VIRUS-L Digest   Thursday, 22 Dec 1994    Volume 7 : Issue 103

Today's Topics:

Heuristic Scanning Algorithms
W-Boot (Swiss) Infection (PC)
MBR Viruses / rebuilding MBR (PC)
November 17th (PC)
Doom II virus (PC)
Re: A SETUP funny on boot : virus or what? (PC)
Skid-Row virus (PC)
Virus named Jack Ripper (PC)
GenB SOLVED! (PC)
solomons causes GPF's & slows program loads (PC)
Smiley Boot Virus (?) (PC)
New Happy virus? (PC)
Intel LANProtect vs. McAfee NetShield (PC)
Re: F-PROT's Virstop.. How effective is it? (PC)
Taipan (PC)
Re: Virus Found in MSAV.EXE (PC)
Re: NYB (PC)
Re: Of what value is McAfee Netshld (PC)
Help! stop_exe virus. (PC)
new virus? (PC)
Infect with Die Hard 2 ???? (PC)
What kind of virus is this ? (PC)
NewBug [Genb] (PC)
Nympho Mitosis 2.0 (PC)
Re: FORM virus on Doublespaced Drives (PC)
Trident virus info? (PC)
Possible Gold Bug infection (PC)
junk-virus on my PC- Help me!!! !!! (PC)
Leonardo - is this a virus ? Cure? (PC)
Why does my system take naps? (PC)
Virus found on Compaq notebook: ANTIEXE (PC)
Re: Happy birthday PC virus. Please help! (PC)
Re: F-Prot Professional versus F-Prot Shareware (PC)
Re: Virus Signatures needed. (PC)
Re: What can a virus do ? I need HELP! Please (PC)
Monkey Virus ****** Possible FIX (PC)
Omicron PT (PC)
Re: F-Prot Professional versus F-Prot Shareware (PC)
December1 (PC)
Re: HELP! My PC seems to be infected. (PC)
Re: Monkey Virus ****** Possible FIX (PC)
Automating scanning on Netware (PC)
Re: HELP! My PC seems to be infected. (PC)
McAfee and Michelangelo (PC)
Keyboard problem (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 14 Dec 94 13:17:06 -0500
From: "pendleto@titania.math.ukans.edu"@KUHUB.CC.UKANS.EDU
Subject: Heuristic Scanning Algorithms

Does anyone know, or can speculate, how the heuristic scanning algorithm in FPROT works? What makes it think that there may be a virus in a file? Is there a writeup on the algorithm anywhere?

Steve

------------------------------

Date: Mon, 12 Dec 94 02:32:17 -0500
From: souters@mackie.edfac.usyd.edu.au (Stephen Souter)
Subject: W-Boot (Swiss) Infection (PC)

I have discovered an infection at our site of a hard disk partition table virus that one piece of software (SCAN V.2.1.1, McAfee Associates) detects as the "W-boot" virus but which another piece of software (SCAN 9.30 V117, also from McAfee) detects as the "Swiss" virus. (Yet another reported it to be a variant of the "Stoned" virus.)

As if that were not confusing enough, SCAN 9.30 reports two occurrences of this virus per partition table whereas SCAN V.2.1.1's report implies only one occurrence. Other software that one should have thought ought to know about it report the same hard drives to be virus-free. I refer in particular to MS-DOS 6.20's MSAV program.

I ought to point out we first detected something amiss when numbers of our PCs (typically ancient IBM PS/2 model 30's) would periodically refuse to boot from their hard drives, although they would boot quite happily when launched from a floppy disk.
A SYS C: generally was enough to restore them to business as usual, but sooner or later they would go down again. Checks with DOS's MSAV, though, detected nothing (as did an admittedly fairly ancient version of Norton's). It wasn't until I pulled a couple of shareware virus scanners down off the Internet that a different story emerged.

However, while these scanners will freely admit to a virus, they do not (as reported above) do so consistently, even when produced by the same people! Worse, a hunt round various Internet PC shareware archives has failed to find any software that can remove this particular virus. The CLEAN program (9.30 V117, also from McAfee) knows about the Swiss (aka W-Boot) virus, but reports that it cannot "safely" remove it, while M-DISK seems only to be of use for those whose hard drives were formatted under MS-DOS versions 3.x-4.0. (We are using a mixture of 5.0 & 6.x; only our very oldest machines would have ever had 4.x on them.)

I am loath to take the alternative step if I can at all avoid it: viz. zapping each and every hard drive with low-level formatting software and reloading all the software from scratch, since that may well involve upwards of 40 PCs. Can anybody offer a less painful solution?

I would also be intrigued to know why MSAV failed to detect the infection. Is this a very new virus or is it a case of MSAV not checking the system area of a hard drive at all? (I have noted that the 6.20 version is copyrighted 1993 despite MS-DOS 6.20 being of 1994 vintage.)

Also while on the subject of viruses & scanners, is there anywhere on the Internet where upgrades of Norton Anti-Virus (and for that matter Microsoft's MSAV) can be found? The only Norton one I have laid eyes on is the special Michelangelo edition, which I take to be a version restricted to that particular virus.
- --
Stephen Souter
souters@mackie.edfac.usyd.edu.au

------------------------------

Date: Mon, 12 Dec 94 04:19:34 -0500
From: dbuchere@Physik.TU-Muenchen.DE (Daniel Bucherer)
Subject: MBR Viruses / rebuilding MBR (PC)

Sorry about this naive way of thinking, but what happens to a boot sector virus on a hard disk if you boot from a clean disk containing the FDISK utility and then type FDISK /MBR? Doesn't that finish off the virus?

Daniel (dbuchere@physik.tu-muenchen.de)

------------------------------

Date: Mon, 12 Dec 94 07:46:28 -0500
From: ia_remko@cs.utwente.nl (Remko M. Wiersma)
Subject: November 17th (PC)

Recently, my computer suffered from a virus called [800] by the newest (at that time) virus scanner of McAfee (I downloaded the shareware version from the ftp.mcafee.com site). When I scanned an infected floppy disk on a different computer using a copy of the same (not infected) virus scanner, it was identified as the [november 17th] virus. Is this virus known under two different names or what? Can anyone tell me what damage the [800]/[november 17th] virus causes?

Thanx.

+----------------------------------------------------------+
|Remko M. Wiersma           | Secretary                    |
| (ia_remko@cs.utwente.nl)  |                              |
|Student Computer Science   |                              |
|at the University of Twente|                              |
+----------------------------------------------------------+

------------------------------

Date: Mon, 12 Dec 94 12:00:34 -0500
From: aquaman@cloudnet.com (John W Stemper)
Subject: Doom II virus (PC)

We were recently infected with the DOOM II DEATH virus. It was fairly harmless. It added 666 bytes to each exe under 65K. Fprot found it, McAfee did not. McAfee now has it added to their scan program. The virus had text inside that referred to a pirated copy of DOOM II released by RAZOR. The text insinuated that the virus would destroy the pirated copy of DOOM II. The text also included a disclaimer that the author was in no way connected with ID.
Fprot saw the virus as a variant of the Whisper virus.

------------------------------

Date: Mon, 12 Dec 94 12:38:25 -0500
From: kief@utk.edu (Kief Morris)
Subject: Re: A SETUP funny on boot : virus or what? (PC)

ANTHONY APPLEYARD says:

>I am in charge of 16 public PC's. 10 of them are PCSX 386's which are now a
>few years old. [...]
>Invalid configuration information - please run SETUP program

Your CMOS batteries are running low. This is a little battery, often soldered onto the motherboard, which supplies power to the CMOS, which is where the configuration information for your system is stored. They typically start fading after 2 or 3 years. They can be replaced, although it involves soldering.

=======================Generic .sigfile=======================
name@address            Full Name, Title, Organization
Joke and/or obscure philosophical comment

------------------------------

Date: Mon, 12 Dec 94 15:33:10 -0500
From: jrowley@gate.net (Ninnghizhidda)
Subject: Skid-Row virus (PC)

Hello all. My computer has the Skid-Row virus written by Dark Slayer. It hasn't done anything to my computer other than every time I read from command.com (I think that's where it is) I get a stupid little message in the top right corner of my screen. I have run F-prot version 2.14, MSAV, and Norton Antivirus. All have not identified a thing. I can't even find any info on it. If anyone can help me out, I would appreciate it. Thanks.

------------------------------

Date: Mon, 12 Dec 94 16:05:10 -0500
From: Iolo Davidson
Subject: Virus named Jack Ripper (PC)

sshortal@iol.ie "Seamus Shortall" writes:

> Have you any idea about its transmission method (seems to be
> via boot-sector) and activation symptoms?

Yes, it is a boot sector infector. Its payload is very damaging - it corrupts files/sectors at random.

- --
A GIRL BUT NOT SHOULD HOLD ON WHEN HE'S DRIVING TO HER YOUTH
Burma Shave

------------------------------

Date: Mon, 12 Dec 94 16:05:25 -0500
From: Iolo Davidson
Subject: GenB SOLVED!
(PC)

youngcr@gvsu.edu writes:

> I had a friend whose computer was infected with it

Infected with what? GenB just means "unidentified boot sector virus". It is not the name of any particular virus, just what McAfee says when it sees something it thinks might be a virus.

> and we killed it without losing any data at all.

This is usually no great feat...

> The first thing you have to do is to pull the battery
> off of the mother board.

But you went about it in an odd way. Dumping your CMOS setup doesn't make the job easier.

> Then you have to have a CLEAN startup disk to work
> with. Boot the computer using the disk and use FDISK /MBR.

With a number of viruses this would be a bad mistake. Since the GenB report means that you don't actually know what virus you have, you were taking a chance. It seems you got lucky, but others may be unlucky if they follow your advice.

> I don't know if you have all heard of the origin of mass
> distribution of this lovely virus, but you can thank a company
> named xxxxxxxxxxx.

It is difficult to be sure where a virus has come from. Publicly naming the company without very good evidence could well get you sued.

> Don't get me wrong, they are
> still a good company, they just need to check for viruses before
> sending out their disks.

Did you scan the disk before you put it in your computer? (Trick question, that.) Put it another way - was the disk write protected before you put it in your computer? If not, and you already had the virus, the disk would have been infected first thing, by you. Maybe you are the person who did not check properly.

- --
A GIRL BUT NOT SHOULD HOLD ON WHEN HE'S DRIVING TO HER YOUTH
Burma Shave

------------------------------

Date: Mon, 12 Dec 94 16:05:21 -0500
From: Iolo Davidson
Subject: solomons causes GPF's & slows program loads (PC)

sshortal@iol.ie "Seamus Shortall" writes:

> I'm using Solomon's GUARD 4.2 TSR & have the following
> problems:
>
> 1: It causes GPF's in Netmanage's Chameleon Mail program.
Haven't heard of this before (either the problem or the program).

> 2: My terminal emulator program takes 3 times longer to load.

Any anti-virus TSR requires some time to check programs for viruses as they load. Checking some programs takes longer for various reasons. A common reason is when the program opens a lot of files with executable extensions (including .OVL, .OVR, .SYS, etc.) when it starts to run. This causes each of these files also to be checked, which takes more time. Supercalc used to (still does?) open twenty overlay files at startup, even though it was not using them at that time.

> Does anyone know if this is specific to this version & should I
> look for an upgrade or a different product?

VirusGuard has been on version 4.57 for a while now. 4.2 is quite old, and should be complaining that its virus database is well out of date. Dr. Solomon's is usually sold with an upgrade subscription scheme. You ought to renew if it has run out. I don't know whether that will solve the protection fault.

The slow loading probably won't be affected by an upgrade, but an alternative product will not be faster if it does the same job. Some TSR's do not do the same job (i.e. they don't check executables when the files are opened, only when they are executed), so they might load faster by providing less protection. You can make VirusGuard perform like this by specifying the /copy=no switch when you install it. It will then check only when programs are run, not when the file is opened. Worth trying just to see if that is what is causing the slow down.

I am the original author of VirusGuard, but no longer work for the company. Why not check with them directly? Call +44 296 318700 and ask for tech support. Or call the Irish distributor, Priority Data on 01 284 4378.
- --
A GIRL BUT NOT SHOULD HOLD ON WHEN HE'S DRIVING TO HER YOUTH
Burma Shave

------------------------------

Date: Mon, 12 Dec 94 16:36:52 -0500
From: mcneal@AC.GRIN.EDU (Terry McNeal)
Subject: Smiley Boot Virus (?) (PC)

We have been hit by what McAfee, F-Prot, and VDS all identify as the "Smiley Boot" virus. I am able to eradicate it with a combination of FDISK /MBR and SYS from a clean boot floppy. This virus (?) is rather strange in that try as we might, we cannot get it to infect a floppy. We have done everything we can think of, but no luck. But it is still popping up around campus. This leads me to believe there is only one executable on campus that is causing hard disk infections. I am looking for any information I can get on this virus. Anything will be greatly appreciated. Thanks in advance.

===========================================================================
Terry McNeal               Grinnell College        Internet: MCNEAL@AC.GRIN.EDU
Systems Coordinator        Noyce Computer Center   Voice: (515) 269-4901
                           Grinnell, Iowa 50112    Fax: (515) 269-4936
===========================================================================

------------------------------

Date: Mon, 12 Dec 94 18:46:04 -0500
From: groger@infi.net (Roger A. Grimes)
Subject: New Happy virus? (PC)

Has anyone heard of this virus yet? I have not rec'd a sample, yet, but it is bugging one of my sister hospitals in Michigan. Here are the signs:

1. Plays new age music from PC speaker
2. Time is displayed in reverse video in upper left corner of screen
3. Cursor will bounce across screen
4. If you press F11, a box will appear in middle of screen saying "HAPPY BOX".
5. Erases *.ini, *.sys, *.exe, *.com files
6. Disables mouse.

Only symptom 4 appears on all machines, the rest appear randomly. Be it just me, or is this virus a little bigger than the typical 2k bug? Undetectable by known scanners, although I don't think any heuristics have been run yet. Anyone know what's going on? Please reply to me at Roger_Grimes@bshsi.com.
Thanks in advance.

- --
- --------------------------------------------------------------------------
Roger A. Grimes           "Often wrong, but never in doubt!"
Roger_Grimes@bshsi.com    = direct mail to my PC.
- --------------------------------------------------------------------------

------------------------------

Date: Mon, 12 Dec 94 20:48:51 -0500
From: rentrup@pipeline.com (Richard M. Entrup)
Subject: Intel LANProtect vs. McAfee NetShield (PC)

Looking for a corporate strategy and comparison on deploying Intel LANProtect versus McAfee NetShield on 100+ servers and 3500 workstations. Have current problem with FORM and various MBR viruses.

- --
Richard M. Entrup

------------------------------

Date: Tue, 13 Dec 94 02:26:39 -0500
From: "Zac Helmberger"
Subject: Re: F-PROT's Virstop.. How effective is it? (PC)

On 8 Dec 1994 18:21:13 -0000, David W. Loveless wrote:

>Does F-PROT's virstop function effectively under Windows after it's loaded as
>a TSR in the autoexec.bat file?
>
>I've personally been using F-PROT more as an off-line scanner of new files
>rather than as an on-line detector of viruses.

I tried to read an infected floppy under windows and virstop caught it! It was an anti CMOS.a (sp?) virus that infects the boot sector. It prevented infection of the computer by halting it, I believe.

------------------------------

Date: Mon, 05 Dec 94 19:37:21 +0200
From: Ilja_Schots@f112.n318.z9.virnet.bad.se (Ilja Schots)
Subject: Taipan (PC)

Hi,

Recently a new viruskiller discovered the TAIPAN virus on my disk. It was able to stay on my disk for about 3 weeks. (Now it is removed.) What damage could it have or has done?

CU SHI.

- --- GEcho 1.11+
 * Origin: Quasimodo, has got it all ! (9:318/112)

------------------------------

Date: Tue, 13 Dec 94 15:36:40 -0500
From: rdiblasi@umabnet.ab.umd.edu (Rick DiBlasi (a.k.a.
The Source))
Subject: Re: Virus Found in MSAV.EXE (PC)

fpaterek@uceng.uc.EDU (Harald Paterek) wrote:

> Talking about MSAV, anybody knows where I can find updated signature
> files for this program?
>

BBS: (503) 531-8100

They have the updates for DOS and WINDOWS versions of msav and vsafe. The last updates I saw were from September...

Later--Rick

------------------------------

Date: Tue, 13 Dec 94 15:35:58 -0500
From: sborduas@step.polymtl.ca (Simon Borduas)
Subject: Re: NYB (PC)

TSE CHI ON ANDREW (s935476@acs.csc.cuhk.hk) wrote:

: Hello all!
: Does anyone know the virus named NYB. It's a very new virus.
: Even the newest SCAN 2.1.3 still cannot kill that virus!
: So, does anybody know whether there's cleaner for that virus
: NYB? Thanks.

We also have troubles with this BOOT-MBR infector in Montreal. Any info is welcome.

Simon Borduas
sborduas@step.polymtl.ca

------------------------------

Date: Tue, 13 Dec 94 15:54:55 -0500
From: CKalish@ckalish.pfbi.com (Chris Kalish (Pepsi))
Subject: Re: Of what value is McAfee Netshld (PC)

> In our office we have a couple of programmers who are constantly tweaking
>and updating pieces of code. When they recompile their programs and then load
>their files up to the server, the NLM would grab them and send a message that
>a virus was detected. However when I would view the log file all that is
>reported was that the suspect file was moved to its infected subdirectory.
>There was no mention of what type of Virus was suspected of operating.

We've had the same symptoms over here (whenever we compile our programs, we get the virus message). I can only assume that the NLM thinks that the linker is doing something suspicious by producing an executable. I'd also appreciate any insight into this.

- -cek

------------------------------

Date: Tue, 13 Dec 94 15:59:55 -0500
From: nalipson@wiretap.spies.com (Nathan Lipson)
Subject: Help! stop_exe virus. (PC)

I picked up a virus on the net that a scanning program identifies as "stop_exe".
Heard of it? I don't know anything about viruses, but I'm trying to learn -- quickly!

Nate Lipson
nalipson@wiretap.spies.com

------------------------------

Date: Tue, 13 Dec 94 23:09:01 -0500
From: dziedzic@ecst.csuchico.edu (Knightmare)
Subject: new virus? (PC)

Hello all,

I think I might have a virus problem.... I've been getting corrupted files of late in strange places like sbconfig.exe and cdplay.exe and in various other places... in windows files most frequently... when I run scandisk I get lots of cross linked file errors and directory names that are too long... my windows files are mostly dead and my drivers for other programs keep popping up corrupted.... HELP!!!.... I've d/l the newest antivirus progs from mcafee.com and those just show which files of mine are newly corrupted but they don't fix the problem.... I've used f-prot and that doesn't help either... I'm tempted to just format my Hard Drive and start reinstalling... but I have a 500 Meg drive and no tape backup!! Lots of install disks though... Any help or advice greatly appreciated!! If I do need to format my drive and clean out the boot sectors and all that stuff... Could someone please post how to go about making sure that there is a clean drive after formatting it so I know I got rid of the poss problem!

Thanx,
Doug
e-mail: dziedzic@ecst.csuchico.edu

------------------------------

Date: Tue, 13 Dec 94 23:52:44 -0500
From: deepak@india.hp.com (Deepak Shenoy)
Subject: Infect with Die Hard 2 ???? (PC)

Hello, my system is infected with Die Hard 2. I heard it makes the machine slow. Is there any cure for it? Is this also called DH2 virus? Please reply quickly, it's urgent.

Deepak Shenoy

------------------------------

Date: Wed, 14 Dec 94 08:32:08 -0500
From: Volker Riebeling
Subject: What kind of virus is this ?
(PC)

Hi networld,

My MSDOS 5.0 COMMAND.COM grows from 50031 to 51059, other files grow by different values, only COM-files are infected but not every file. I turn my system off, wait for more than 30 sec, then boot with OS/2, delete my boot-partition, boot again with OS/2, make a bootmanager partition at the beginning and a primary partition of the rest. Now boot with MSDOS 5.0, FORMAT C: /U /S. Now boot from harddisk - no change to the COMMAND.COM! Running a lot of programs, no change! Then I made a CONFIG.SYS with COPY CON C:\CONFIG.SYS:

- - CONFIG.SYS
FILES=30
BUFFERS=20
BREAK=ON

Till then, no change to the COMMAND.COM! New boot from harddisk - COMMAND.COM grows to 51059 ?!?

Any ideas ??? MCAFEE 116V found none. I hope it will be no CMOS-RAM-Virus (if they really exist) because it is an EISA-System with DALLAS-Chips, there is no jumper to clear my CMOS-RAM.

Please help !

Volker

- --
***************************************
* Volker Riebeling, Fh-Lippe, Lemgo   *
* ECHO08@NewWorld.han.de              *
* c51611@fhlip.ee.fh-lippe.de         *
***************************************
If I could as I wanted, then I would no longer want as I could; but if I wanted as I could, then I could no longer as I wanted. (Got it?)

------------------------------

Date: Wed, 14 Dec 94 10:33:49 -0500
From: your_login@rmii.com (Put Your Name Here)
Subject: NewBug [Genb] (PC)

A friend's computer got hit with this virus. Reported by Scan v117. I've tried to remove it, but I'm running into some problems. Booted off of a floppy that I know is clean. But Scan still reports that it is in memory. Does not report this on a different computer. I've gone into CMOS and disabled the harddrive, and booted off of the floppy and still the nasty virus is in memory. I've done warm boot, cold boot, even left the computer off over night. Short of removing the battery and resetting ALL of CMOS, any suggestions? The computer is a Packard Bell 486 Multimedia.
Thanks,
Mike Cobb

------------------------------

Date: Wed, 14 Dec 94 16:08:49 -0500
From: bill.lambdin@pcohio.com (Bill Lambdin)
Subject: Nympho Mitosis 2.0 (PC)

_____________________________________________________________________

Preliminary analysis of Nympho Mitosis virus by W.H. (Bill) Lambdin

Name        ] Nympho Mitosis
Size        ] 787 bytes
Infects     ] .COM and .EXE files including COMMAND.COM.
Scan string ] If this virus is not in the wild, there is no need to
            ] release a scan string.
In the wild ] Unknown
            ]
A-V         ] This virus has been forwarded to the following; Vesselin
            ] Bontchev, David M. Chess, Spencer Clark, Eugene V.
            ] Kaspersky, FRISK, Dr. Alan Solomon, Wolfgang Stiller,
            ] Frans Veldman, Tarkan Yetiser, Dmitry O. Gryaznov.
Armored     ] no
Detected    ] Yes
Encrypted   ] No
Marker      ] The virus places an 8 in the last column of the seconds
            ] field of the time stamp to mark infected files. When
            ] Nympho Mitosis disinfects a host file, a 2 is placed in
            ] the last column of the seconds field of the time stamp.
Polymorphic ] No
Resident    ] Yes
Size in RAM ] 1088 bytes
Stealthed   ] Fully stealthed, but very unusual, the virus removes
            ] itself when an infected file is opened, but does not
            ] re-infect when the host file is closed.
Text        ] [Nympho Mitosis] v2.0 Copyright (c) 1993 Memory Lapse
            ] Phalcon/Skism Canada
Type        ] Infects .COM & .EXE files, and the virus is appended to
            ] the end of the infected host files.
Unusual     ] Does not trap errors. So DOS reports a write protect error
            ] when trying to run a file from a write protected diskette.
_____________________________________________________________________

Bill
9CCD47F3C765CA33 bill.lambdin@pcohio.com C77D698B260CF808 <-PGP fingerprint codes

- ---
 * CMPQwk 1.4 #1255 * This is your third Fiance today, and it's not lunch yet.
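A triage check for the time-stamp marker and the 787-byte growth described in the analysis above (an added example, not Bill Lambdin's code): it parses constructed 32-byte FAT directory entries, decodes the DOS time word, and flags files whose seconds end in 8 (infected marker) or 2 (disinfected marker), cross-checked against a constructed baseline of known-good sizes. The directory blob and baseline table are constructed here; one file in five has a write time ending in 8 by chance, so the marker alone is a hint and the size check is what makes it useful.

```python
"""Triage check for the Nympho Mitosis time-stamp marker (constructed example)."""
import struct
from typing import Dict, List, NamedTuple, Tuple

# Standard 32-byte FAT directory entry: name(11) attr ntres ctime_tenth
# ctime cdate adate hi_cluster wtime wdate lo_cluster size.
_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
VIRUS_LENGTH = 787  # bytes appended to each host, per the analysis above


class DirEntry(NamedTuple):
    name: str
    write_time: int  # raw 16-bit DOS time word of the last write
    size: int


def decode_dos_time(word: int) -> Tuple[int, int, int]:
    """Split a DOS time word into (hour, minute, second).

    DOS keeps seconds/2 in the low 5 bits, so the decoded second is always
    even (0..58); "last column" in the analysis is its last decimal digit.
    """
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def encode_dos_time(hour: int, minute: int, second: int) -> int:
    """Inverse of decode_dos_time; odd seconds round down, as DOS does."""
    if not (0 <= hour < 24 and 0 <= minute < 60 and 0 <= second < 60):
        raise ValueError("time out of range")
    return (hour << 11) | (minute << 5) | (second // 2)


def marker_status(word: int) -> str:
    """Classify a time word the way the analysis describes the marker:
    seconds ending in 8 = infected, ending in 2 = disinfected by the virus."""
    second = decode_dos_time(word)[2]
    if second % 10 == 8:
        return "infected-marker"
    if second % 10 == 2:
        return "disinfected-marker"
    return "no-marker"


def parse_dir_entry(raw: bytes) -> DirEntry:
    """Decode one raw FAT directory entry into the fields we need."""
    if len(raw) != _ENTRY.size:
        raise ValueError("FAT directory entry must be 32 bytes")
    fields = _ENTRY.unpack(raw)
    base = fields[0][:8].decode("ascii").rstrip()
    ext = fields[0][8:].decode("ascii").rstrip()
    return DirEntry(f"{base}.{ext}" if ext else base, fields[8], fields[11])


def build_entry(base: str, ext: str, h: int, m: int, s: int, size: int) -> bytes:
    """Construct a directory entry for the sample below (constructed data)."""
    raw_name = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    return _ENTRY.pack(raw_name, 0x20, 0, 0, 0, 0, 0, 0,
                       encode_dos_time(h, m, s), 0x1D8E, 2, size)


def triage(raw_dir: bytes, baseline: Dict[str, int]) -> List[Tuple[str, str, bool]]:
    """Walk a raw directory and report (name, marker status, grew by 787).

    A file that carries the infected marker AND grew by exactly VIRUS_LENGTH
    since the baseline is a strong candidate; the marker alone is weak,
    because one file in five has a write time ending in 8 by chance.
    """
    report = []
    for off in range(0, len(raw_dir), _ENTRY.size):
        chunk = raw_dir[off:off + _ENTRY.size]
        if chunk[0] == 0x00:      # end-of-directory marker
            break
        if chunk[0] == 0xE5:      # deleted entry
            continue
        entry = parse_dir_entry(chunk)
        old = baseline.get(entry.name)
        grew = old is not None and entry.size - old == VIRUS_LENGTH
        report.append((entry.name, marker_status(entry.write_time), grew))
    return report


# Constructed sample: a known-good size table and a directory in which
# COMMAND.COM has both the marker and the 787-byte growth, AUTOEXEC.BAT is
# untouched, and EDIT.COM carries the "disinfected" marker at its old size.
BASELINE = {"COMMAND.COM": 47845, "AUTOEXEC.BAT": 128, "EDIT.COM": 413}
SAMPLE_DIR = b"".join([
    build_entry("COMMAND", "COM", 9, 12, 48, 47845 + VIRUS_LENGTH),
    build_entry("AUTOEXEC", "BAT", 9, 12, 10, 128),
    build_entry("EDIT", "COM", 9, 12, 22, 413),
    bytes(_ENTRY.size),
])

if __name__ == "__main__":
    for name, status, grew in triage(SAMPLE_DIR, BASELINE):
        print(f"{name:13} {status:19} grew_by_787={grew}")
```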
- ---------------------------------------------------------------
PC-Ohio PCBoard               PO Box 21411
The Best BBS in America       South Euclid OH 44121
DATA: 216-381-3320            pcohio.com
FAX: 216-291-2685
- ---------------------------------------------------------------

------------------------------

Date: Wed, 14 Dec 94 16:54:28 -0500
From: townsenb@nntp.sunbelt.net (Bill Townsend)
Subject: Re: FORM virus on Doublespaced Drives (PC)

Steve W. Taylor (misswt@leeds-metropolitan.ac.uk) wrote:

: Has anyone had any experience of getting rid of the FORM virus on MSDOS 6.2
: Doublespaced drives? Clean on NAV, DrSolomon etc. fails. Our only solution
: is to reformat.
: Help would be appreciated.

Have you tried to use McAfee's SCAN v212e? I have found that McAfee's programs clean just about everything. You can get it off the net at mcafee.com via ftp. If I remember correctly, it is in the /pub/antivirus directory - or it might just be /antivirus. Give that a try.

Bill Townsend
townsenb@lurch.winthrop.edu

------------------------------

Date: Wed, 14 Dec 94 16:57:29 -0500
From: allen@virtu.sar.usf.edu (Sandy Allen (SAR))
Subject: Trident virus info? (PC)

We also have the same virus here. The trident virus shows up with another virus called MtE. McAfee has no info on MtE. Once infected then cleaned, the computer shows an "Unrecoverable EMM386 error". How the devil do we get rid of it?

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Narrowness of mind is often the cause of obstinacy: we do not easily believe beyond what we see." La Rochefoucauld
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Wed, 14 Dec 94 17:58:02 -0500
From: tcarter@magnus.acs.ohio-state.edu (Tim J Carter)
Subject: Possible Gold Bug infection (PC)

Help!! I loaded a copy of Doom (which version, I don't know), and I have a feeling I have a virus because of it.
I just started reading this newsgroup, and I guess it may be the Gold Bug virus. What has happened, mainly, is that my computer will not log into my network. I have had many things done - changing ports, addresses, cards, etc., and it always seems like the problem is solved until the next day, same problem. Fprot came up once saying it detected a virus, but couldn't find it again. We thought it must have disinfected it. How do I get rid of this damn thing and are these the symptoms of Gold Bug (or possible symptoms??)

------------------------------

Date: Thu, 15 Dec 94 05:12:31 -0500
From: ct9308@mimas.hts.hsa.nl (J.P. Brouwer)
Subject: junk-virus on my PC- Help me!!! !!! (PC)

Hi netters,

Two days ago evil struck me: my new PC (not even a week old) has been infected with the JUNK-virus. Every single .com-file has been damaged. First I tried to use the latest version of MCAFEE, but this anti-virus program was not able to remove the virus from my system. Since there was not much on my harddisk at that time, I formatted my hd, trying to get rid of this torture. But again, Murphy's law proved to be right. At first, it seemed that the virus had disappeared, but after installing MS-DOS from clean diskettes and rebooting the system, my command.com for instance had grown from +/- 56 to +/- 57 kb. Checking my system with MCAFEE resulted in a virus report again. Is there a possibility of this virus being in my BIOS and if so, what should I do?? Please help me, before I go mad...!

Replies by Email, ct9308@mimas.hts.hsa.nl

Thanx in advance,
Kaybee

------------------------------

Date: Thu, 15 Dec 94 17:34:37 -0500
From: dvj57787@elroy.uh.edu (John, Dawn V)
Subject: Leonardo - is this a virus ? Cure? (PC)

Whenever I run a paint program in windows I get a message saying Leonardo has caused a general protection fault. Anybody else has run into this problem? Is there a solution for this? I tried to find a faq for this group but am in a hurry.
Thanks
Dawn

------------------------------

Date: Thu, 15 Dec 94 18:05:07 -0500
From: Scott Thorne <-Scott.Thorne-1@pp.ksc.nasa.gov>
Subject: Why does my system take naps? (PC)

I have noticed just since yesterday that my system stops all apparent activity for 10 to 15 seconds periodically. Very frustrating for me and especially for other users of this system. They start making extra mouse button and key presses, and when the system starts responding again, those extra presses can cause problems.

Only changes I know of are ones possibly caused when I installed a bunch of winsock apps during the past 48 hrs. Maybe one of them is causing a problem? Can't understand why though. I have the problem when none of them are even running. I hope it's not (I hate to say) a virus. Checked everything rigorously before running with W-Scan 2.1.3. I've never detected a virus yet. I checked the key files with sysedit and found nothing to indicate these problems, no significant changes when apps were installed... unless I'm overlooking something. We have Windows 3.1 with PCTCP stack (ver 2.3). If you have the time, any ideas would be appreciated.

Thanks,
Scott

*** Scott.Thorne-1@kmail.ksc.nasa.gov ***

------------------------------

Date: Thu, 15 Dec 94 21:09:11 -0500
From: ELJA.inc@mixcom.mixcom.com (ELJA inc)
Subject: Virus found on Compaq notebook: ANTIEXE (PC)

I apologize if this is not the correct newsgroup (comp.virus was empty or non-functional).

We have experienced a virus on a Compaq Contura 3/25 laptop system. The PS/2 mouse wouldn't work after the power was turned on. After calling COMPAQ tech. support, the technician determined that it was a virus by having us run CHKDSK and reporting the total bytes of memory. Usually this is 655,360, but in our case it was 654,457 or some number like that. After running McAfee virus-scan version 2.1.1, it eradicated the virus and now the mouse works. Supposedly, COMMAND.COM was not infected, which is good news.
The virus found and cleaned was called ANTIEXE, which I understand is similar to the STONED virus. Anybody ever have any experience with the ANTIEXE virus? I am still trying to determine where it came from. Any historical information on the ANTIEXE virus would be most appreciated.

Thank you.

Mike McWhinney
Elja, Inc.

- --
========================================================================
ELJA, Inc.   TEL: (414) 357-6771   FAX: (414) 357-9394   email: elja.inc@mixcom.com
========================================================================

------------------------------

Date: Fri, 16 Dec 94 03:04:24 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Happy birthday PC virus. Please help! (PC)

jvizcain@colibri.tid.es (Javier Vizcaino) 6 Dec 1994 16:29:31 wrote:

>I have been asked about a PC virus playing "Happy birthday" from time to
>time, which resists detection (several antivirus dated moreless mid 94).
>Does anyone know?

First of all you must look inside your Autoexec.bat or config.sys and search for something unusual. If you don't see anything wrong, look for some .EXE or .COM files. Compare these files with originals (example: Command.com, EMM386.Exe, etc.) in order to establish if the length of the files was altered. (Another way to do this is to create some "integrity checking" using some Anti-Virus Products that do this.) I recommend:

* Integrity Master
* Victor Charlie
* Thunderbyte Antivirus

Exe viruses (viruses that attack .EXE and .COM files) add their own code to original files, modifying their length. In this case (if it's a REAL virus) you may note some changes in files. Doing the checking that I refer to above you could have an opportunity to find infected files.

Kind Regards
Ruben Arias

- -----------------------------------------------------------------------------
Ruben Mario Arias
E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus
Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 16 Dec 94 09:48:10 -0500
From: Mikko Hypponen
Subject: Re: F-Prot Professional versus F-Prot Shareware (PC)

Julian Ilicki (Julian.Ilicki@soc.uu.se) wrote:
> Does anyone know if there is any significant difference
> between F-Prot Professional and F-Prot Shareware regarding
> scanning for viruses and disinfection capabilities?

No, there are no differences in the detection and disinfection capability, except that the Professional version is updated more frequently (once a month versus once every two months) and the Professional updates are sent out a little before the shareware version is published. However, there are several other differences between the shareware and the commercial version of F-PROT.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
'Of course this system supports n\061tion\061l ch\061r\061cters'

------------------------------

Date: Fri, 16 Dec 94 10:33:11 -0500
From: "David M. Chess"
Subject: Re: Virus Signatures needed. (PC)

> From: Michael Jackson
> I have a registered version of ThunderByte (TBAV), and can extract
> signatures. Here are the 10 signatures and the names of the viruses:
> VCL    86 F6 91 91 E8 F9 01
> PIXEL  50 B8 00 F0 8E
> ...

Those are much too short to be useful signatures! I'm sure TBAV uses more criteria than that (like an offset from the file's entrypoint, or whatever). If you just scan for 50B800F08E, you're likely to get lots of false positives; that's just

    PUSH AX        ; Save accumulator on stack
    MOV AX,F000    ; Move the value 0xF000 into accumulator
    MOV ?S,???     ; Move something into a segment register

which I would guess is found in various non-viral programs! If you're looking for virus signatures, you might try Virus Bulletin; they periodically publish some.
And of course remember that many current viruses are polymorphic and don't have simple signatures like this...

- - -- -
David M. Chess                 \ Femmes aux tetes de fleurs
High Integrity Computing Lab   \ retrouvant sur la plage la
IBM Watson Research            \ depouille d'un piano a queue

------------------------------

Date: Fri, 16 Dec 94 10:39:21 -0500
From: "David M. Chess"
Subject: Re: What can a virus do ? I need HELP! Please (PC)

> From: Michael Jackson
> Formatting a HD will remove any trace of a virus.

Not really, or at least not under all interpretations of that statement. In fact, formatting the hard disk is almost *never* the right thing to do to get rid of a virus infection (although if the virus has gone off and trashed lots of your data, you may have to do it to recover from *that*).

- An op-system format (the DOS command "FORMAT") will get rid of a virus in any files in the partition that you format (since it gets rid of the files), or in the partition's boot record (since it rebuilds that), but if you had a virus in the system's Master Boot Record (where many common boot viruses live), it won't touch that, and you'll still be infected.

- A low-level format of the hard disk will get rid of any virus on the hard disk (since it gets rid of all the data on the hard disk), BUT

- Either kind of FORMAT doesn't help with the copies of the virus on the diskettes that you're planning to rebuild your system from after the FORMAT. You're likely to re-install the virus as you're re-installing all the software that the FORMAT destroyed.

The best way to get rid of a virus infection is with anti-virus software (unless you're a real wizard and enjoy doing such things manually!). Formatting is almost never the right thing to do.

- - -- -
David M. Chess                 | "Master, how may I comprehend the One?"
High Integrity Computing Lab   | "Have you finished your coding?" "Yes."
IBM Watson Research            | "Then go and compile!"
                               -- Hacker Koan

------------------------------

Date: Fri, 16 Dec 94 10:42:30 -0500
From: "David M. Chess"
Subject: Monkey Virus ****** Possible FIX (PC)

> From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
> Can i conclude that there isn't an av-programm that can 'clean'
> the monkey virus??

Well, you can conclude that, but you'd be wrong! *8) Various anti-virus programs, including IBM AntiVirus, clean up the Monkey viruses just fine. People sometimes want manual fixes, thinking to avoid paying for an anti-virus program, but I think that in the long run just going out and buying a good a-v package is much more cost-effective...

DC

------------------------------

Date: Fri, 16 Dec 94 10:50:05 -0500
From: "David M. Chess"
Subject: Omicron PT (PC)

> From: PHILIP JAMES POWELL
> Does anyone know anything about the Omicron PT virus.

It'd help if you'd mention what anti-virus program was using that name. I'll guess, though, that you're dealing with one of the Flip viruses; they contain the string "OMICRON by Psychoblast", and they do infect the master boot record (which contains the partition table, hence the "PT"). Here's a description of the more common strain of Flip, from the IBM AntiVirus online help; IBMAV can detect and remove the virus.

  DOS EXE, COM, and master boot record infector
  2153 bytes

  When an infected file is executed on a machine with a hard disk, the hard disk's master boot record is altered to reinstall the virus in memory even if all infected files are removed. While the virus is in memory, any file executed becomes infected. On some second days of the month between 10:00 and 11:00 AM, the screen (including the individual characters) turns upside-down if an EGA-compatible display is in use. On some systems, especially those with large fixed disks, the virus will slightly corrupt the DOS partition by altering the DOS boot record's parameter block. This will not normally affect system operation, but some programs may malfunction.
  For instance, if a system that was once infected by this virus hangs when booted from an OS/2 installation diskette, it may be necessary to remove the DISKCACHE statement from the CONFIG.SYS file on the diskette.

- - -- -
David M. Chess                 | IBM Computer Virus Information Center
High Integrity Computing Lab   | gopher: index.almaden.ibm.com
IBM Watson Research            | http://index.almaden.ibm.com

------------------------------

Date: Fri, 16 Dec 94 11:30:50 -0500
From: safety@gti.gti.net (Safety Net)
Subject: Re: F-Prot Professional versus F-Prot Shareware (PC)

Julian Ilicki (Julian.Ilicki@soc.uu.se) wrote:
: Does anyone know if there is any significant difference
: between F-Prot Professional and F-Prot Shareware regarding
: scanning for viruses and disinfection capabilities?

No. They are all based on the same scanning engine and TSR, as are our VirusNet and VirusNet LAN products. The main difference is in the extra management facilities that they provide.

Regards,
Bob Janacek - Technical Director
Safetynet, Inc.

------------------------------

Date: Fri, 16 Dec 94 12:07:41 -0500
From: scook@kaiwan.com (Stephen M. Cook)
Subject: December1 (PC)

My son had his PC knocked down, C: drive FDISK disconnected, and all the files removed. At first we thought it was hardware, then we found that at the University he goes to, all computers (PC) had the same. Does anyone know about this? What it is, and any cures?

TIA
- --
scook@kaiwan.com | http://www.kaiwan.com/~scook | coquo ergo sum

------------------------------

Date: Fri, 16 Dec 94 12:58:46 -0500
From: Greg Davis
Subject: Re: HELP! My PC seems to be infected. (PC)

>Rinse Balk writes:
>Hello Magnus!
>
>12 Oct 94 18:20, Magnus Carstam wrote to All:
>
> MC> I don't know if this is anything but I've
> MC> heard of a virus called cascade and
> MC> a checker of IRQ has given the following
> MC> results
> MC> IRQ2 Cascade -> IRQ9
> MC> IRQ9 Cascade -> IRQ2.

I think you may be confusing hardware and software.
There is a Cascade Virus but I don't have any reference right now to tell you about it. If your PC is a 16-bit machine, IBM AT compatible, otherwise known as Industry Standard Architecture (ISA), you are looking at the IRQ "redirection" between the two IRQ chips (PICs). The original IBM PC used primarily eight-bit chips in its support circuitry. With the move to 16 bits, allowance had to be made: the output of the second IRQ chip (IRQ9) is redirected (cascaded) to IRQ2 on the first IRQ chip. BIOS/operating system also redirect IRQ2 back to IRQ9. The IRQ signals are used to determine which board in the PC needs service by the processor chip.

Greg Davis
greg.davis@DaytonOH.ATTGIS.COM
The comments and opinions expressed are those of the author and do not reflect those of AT&T or AT&T GIS.
DONT TREAD ON ME

------------------------------

Date: Fri, 16 Dec 94 12:58:54 -0500
From: Greg Davis
Subject: Re: Monkey Virus ****** Possible FIX (PC)

>Rinse Balk writes:
>Hello all!
>
>19 Oct 94 12:33, Internet Gateway wrote to All:
>
> IG> POSSIBLE FIX TO MONKEY VIRUS:
>
>Can i conclude that there isn't an av-programm that can 'clean'
>the monkey virus??

We have used McAfee to remove Monkey, although the older versions had trouble removing it from flex disks; had to move up to 2.13. The first time we were hit we used Killmonk3. I have recently seen Xmonkey on the 'net to remove Monkey.

Greg Davis
greg.davis@DaytonOH.ATTGIS.COM
The comments and opinions expressed are those of the author and do not reflect those of AT&T or AT&T GIS.
DONT TREAD ON ME

------------------------------

Date: Fri, 16 Dec 94 13:35:07 -0500
From: "Steven W. Smith"
Subject: Automating scanning on Netware (PC)

I've been reading here for years and don't recall seeing a solution for this, but I skip over a lot of stuff. That said...
I'd like to reduce our vulnerability to viruses by having a user's PC scanned periodically, with their consent, from a read-only account as they log onto our administrative Netware 3.11 server. The academic servers are read-only and have yet to be infected with anything. Not wanting to re-invent the wheel, I thought I'd check if anyone knows of such a system. I plan to use F-PROT for scanning, as we have a site license. Here's my picture of it; I'm looking for suggestions and improvements:

 o user logs in
 o program in system login script runs to check timestamp of a (hidden?) file (or bindery object?) on their local disk.
 o If it's been more than N days since last scan, prompt user "Scan, n/Y"
 o If answer is "Yes", log into account that executes F-PROT, then updates timestamp file. If answer is "No", continue with user's login.

This obviously is only a part of the grand scheme, but I think it's important to get the machines scanned periodically. The advantages from my perspective are:

 1- get machines scanned semi-regularly.
 2- F-PROT runs from a read-only area.
 3- since it's on the server I can keep "everyone's" copy up to date.
 4- more user-awareness (I can dream ;-)

Steven W. Smith - Systems Programmer, but not a Licensed Therapist
Glendale Community College, Glendale Az. USA
syssws@gc.maricopa.edu
If you're not a part of the solution, you're part of the precipitate.

------------------------------

Date: 16 Dec 94 16:39:24 +0000
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)
Subject: Re: HELP! My PC seems to be infected. (PC)

Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk) writes:
>Hello Magnus!
>12 Oct 94 18:20, Magnus Carstam wrote to All:
> MC> I don't know if this is anything but I've
> MC> heard of a virus called cascade and
> MC> a checker of IRQ has given the following
> MC> results
> MC> IRQ2 Cascade -> IRQ9
> MC> IRQ9 Cascade -> IRQ2.
> Could someone tell me what that Cascade means?

It's not a virus. It just means that IRQ2 etc.
is mapped from IRQ9 in the hardware interrupt processors.

- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work)
Beckman Instruments/Brea (for a few hours now, anyway)
If anyone has a job lead for a programmer with 23 years experience and a Math PhD, please give a jingle at one of the Email addresses below.
216-5888@mcimail.com   70707.453@compuserve.com   arubin@pro-sol.cts.com (personal)

------------------------------

Date: Thu, 08 Dec 94 11:49:00 +0200
From: Noam_Enav@f205.n9721.z9.virnet.bad.se (Noam Enav)
Subject: McAfee and Michelangelo (PC)

Ahoi There !
Why is it that SCAN removed the Michelangelo virus only from HDs and not from floppies ?

Thanks in advance,
N o a m   E n a v.
- ---
 * Origin: -= Aviv_BBS [CiCS_5] +972-3-6417720 14.4 Multi-Line =- (9:9721/205)

------------------------------

Date: Fri, 16 Dec 94 15:33:21 -0500
From: davidr@searchtech.com (David Resnick)
Subject: Keyboard problem (PC)

I'm having a problem with a Gateway 2000 4DX-33 and I'm wondering whether it could be a virus. The symptoms are:

 - Pressing the up-arrow key causes the computer to respond as though "Enter" was pressed
 - Pressing the left Alt key causes the computer to respond as though "Cntrl" was pressed
 - Pressing the left Cntrl key causes the computer to respond as though "." (period) was pressed

The other keys on the keyboard, including the right Alt and right Cntrl keys, all seem to work okay. The label on the back of the keyboard indicates that it is an "Anykey" keyboard, Model 2189014-XX-XXX. I'd appreciate any help or suggestions.

Dave
- --
David Resnick
Search Technology
davidr@searchtech.com
(404)441-1458 ext. 219

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 103]
******************************************
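A closing worked example, added here and written by neither the digest's contributors nor the TBAV authors, illustrating David M. Chess's point earlier in this issue about the five-byte PIXEL pattern: searching for it anywhere in a file flags a benign program whose data area happens to hold those bytes, while checking only at the executable's entry point does not. The MZ images are constructed in the code, and the entry-point rule is a stand-in for whatever extra criteria TBAV really applies.

```python
# Added example (not from the digest or from TBAV): why a five-byte pattern
# such as the quoted PIXEL bytes is a weak signature on its own, and how
# anchoring the check to the program's entry point removes one class of
# false positives.  All images below are constructed here.
import re
import struct

# The PIXEL bytes quoted above: PUSH AX / MOV AX,0F000h / MOV sreg,...
PIXEL_SIG = bytes.fromhex("50B800F08E")

def find_anywhere(data: bytes, sig: bytes) -> list:
    """Naive scan: every file offset (non-overlapping) at which sig occurs."""
    return [m.start() for m in re.finditer(re.escape(sig), data)]

def exe_entry_offset(data: bytes) -> int:
    """Entry-point file offset of a DOS MZ executable: e_cparhdr at 0x08
    (header size in paragraphs), e_ip at 0x14, e_cs at 0x16."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    cparhdr = struct.unpack_from("<H", data, 0x08)[0]
    ip, cs = struct.unpack_from("<HH", data, 0x14)
    return cparhdr * 16 + cs * 16 + ip

def match_at_entry(data: bytes, sig: bytes) -> bool:
    """Stricter rule: sig must begin exactly at the entry point."""
    off = exe_entry_offset(data)
    return data[off:off + len(sig)] == sig

def build_exe(code: bytes, data: bytes = b"") -> bytes:
    """Constructed minimal MZ image: 32-byte header, code, then data;
    CS:IP = 0:0, so execution starts right after the header."""
    header = bytearray(32)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, 2)      # header = 2 paragraphs
    struct.pack_into("<HH", header, 0x14, 0, 0)  # IP = 0, CS = 0
    return bytes(header) + code + data

# Benign program (MOV AX,4C00h / INT 21h: exit to DOS) whose data area
# happens to contain the same five bytes, e.g. inside a lookup table.
BENIGN = build_exe(b"\xB8\x00\x4C\xCD\x21",
                   data=b"\x00" * 7 + PIXEL_SIG + b"\xFF")
# Constructed suspect image: the pattern is the first thing executed
# (8E D8 = MOV DS,AX completes the third instruction).
SUSPECT = build_exe(PIXEL_SIG + b"\xD8" + b"\x90" * 10)

def classify(data: bytes, sig: bytes = PIXEL_SIG) -> str:
    """Verdict under both rules: 'clean', 'hit-anywhere' or 'hit-at-entry'."""
    if match_at_entry(data, sig):
        return "hit-at-entry"
    return "hit-anywhere" if find_anywhere(data, sig) else "clean"
```

Under the naive rule both images are hits; under the entry-point rule only the constructed suspect is, which is the kind of extra criterion that keeps a short pattern from firing on innocent data.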