Phi
Login time: Sat Nov 26 03:15:55 EST 1994

------------------------------

Date: Sat, 26 Nov 94 13:32:24 -0500
From: Zvi Netiv
Subject: Remove Monkey from all drives (PC)

Hello,

A constant "star" on this echo is the Monkey boot-MBR virus. Monkey is more problematic than other mbi since it affects all the hard drives that are installed in the machine. Monkey can be removed by some products, but when doing so the higher drives may become inaccessible.

XMonkey is a utility I wrote to both disinfect all hard drives from Monkey and to recover access to the higher drives, in case inappropriate disinfection procedures (or means) were used. XMonkey handles automatically up to eight chained drives.

XMonkey uses InVircible's SeeThru technology and can therefore be run directly from the infected hard drive itself. It can also be used from a floppy, after booting from clean DOS. XMonkey will NOT restore access to a drive that was mis-manipulated by FDISK/MBR.

XMonkey is donated to the public domain. It is available for anonymous ftp from: ftp.netcom.com/pub/antivir/invircible/xmonkey.zip or from the author's ftp: ftp.datasrv.co.il/user/netz/xmonkey.zip. There are other titles available for ftp, in the same directories.

Zvi Netiv, InVircible
NetZ Computing Ltd.
Israel
Fax: +972 3 5325325

------------------------------

Date: Sat, 26 Nov 94 16:03:58 -0500
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Virus Lab (PC)

Zvi Netiv wrote

> AV Lab is based on real virus like scenarios, with synthesized and
> some real, but emasculated viruses. The safety of AV Lab is in the
> incapability of its works to escape in the wild. It can be played only
> on the machine that the AV Lab operates from, and its doings cannot
> propagate from one machine to another.

Zvi:

This sounds all well and good, but what is to prevent Hackers from placing Fangs in these viruses, or adding real viruses into Virus Lab, then distributing the modified archive to other BBSs?

Bill

9CCD47F3C765CA33 C77D698B260CF808 <- PGP fingerprint codes
bill.lambdin@pcohio.com

---
* CMPQwk 1.4 #1255 * Are computer viruses cybernetic organisms?

PC-Ohio PCBoard, The Best BBS in America
PO Box 21411, South Euclid OH 44121
DATA: 216-381-3320  FAX: 216-291-2685  pcohio.com

------------------------------

Date: 26 Nov 94 15:49:47 -0600
From: dargan@cobra.uni.edu
Subject: Virstop in Windows (PC)

Will Virstop.exe (F-Prot) work under Windows 3.1? If so, can it be loaded into high memory?

Michael J. Dargan
English Department, University of Northern Iowa
Baker 219  Office: 319 273 5969  Home: 319 268 0880
". . . the innumerable meaner creatures, the lizard and the frog, the insect and the worm--have tenure in the land."
N. Scott Momaday, *House Made of Dawn*, c. 1965.

------------------------------

Date: Sat, 26 Nov 94 17:15:02 -0500
From: dave@lydia.bradley.edu (David Rybolt)
Subject: Stoned.Empire.Monkey.B -->was Re: THANKS!!
Re help with FORM (PC)

|hatcher@mn.ecn.purdue.edu (Stephen D Hatcher) writes:
|Actually, I used F-Prot to remove it successfully. This AV
|recognized it as "Stoned.Empire.Monkey.B". This virus is
|running mad through the PC nets at Purdue University. The
|Administration are apparently having a hard time stopping it
|as it has been a problem for over a year-- according to my
|research.

F-prot 2.15 is also killing Stoned.Empire.Monkey.B off of plenty of computers here at Bradley University. However, after it removes the virus (from either hard or floppy disk), I do a scan on the disk again, and then it sometimes finds the Form virus. It does this on both hard drives and floppy disks. Does the Form virus hide behind the Monkey virus somewhere? Or does F-prot maybe leave some remnants of the Monkey virus behind?

Either way, be on the lookout for the Form virus whenever you find the Monkey virus. Disinfecting floppies twice with F-prot 2.15 usually eradicates the virii with no problems. And disinfecting hard drives (rebooting with a clean bootable write-protected floppy both times) twice almost always works too.

I've thought about making up some bootable floppies that automatically run killmnk3 and then f-prot to speed up the process of scanning a lab of PCs. Does anyone see any harm in this?

Thanks for any info!

Dave

------------------------------

Date: Sat, 26 Nov 94 22:24:48 -0500
From: Michael Jackson
Subject: Re: Unknown Virus?? (PC)

William Becker writes:

>My roommate and I suspect that our systems have been infected by a
>currently uncataloged virus. Neither nav 3 w/ oct defs, msav, or scan 117
>can detect anything is wrong but, here's our symptoms:

It looks like you've been hit by the "Hellraiser" virus. I ran a copy of it by NAV, Scan, Thunderbyte, and F-prot. NAV and scan never saw it, TBAV found it but couldn't identify it, but F-Prot found it and cleaned it. So it looks like F-Prot is the program of choice here.
>At warm reboot (ctrl-alt-del) the message "I'll be back!" appears.

A word of advice from a virus researcher who has "released" numerous viruses on his own computer: NEVER do a warm boot on a computer that you suspect is infected. Most of the newer viruses can survive a warm boot, and all that you've done is cause all your start-up programs to become infected. The best way is to have a write-protected floppy, turn the system off, insert the floppy, then turn the system on. You then prevent the virus from going memory resident while you check the system with a copy of your favorite AV program (off of a floppy) to locate the source of the infection.

You should be able to find a copy of F-Prot on the local BBS's. If you can't, drop me a line and I'll e-mail a copy.

-Mike
mrjackson@delphi.com

------------------------------

Date: Sun, 27 Nov 94 02:24:08 -0500
From: 943127@edna.cc.swin.edu.au (Damien James Miller)
Subject: Re: DOOM II (PC)

Jimmy Kuo (cjkuo@symantec.com) babbled thus:

: Steve Midgley writes:
: >I'm not going to say that doom ii is a 'bad' program, but it doesn't
: >INHERENTLY have any more to do with viruses than Word Perfect 6.0.
: >It's just a game.

: DOOM II is distributed in a shareware package.

DOOM II is a *commercial* game. There was a lot of noise made recently as a prerelease version started turning up on FTP sites.

: I believe there have been at least 3 separate incidents of DOOM II packages
: being infected and redistributed. I am not familiar with how DOOM II is
: packaged. I wish they would have had some built-in self-checks to prevent
: this type of attack.
Either:

a) the legal distribution is infected
b) the recipients pirated it and got what they deserved

Damien

Damien Miller aka toado@edna.cc.swin.edu.au aka Silicon Dreams
CAUTION: WEIRD LOAD

------------------------------

Date: Mon, 28 Nov 94 00:40:18 -0500
From: timpsullivan@delphi.com
Subject: Re: "antiexe" virus (PC)

writes:

>Anybody know anything about the "antiexe" virus. McAfee's v. 2.12 keeps
>finding it in memory, but not on the disk, and won't remove it. Any help
>would be appreciated.
>

I've had a recent infection of AntiEXE. It is a boot-sector virus. F-PROT was able to find and delete it without a problem. Check it out. (Make sure to boot from a "clean" diskette, otherwise the virus will load itself into memory. F-PROT can't squash it if it's sitting in memory.)

PS F-PROT v2.14 is a shareware AntiVirus program (in case you didn't know)

------------------------------

Date: Mon, 28 Nov 94 05:03:58 -0500
From: mikie@owlnet.rice.edu (Michael Howell)
Subject: WIN.COM modification (PC)

In the past two days, my win.com file has been modified from 50,904 bytes to 95,036 ... The date changes at that point, as well ... When the 95K version is executed from a DOS command line, the message "Program too big to fit in memory" appears. Sounds evil and virus-like, but I've run mwav, fprot, and tbav, and none have come up with anything. Sigh. Any comments?

- Mike

------------------------------

Date: Sun, 27 Nov 94 22:34:30 -0600
From: ACM0200@mtroyal.ab.ca
Subject: Seeking info on "Filler" virus (PC)

I am looking for any information on the "Filler" virus. It seems to be detectable when active in memory, but never on any disk. Very frustrating.

K

------------------------------

Date: Wed, 14 Sep 94 22:38:02 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Unknown problem (PC)

Hello Eric!
19 Aug 94 12:15, Eric Robichaud wrote to All:

ER> Hi there!
ER> One of my clients has two standalone IBM PCs. He often copies files from one
ER> computer to the other one. Our technician checked for viruses with F-prot
ER> and McAfee's latest virus detectors (with bootable diskettes). Guess
ER> what? He couldn't find any viruses. He also checked out the hardware and
ER> found nothing. Is it a stealth virus? Is there a new tough virus out
ER> there? Any suggestions would be appreciated.

What's wrong? I mean, what's the problem with the computer? Won't it boot correctly or something?

Greetz, Rinse

--- FMail 0.96b
* Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Tue, 22 Nov 94 10:08:01 +0200
From: Peter_Hoste@f0.n319.z9.virnet.bad.se (Peter Hoste)
Subject: Is it a Virus? (PC)

Hello everybody,

Yesterday I had a visitor with some strange computer behaviour... His hard disk was suddenly wiped clean in the middle of using a normal DOS program. The strange thing is that the hard disk label is now: HAHAHAHAHAHA2. The second strange thing is that MSDOS.SYS / IO.SYS were still on the hard disk as the only files. Also it is the second time that this happened. I was thinking of a virus, but McAfee & F-Prot could not find anything.

Anybody an idea?

Grtz. Peter.

--- FMail 0.98a
* Origin: FreeLinK.. Een nieuwe kijk op netwerken (9:319/0)

------------------------------

Date: Mon, 28 Nov 94 09:25:07 -0500
From: Julian.Ilicki@soc.uu.se (Julian Ilicki)
Subject: F-Prot Professional versus F-Prot Shareware (PC)

Does anyone know if there is any significant difference between F-Prot Professional and F-Prot Shareware regarding scanning for viruses and disinfection capabilities?

Julian

Julian Ilicki, Ph.D.  E-mail: julian.ilicki@soc.uu.se
Uppsala University, Dept.
of Sociology, Box 821, S-751 08 Uppsala, Sweden
Phone: +46 - (0) 18 187681  Fax: +46 - (0) 18 181170  Private: +46 - (0) 18 204747

------------------------------

Date: Mon, 28 Nov 94 10:33:10 -0500
From: weissborn@dallas.geoquest.slb.com (Bill Weissborn)
Subject: Do I have an infection? (PC)

I have a user who has a Compaq LTE Elite 4/50cx, running DOS 6.2 & Windows 3.1. Recently, when he tries to start Windows it complains that it cannot load the 32-bit file driver. It says that the address of the disk has changed. I ran f-prot (Sept 1994) and it says that it finds "AntiCmos.b" in the master boot sector and in memory. However, I cannot find anything in the docs about this "virus"(?). So the question I have is, "Is this a false alarm or do I really have a virus here?"

Thanks in advance.

Bill W.

------------------------------

Date: Mon, 28 Nov 94 11:13:08 -0500
From: Zvi Netiv
Subject: Various, for Virus-L digest (PC)

------------------------------------------------
Subj: Re: Killer Virus

-=> Quoting Josh West to All on Fidonet <=-

JW> I have a virus on my computer that does nothing more than find
JW> files, copy them, and give them a new, weird, name. I have run several
JW> virus detection and cleaning programs, but none are able to spot it. I
JW> manage to keep up with the viruses copying, which seems to double each
JW> time I turn my computer on, but it is really annoying to have. Any
JW> suggestions?

Hi Josh,

Insufficient information to tell you whether this is a virus or something else. Yet, from the little you wrote, it seems that you have a file and directory structure problem, not a virus. Think: for what purpose would a virus copy files and give them a weird name? A virus's purpose is to _propagate_ through replication, and the above won't help it achieve its purpose.

There are several reasons that may cause such a problem, mostly conflicts between drivers and memory resident programs.
Do this: put a "rem" in your autoexec.bat and config.sys on all drivers and TSRs, except for those that are absolutely necessary for the bare functioning of your PC. Return them one by one and watch when the problem starts again. Change the order of loading your TSRs; it sometimes helps. If the culpable driver is not really necessary, just fancy, give it up.

Hope this helps,

Zvi Netiv, InVircible
ftp.datasrv.co.il/user/netz/
ftp.netcom.com/pub/antivir/
Fax 972 35325325
=========================================================================

------------------------------------------------------
Subj: Re: Am I Stoned again?

-=> Quoting Steve Leung to All on Fidonet <=-

SL> Well, after my last bout with the virus, I reformatted my hard
SL> drives.
SL> However, I ran F-Prot and it still detected Stoned.Empire.Monkey (or
SL> something like that) in the MBR of one of my hard disks. I tried to
SL> remove it, but F-Prot says that it can't because MBR can't be found
SL> or something like that.
SL> Do I still have the virus, or is this a virus leftover?

Hi Steve,

Seems that you don't have the virus anymore, as if you had, then _both_ drives should have it. These are probably the remains of Monkey, on your second drive. Monkey becomes active only if the first drive MBR is infected.

If I recall, your first drive is an IDE and the second one is a SCSI. You probably used FDISK to create new partitions on both drives as Monkey messed them up. While doing this, FDISK wrote a fresh bootstrap loader to your first drive, but only replaced the partition data on the second one. The bootstrap program was left in place, and it happened to be the Monkey virus code.

If it's drive 2 indeed then your computer isn't infected; these are the leftovers of Monkey. If it bothers you, then here is a method to cure that little problem. Change your first IDE drive to "not installed" in the CMOS setup. Boot from a DOS 5+ floppy, having the FDISK program on it.
See if you can access the SCSI drive; it should be C: now. _ONLY_ if yes, then run FDISK/MBR, install back the IDE drive in the CMOS and reboot.

BTW, why did you have to reformat your drives? This isn't the way to handle Monkey and you could recover both drives! As it is possible that you still have an infected diskette, then get yourself a copy of XMONKEY and FIXBOOT, to prevent a reinfection from a floppy, and to remove Monkey from both drives if a reinfection occurs. I gave you the ftp address in a former post.

Good luck,

Zvi Netiv, InVircible
ftp.datasrv.co.il/user/netz/
ftp.netcom.com/pub/antivir/
Fax 972 35325325
=========================================================================

----------------------------------------------------
Subj: Re: InVircible

-=> Quoting Arjan Van Der Werf to Zvi Netiv on Fidonet <=-

AVDW> What do you know, i wrote you a message about me not being able to
AVDW> locate IV in the Netherlands and two days later it was hatched through
AVDW> one of the file areas i am connected to. :-)

Hello Arjan,

Tell me where you got IV in The Netherlands, so that I can tell others that ask me.

AVDW> But i did have some problems with it, because when i tried to run any
AVDW> of the executable files TBAV (yes, i also am a registered user of TBAV,
AVDW> and yes i know what you think of using scanners) would give me some
AVDW> warnings that the IV executable i just started did something and the
AVDW> whole system crashed. :-(

Nothing wrong about using TBAV, but if you want to use IV too then you can't use the TBfile and TBcheck TSRs. These two intercept IV's bait process as if "virus like", which of course it isn't.
AVDW> So i tried again, this time i made sure that there were no other TSR's
AVDW> in memory and it all worked fine. But i want to know why my whole system
AVDW> crashes when i try to use IV when i got the TBAV utilities loaded, and
AVDW> is there something i can do about it (other than removing the TBAV
AVDW> utilities from memory) :-)

You can use TBAV TSRs with IV, except the two I mentioned. Like in medicine, there are medications that you should not administer at the same time to the same patient. Either the one, or the other. Mind you, the "aggressive" one here is TBAV; IV doesn't care about TBAV, the latter one is rather jumpy on IV. :-)

AVDW> Because, TBAV always did a good job at protecting my system so i'm not
AVDW> going to drop that one.

Your choice! You just experienced why IV does not have TSRs. I hope Peter van Arkel reads this too, as he asked a lot of questions why I thought AV TSRs are dangerous. The example you just brought is one. :)

In certain circumstances the combination of TBAV-IV will knock out the command.com. If this occurs then boot from a floppy and copy a new command interpreter to the hard drive.

Here is another aspect for your consideration. None of the TBAV TSRs does a self-sanity check before loading, meaning that they can be infected themselves, load into memory, and neither you nor TBAV would notice. OTOH, all IV programs do self-sanity checks; they will sample any virus that attaches to them into a file, and recover themselves - even from the teeth of a stealth virus. _This_ is the process that TBfile/TBcheck is intercepting as "viral", and this is also the reason why I had to elaborate on the subject, since you asked about it.

You can test the last one with the AV Practice Lab (AVPL), both on TBAV TSRs and on IV programs. The AVPL test is harmless and totally safe - just informative.

Except the above, there is no software that I know of that IV has conflicts with.
IV isn't memory resident either, and it will not leave traces or affect your computer performance or functionality in any way, once it has completed its tests.

Best regards,

Zvi Netiv, InVircible
ftp.datasrv.co.il/user/netz/
ftp.netcom.com/pub/antivir/
Fax 972 35325325
=========================================================================

----------------------------------------------
Subj: Re: HELP! Stoned?

-=> Quoting Gilbert Schroeder to Steve Leung on Fidonet <=-

GS> In fact, this seems to be the Stoned.Monkey virus. It cannot be
GS> detected when it is active in memory because the virus uses stealth
GS> techniques. The original MBR is entirely replaced by Monkey and the
GS> original one is placed somewhere else on the hard disk, thus if you
GS> boot from a floppy you couldn't retrieve the original MBR, but if Monkey
GS> is in memory, it points to the original one. Actually you lose 1 k of
GS> conventional mem thus the additional 1k might have been used by BIOS.
GS> You shouldn't use the undocumented DOS switch FDISK /MBR 'cause this
GS> _rewrites_ the MBR in the way that your old partition is lost and your
GS> data's gone.

Gilbert,

A great and exact description, and very good advice too! Unfortunately Steve Leung lost his two drives; he probably tried fdisk/mbr, when he shouldn't. In a later post he wrote that he reformatted his two drives.

The following is for the unfortunate that lost a drive in a similar way, or managed somehow to damage the MBR _or_ the boot sector of her, or his hard drive(s). Such a disk can be recovered in seconds by ResQdisk, from the registered InVircible package, _even if you didn't prepare a disaster recovery floppy beforehand._ Just boot clean, run ResQdisk, and follow the instructions.
Regards,

Zvi Netiv, InVircible
ftp.datasrv.co.il/user/netz/
ftp.netcom.com/pub/antivir/
Fax 972 35325325
=========================================================================

------------------------------

Date: Mon, 28 Nov 94 17:30:56 -0500
From: fli@cs.uml.edu (Fangzhi (Francis) Li)
Subject: Form virus (PC)

Hi there

I got the "Form" virus in my boot sector. I use scan and clean, but it tells me the virus can not be removed safely. In my system, I install DOS and OS/2 in the same system. The partition is like the following...

boot manager
c: dos (FAT)
d: OS/2 (HPFS)
E: OS/2 (HPFS)
F: OS/2 (HPFS)

Now I can use a bootable disk to boot DOS and OS/2, but I can not boot it from the hard drive. Any help is highly appreciated.

name: Fangzhi Li, alias: Francis Li
campus: University of Massachusetts at Lowell, computer science
internet: fli@cs.uml.edu

------------------------------

Date: Mon, 28 Nov 94 20:49:08 -0500
From: saimun@subct.jud.gov.sg
Subject: Mustafa Stack - Virus ?? (PC)

Pardon me, I am quite new in this list. I can't seem to find the FAQ for the list.

I encountered a few data files on our network which have the contents "Mustafa Stack" for at least 10 lines. Is this a virus? If it is, what kind of virus is this? I need some info to kill the virus. If possible please email me directly. I don't seem to get the listserv for a few days now.

TIA

Saimun Julia
Network Analyst
Subordinate Courts of Singapore

------------------------------

Date: Mon, 28 Nov 94 16:29:46 -0600
From: ACM0200@mtroyal.ab.ca
Subject: FILLER and ISRAELI BOOT (IBOOT) Viruses (PC)

In addition to the "Filler" virus, I have detected the "Israeli Boot" virus on my system. The latest McAfee software will catch them both when active in memory, but never, ever, ever on any disk.
Accepting that, I went out and bought a brand spanking new copy of the Norton Anti-Virus, which detected a grand total of nothing at all. Any help out there?

K

------------------------------

Date: Wed, 23 Nov 94 22:52:00 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: HELP! My PC seems to be infected. (PC)

Hello Magnus!

12 Oct 94 18:20, Magnus Carstam wrote to All:

MC> I don't know if this is anything but I've
MC> heard of a virus called cascade and
MC> a checker of IRQ has given the following
MC> results
MC> IRQ2 Cascade -> IRQ9
MC> IRQ9 Cascade -> IRQ2.

Could someone tell me what that Cascade means?

Greetz, Rinse

--- FMail 0.96b
* Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Thu, 24 Nov 94 17:35:01 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: ANSI Bomb? (PC)

Hello Kevin!

14 Oct 94 17:57, Kevin Marcus wrote to All:

KM> Either don't use ANSI.SYS, or use PKSFANSI or one of the multiple drivers
KM> which don't allow for keyboard redefinition.

Can a virus scanner trigger an ansi bomb?

Greetz, Rinse

--- FMail 0.96b
* Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Thu, 24 Nov 94 18:10:06 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: Monkey Virus ****** Possible FIX (PC)

Hello all!

19 Oct 94 12:33, Internet Gateway wrote to All:

IG> POSSIBLE FIX TO MONKEY VIRUS:

Can I conclude that there isn't an AV program that can 'clean' the Monkey virus??

Greetz, Rinse

--- FMail 0.96b
* Origin: It's All Or Nothing * Sa&Su 10:00-21:00 * 05126-2412 (9:316/7)

------------------------------

Date: Tue, 29 Nov 94 07:38:52 -0500
From: PHILIP JAMES POWELL
Subject: Omicron PT (PC)

Does anyone know anything about the Omicron PT virus? What does it do? What sort of virus is it? What does it infect? Which virus killer will detect it? Please e-mail me.

Thanks in advance
Phil.
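Several posts in this issue, Phil's included, boil down to "which scanner will detect this virus?", and the reply to "Virus Signatures needed" earlier in the digest shows what those scanners actually work from: fixed byte strings. The Python below is an added example for this digest, not code from any post and not the logic of TBAV, F-Prot or any other product named here. The ten names and signatures are copied from Mike's reply; everything else (the function names `scan_buffer` and `scan_file`, and the sample buffers, which are NOP padding with one signature pasted in, not infected files) is constructed for the example.

```python
"""Toy fixed-string signature scanner (added example; not a product's code).
The ten signatures are the ones posted in this digest's 'Virus Signatures
needed' reply, transcribed from TBAV.  The sample buffers are constructed."""

from typing import Dict, List, Tuple


def _sig(hexstr: str) -> bytes:
    """Turn a space-separated hex string as printed in the digest into bytes."""
    return bytes.fromhex(hexstr.replace(" ", ""))


# Name -> signature bytes, exactly as listed in the digest.
SIGNATURES: Dict[str, bytes] = {
    "VCL":               _sig("86 F6 91 91 E8 F9 01"),
    "PIXEL":             _sig("50 B8 00 F0 8E"),
    "MICHELANGELO":      _sig("C0 8E C0 CD 13 0E 1F B8 01 02"),
    "GREEN CATERPILLAR": _sig("06 1E 8C C0 0E 07"),
    "GOTCHA":            _sig("5D 81 ED 03 01 E8 ED 02"),
    "MINI":              _sig("8A 80 BD 01 88 80 C8 01 43 E2 F5"),
    "STEALTH B":         _sig("A3 13 04 B1 06 D3 E0 8E C0 C7 06 4C 00 82"),
    "TEN BYTES 5":       _sig("E8 5D 00 80 3E 49 03 FF 74 03 EB 6F"),
    "BLACK MONDAY":      _sig("25 CD 21 A1 0A 00 BB 80 00 8E C0"),
    "RUSSIAN TINY":      _sig("B8 CC 4B BF 00 01 8B 75 02 03 F7 CD 21"),
}


def scan_buffer(data: bytes) -> List[Tuple[str, int]]:
    """Return (name, offset) for every signature occurrence in data, ordered by offset."""
    hits: List[Tuple[str, int]] = []
    for name, sig in SIGNATURES.items():
        start = 0
        while True:
            pos = data.find(sig, start)
            if pos < 0:
                break
            hits.append((name, pos))
            start = pos + 1  # keep going: a buffer may hold more than one hit
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk.  The scanner only sees what the disk driver hands
    back, so a stealth virus active in memory can feed it clean sectors; that
    is why the posts above insist on a cold boot from a clean, write-protected
    floppy before scanning."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed test data (NOT infected files): NOP padding around one signature.
CLEAN_SAMPLE = b"\x90" * 128
INFECTED_SAMPLE = b"\x90" * 64 + SIGNATURES["GREEN CATERPILLAR"] + b"\x90" * 32

# A fixed string matches only the exact bytes it was taken from.  Flipping one
# bit inside the signature region (constructed here) makes the same buffer scan
# clean, which is why "uncataloged" reports like the Hellraiser one happen and
# why every reply in this digest says to keep the definitions current.
_variant = bytearray(INFECTED_SAMPLE)
_variant[64 + 2] ^= 0x01
VARIANT_SAMPLE = bytes(_variant)


if __name__ == "__main__":
    for label, buf in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                       ("variant", VARIANT_SAMPLE)):
        print(f"{label:9s} -> {scan_buffer(buf)}")
```

Running the block prints no hits for the clean and the one-bit variant buffers and a single `("GREEN CATERPILLAR", 64)` hit for the constructed infected buffer. That last result is the whole lesson of the scanner reports in this issue: a string scanner answers "does this exact sequence occur?", not "is this machine clean?", so a clean result from an out-of-date scanner, or from one run with a stealth virus resident, says less than it appears to.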
------------------------------

Date: Tue, 29 Nov 94 16:47:33 -0500
From: aquaman@cloudnet.com (John W Stemper)
Subject: Doom II Virus (PC)

I'm looking for any info on the Doom II virus. F-Prot sees the virus as a variant of the Tai-Pan or Whisper virus. It seems to only infect EXEs that are 64K or less. McAfee 2.1.3 doesn't see it at all (they are working on it). None of the cleaners we've tried removes it. Infected files will run but may cause exception 13 errors with QEMM and other memory managers.

If anybody has any further info or experience with this one please let me know.

Thanks,
John Stemper

------------------------------

Date: Tue, 29 Nov 94 19:24:17 -0500
From: ftijdens@pielab.knoware.nl (Folkert Tijdens)
Subject: hidden file: SMARTDR.EXE, Autoexec.bat modified (PC)

Tonight, without any apparent reason, while working in Windows, my system suddenly became very slow. It was not possible to use the mouse. The cursor reacted very slowly and it was not possible to click or double-click. After exiting from Windows I found that the DOS screen showed all text with different colors for each letter, and the colors were rapidly changing.

I rebooted the system, but the behaviour persisted. I checked my autoexec.bat, and found the following two lines added to the end of the file:

> set MEM=4000
> smartdr

In the root directory I found a hidden file named SMARTDR.EXE, length 13,856 bytes, and dated today, about one hour ago. I checked my system with McAfee scan and F-Prot but neither program detects any virus. I am very positive that I did not put this program on my machine.

Who knows what this program does? Could this be a virus?
------------------------------

Date: Wed, 30 Nov 94 11:52:48 -0500
From: hood!hstroem@uunet.uu.net (Henrik Stroem)
Subject: Re: Mouse ports (PC)

ANTHONY APPLEYARD wrote:
> what port reads and writes would I need to access an ordinary serial
> Microsoft-type mouse directly by port reads and writes, bypassing the
> int33 interrupts and the usual mouse handlers?

You might want to look at INT 15h, Func C2h with subfunctions. Also you should look at the INT 33h handler to find example code on how interfacing with a mouse is done. As for ports it probably is the serial port (eight ports usually starting at 3F8H, I think). It looks like INT 15h contains BIOS level support, so it might be a better way to go, as opposed to doing everything yourself. At least the INT 15h handler of a new AMI BIOS should give some clues.

Sincerely,
Henrik Stroem

------------------------------

Date: Wed, 30 Nov 94 11:52:09 -0500
From: S.PEPPING@ELSEVIER.nl
Subject: Infection with Natas4744/4746 via free disk (PC)

Amsterdam, 29 November 1994

Re: Natas 4744/4746 on free PCM-distributed disk

Hello,

Yesterday afternoon we discovered the virus Natas 4744/4746 on several of our computers. It was diagnosed and removed with the virus scanner F-PROT 2.15 (created 10 November 1994). The virus arrived with a free disk distributed by the Dutch computer magazine Personal Computer Magazine, containing Euromark, VNU European lab's computer test suite.

Yours sincerely,
Simon Pepping

**************************************************************************
* Simon Pepping                  *                                       *
* Elsevier Science               * E-mail: S.Pepping@Elsevier.NL         *
* Physics & Materials Science    *                                       *
* Sara Burgerhartstraat 25       * Voice: +31 20 485 2583                *
* 1055 KV Amsterdam              *                                       *
* P.O. Box 103                   * Fax: +31 20 485 2319                  *
* 1000 AC Amsterdam              *                                       *
**************************************************************************

------------------------------

Date: Thu, 01 Dec 94 10:08:47 -0500
From: dwarf@step.polymtl.ca (Patrice Chiniara)
Subject: How to get rid of RIPPER (PC)

Hi there,

I have some 1.44 disks infected with the RIPPER virus. I've tried to clean them with scan 2.1.231e (McAfee), but the virus couldn't be removed from the disks. The only way I found to clean a 3.5" disk is to copy the disk to a hard drive, clean the hard drive, format the 3.5" disk, then copy from the hard drive back to the 3.5" disk.

Well, my question is: IS THERE A QUICKER WAY ???

- ------
Patrice Chiniara
dwarf@step.polymtl.ca

------------------------------

Date: Wed, 30 Nov 94 20:49:23 -0500
From: rargyle@cc.weber.edu (Bob Argyle)
Subject: Michelangelo(?) virus bypasses bios test (PC)

I found one of our computers with the BIOS warning about boot sector writes infected with what was identified as the Michelangelo virus. Is there any possibility for a virus to defeat the warning, or is the only explanation operator error? The CMOS switch for the test was probably being modified (along with A:/C: boot sequence) at the time of infection.

Bob Argyle
rargyle@cc.weber.edu

------------------------------

Date: Wed, 30 Nov 94 15:56:50 -0500
From: equine@Glue.umd.edu (Melinda L. Gierisch)
Subject: NATAS Alert! (PC)

This was emailed today (11/30/94) to everyone in my office:

  *******************************************
  *******************************************
  **                                       **
  **     V I R U S   A L E R T ! ! !       **
  **                                       **
  *******************************************
  *******************************************

At First Saturday Sale in downtown Dallas, there was a vendor handing out floppy disks to demo his services. Unknown to the vendor these disks were infected with the Natas Virus (in the INSTALL.EXE file.) This is a fairly nasty polymorphic virus that *can* trash your hard drive.
It does varying degrees of damage, with a complete crash in roughly 1 out of 500 hard drives. The demo program was only completed 4 days ago, but SO FAR, there have been 3 crashed systems and one infected network. With several hundred additional demo disks now in circulation.... the potential is pretty scary.

The free demo disks were 3.5" black floppies with the word "WIN" in large letters from Winner's International Network. Please pass this message around, this could be a nasty problem. The vendor has handed out over TWO THOUSAND disks total, and the virus is probably widespread in the DFW community by now.

The virus is polymorphic, uses complex stealth routines, has some tricky code in it, plus remains memory resident. It kicks almost *EVERY* flag in TBSCAN's heuristic mode. NATAS is very new, and is not recognizable by SCAN, MICROSOFT ANTI-VIRUS, and CENTRAL POINT. Only F-PROT, TBAV, and AVPRO can find it.

If you have the virus already, it goes memory resident, and uses heavy polymorphic code to avoid detection. Chances are, if you're already infected, a virus scanner *might* not find it. Boot from a clean floppy containing an anti-virus scanner, and scan all your drives.

- --------------------------------------------------------------------------
equine@eng.umd.edu ( Melinda Gierisch )
Horse: Danny ( Thoroughbred )
Other: Tanner ( Black Labrador )
Search and Rescue: That Others May Live!

------------------------------

Date: Thu, 01 Dec 94 11:14:22 -0500
From: sandoz@ismennt.is (Einar Sverrir Sandoz)
Subject: pklite (PC)

Hello all.

Tell me, is there any virus cleaner program available that can expand PKLITE executables, disinfect them and compress them again on the fly? I seem to have some Cascade, if I remember right, kind of virus in quite a lot of programs (& memory), but can think of better things to spend the night on than doing this 'manually'.

Best Regards,
Einar.
------------------------------

Date: Thu, 01 Dec 94 16:54:42 -0500
From: Leon Bekker
Subject: Possible WP 5.1 for DOS (PC) virus?? (PC)

We have run into a problem at the time of retrieving a document: the letters "mx" replace characters within the document itself. This seems to be recurring, but does not seem to reflect consistency in what it replaces, or even where it replaces characters. Also, sometimes portions of pages are deleted, which would need to be re-pasted from a backup copy of the document!

Has anybody come across a virus of this nature, and if so, would you mind emailing me at the address below? I skimmed some of the "Subjects" of previous virus listings, and wondered if this had to do with a/the "Merry Xmas" (mx) virus.

Would appreciate your help with same.

Leon Bekker
Systems Analyst/Network Specialist
I.W.U. Marion, IN. 46953
(317) 677-2332 (W); (317) 677-2499 (Fax)
Email: leonb@indwes.edu

------------------------------

Date: Fri, 02 Dec 94 01:46:19 -0500
From: Bill Geimer
Subject: Re: Differences between McAfee products? (PC)

2.1.3 is the most current. Faster but larger than 2.1.1. Could not use it to remove the JOSHI virus from hard drive and floppy boot sector. Had to revert to 1.1.7.

Speed improves significantly for scanning with the 2.1.x versions. Syntax changes a lot as well and all batch files must get new parm strings. In version 1.1.7, Clean is a separate program and you have to type in the name of the virus as a bracketed parameter. Version 2.1.x uses SCAN.EXE for both functions - invoke with the /CLEAN parm to eradicate. 2.1.x has lots of new parms to direct it to scan boot sectors only (/BOOT), and to repetitively scan multiple floppy disks (/MANY), among other things. 2.1.x scans memory from 0 to 1088 automatically if HIMEM & EMM386 provide UMBs above 640K.
------------------------------

Date: Thu, 01 Dec 94 14:12:23 -0500
From: 72571.3352@CompuServe.COM (Wolfgang Stiller)
Subject: i_m231c.zip - Integrity Master 2.31c antivirus/data integrity (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
i_m231c.zip    Integrity Master 2.31c antivirus/data integrity

Integrity Master provides complete, easy to use, data integrity for your PC plus virus protection. It can also be used to provide file change management and security on your PC. As well as scanning for known viruses, it detects unknown viruses and unlike other products will detect files which have been damaged but not infected by a virus. IM checks and restores your CMOS including the new larger CMOS configuration memories found on most newer PCs.

INTEGRITY MASTER PROTECTS YOU AGAINST ALL THREATS TO YOUR DATA AND PROGRAMS NOT JUST VIRUSES!

Special requirements: None

Changes: Minor bug fix from V2.31b. Fixes false-positive in memory of StonedN.

i_m231c.zip has replaced i_m231b.zip. ASP ShareWare. Uploaded by the author.

Wolfgang Stiller
Stiller Research
2625 Ridgeway St.
Tallahassee, FL 32310 USA
72571.3352@CompuServe.COM / wolfgang@freenet.tlh.fl.us

------------------------------

Date: Thu, 01 Dec 94 22:59:34 -0500
From: gbsalmgo@ibmmail.com (Martin Overton)
Subject: cm8104e.zip - ChekMate known/unknown virus detection utility (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
cm8104e.zip    ChekMate known/unknown virus detection utility

ChekMate 1.04e is a DOS based virus detection utility written originally for my own purposes. Other people have seen and/or used ChekMate and suggested that I release it as a virus detection tool. So here it is!
ChekMate was written to detect new and known file, boot and partition table viruses. It should be used alongside a good quality virus scanner. It is NOT a substitute for a virus scanner. It will detect most file infector, boot sector or partition table viruses.

I frequently receive suspect files from people throughout the world who believe, either rightly or wrongly, that they are infected with a new/unknown or known virus. I needed a way to confirm that the file/disk was indeed infected. My first step was to scan it for known viruses; if that did not detect a known virus then the infected file/disk was run on a 'sheep-dip' PC and ChekMate was then used to tempt the virus into infecting one or more of the bait files or the Boot sector or Partition Table. In all cases the virus was caught by ChekMate, either by infecting one or more of the BAIT files or the Boot Sector or Partition Table.

Many people do not perform a daily scan of their PC, because it takes too long (3-20 Minutes). ChekMate takes under 20 seconds to run, even on 80286 based systems.

Requirements:

- ChekMate requires you to have an IBM PC Compatible running DOS 3.3 or later and at least 128Kb of memory and a Hard Disk.
- DEBUG must also be on your PC in your Path.
- This version will only run on 80286 or later processors. Please contact the author if you require an 8088/8086/V20/V30 version.

Martin O.

- - -
Martin Overton, PC Technical Specialist
Tel: +44 (1403)232937
gbsalmgo@ibmmail.com OR Martin@salig.demon.co.uk

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 99]
*****************************************
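The bait-file and integrity-baseline idea behind ChekMate and Integrity Master above, applied to the kind of change the SMARTDR.EXE post reports (two lines appended to AUTOEXEC.BAT and a new file in the root), as an added Python example that is not code from the digest or from either product; the bait content, the file names and the placeholder SMARTDR.EXE bytes are constructed, and the directory is a scratch temp dir rather than a real root.

```python
import hashlib
import os
import tempfile

BAIT_CONTENT = b"\xC3" + b"\x90" * 255   # constructed bait: one RET plus padding
BAIT_NAMES = ("BAIT1.COM", "BAIT2.EXE")

def fingerprint(path):
    """Size and SHA-256 digest of a file; this pair is what the baseline stores."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (len(data), hashlib.sha256(data).hexdigest())

def baseline(directory):
    """Plant bait files of known content, then record every file's fingerprint."""
    for name in BAIT_NAMES:
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(BAIT_CONTENT)
    return {name: fingerprint(os.path.join(directory, name))
            for name in os.listdir(directory)}

def check(directory, base):
    """Compare the directory against a baseline; return (name, finding) pairs."""
    findings = []
    current = {name: fingerprint(os.path.join(directory, name))
               for name in os.listdir(directory)}
    for name, fp in current.items():
        if name not in base:
            findings.append((name, "new file"))       # e.g. a dropped executable
        elif fp != base[name]:
            kind = "grew" if fp[0] > base[name][0] else "changed"
            if name in BAIT_NAMES:
                kind = "bait " + kind                 # bait touched: likely an infector
            findings.append((name, kind))
    findings += [(name, "missing") for name in base if name not in current]
    return findings

def demo():
    """Replay the digest's scenario in a temp dir (all files constructed)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "AUTOEXEC.BAT"), "w") as fh:
        fh.write("@ECHO OFF\nPROMPT $P$G\n")
    base = baseline(d)
    with open(os.path.join(d, "AUTOEXEC.BAT"), "a") as fh:
        fh.write("set MEM=4000\nsmartdr\n")           # the two lines the poster found
    with open(os.path.join(d, "SMARTDR.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 30)               # placeholder bytes, not the real file
    with open(os.path.join(d, "BAIT1.COM"), "ab") as fh:
        fh.write(b"\x00" * 16)                       # appended bytes, as an infector would
    return sorted(check(d, base))
```

Run on a real system the baseline would be stored off-line (a write-protected floppy, in the digest's era) and taken only after a clean boot, since a resident stealth virus can hide the changes from the check itself.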