VIRUS-L Digest   Monday,  6 Feb 1995    Volume 8 : Issue 8

Today's Topics:

Student computer labs
New Risk from the WWW
Christmas Virus?
Re: Virus scanner for Unix system (UNIX)
Re: Virus scanner for Unix system (UNIX)
Natas Virus (PC)
PINWORM or PINWORM_G virus: please help! (PC)
"Crazy Boot" virus? (PC)
New, destructive boot sector virus (PC)
ANTICMOS A VIRUS (PC)
JUNKIE.BOOT virus in game (PC)
What is a TAI-PAN virus? (PC)
Stoned virus in memory (PC)
DiskSecure-2.42 for Boot Sector Viruses. (LONG!) [Rev.1] (PC)
ANNOUNCE: FREE Virus Scanning Shell (PC)
Monkey Virus (PC)
Norton (PC)
Vdefend caused false +ve in Scan (PC)
Re: Gen b Stealth Virus (PC)
Form Virus - How to Find It? (PC)
Found NYB virus on friend's computer....NEED HELP! (PC)
JUNKIE.BOOT virus in game (PC)
Re: Monkey on "Stacked" Hard Drive (PC)
WSCAN214 Profiles (PC)
Re: what's wrong? (PC)
Anticmos (PC)
Scan 2.1.3 and 2KB Virus. (PC)
anti-CMOS virus (PC)
KHOBAR virus (PC)
Re: HELP: My pc has gone braindead.. (PC)
Parity Boot virus (PC)
Stoned.Standard (PC)
Re: Anti CMOS type B (PC)
"NoInt" (PC)
Need virus info. (PC)
Novell Lab protection.... (PC)
Virus-Scanning Software (PC)
Re: what's wrong? (PC)
Possible unknown virus (PC)
JUNKIE.BOOT virus in game (PC)
AntiCMOS-A help (PC)
Stealth [genb] Virus -- Crazy Boot Ver. 1.0 (PC)
Is this a virus or logic bomb, or is it a software conflict? (PC)
Monkey (Help) (PC)
Monkey virus (PC)
Help---AntiCMOS & B1 virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 21 Jan 95 10:05:49 -0500
From: brendaa999@aol.com (BrendaA999)
Subject: Student computer labs

I teach computer technology at a community college. We have about a dozen computer classrooms scattered around campus. Some of the rooms are available for student use when classes are not being held in them. I have been put in charge of a committee to set policies for the labs to prevent virus outbreaks. I think this is mainly common sense, but my boss wants me to find out what policies other campuses have. I would appreciate any suggestions or copies of policies from your campus or office.

Thanks.

Brenda Arnsdorff
Meridian, MS

------------------------------

Date: Mon, 23 Jan 95 08:28:09 -0500
From: jmacinty@mv.us.adobe.com
Subject: New Risk from the WWW

Hello, this is a crossposting from the Forum on Risks to the Public in Computers and Related Systems; please ignore it gently if you already have seen this contribution. For the rest of you, I guess, this may be interesting.

Best wishes,
Otto Stolz

*** Please use only my new address at uni-konstanz.de, as all Bitnet
*** addresses at DKNKURZ1 have expired, and all Internet addresses at
*** Nyx.Uni-Konstanz.de will do so some time in 1995.

- ----------------------------Original message----------------------------

At the end of January or the middle of February this year Microsoft will be introducing Internet Assistant, an HTML creator and WEB browser for Word for Windows 6.0.
The WEB browser will read Word 6.0 documents directly, and therefore the risk. Word documents can come with programming that will activate on opening. While this has always been a problem, document distribution hasn't generally been widespread until soon from now. Three types of things I can see happening:

1. Viral type documents. These are documents that will change your normal.dot and copy themselves from document to document.

2. Trojan Horse type 1 documents. These are documents that do something on opening, like delete files etc.... and possibly even harmless things.

3. Trojan Horse type 2 documents. Really scary documents that communicate BACK to the web-server without your knowing it, sending additional information gleaned from your machine and/or network.

There are some truly scary things that could be done with a creative VBA/CGI programmer. It is unfortunate that these risks exist, because otherwise the ability to have "programmable" documents on the web is a really cool concept. But nonetheless risks like these have to be dealt with.

John

------------------------------

Date: Wed, 25 Jan 95 17:46:05 -0500
From: sgrossin@carleton.edu (seth)
Subject: Christmas Virus?

Hello. Has anyone heard of the "Christmas Virus"? Does such a thing exist? Someone I know can't set the date on their computer. It always reverts to December 25, 1995. She suspects it may be caused by this virus. If you have more info, could you post here or send me mail, please?

--seth

------------------------------

Date: Wed, 25 Jan 95 13:23:47 -0500
From: "Tom Zmudzinski"
Subject: Re: Virus scanner for Unix system (UNIX)

Janet Blackburn 5-3861 posted to VIRUS-L Digest Wednesday, 25 Jan 1995 Volume 8 : Issue 4

> Having reread the FAQ to refresh my memory ...
>
> Is it still the general consensus that scanning for Unix viruses
> is not really necessary?
>
> Would anyone care to educate me further on the subject?

IMNSHO, scanning for Unix viruses on a Unix platform is overkill.
However, scanning for DOS viruses on a Unix server may be good business. It depends on one's local environment. It's generally more effective to do the scans as part of the DOS boot, but if you've got some PC clients that receive executable files (e.g. Mail Enabled Applications) and "never" get rebooted, you might want to add centralized virus scanning.

Just my $.02[*]

/z/

[*] Hey, don't laugh! That's a whole dollar after taxes!

------------------------------

Date: Wed, 25 Jan 95 13:36:57 -0500
From: radatti@cyber.com (Pete Radatti)
Subject: Re: Virus scanner for Unix system (UNIX)

> Date: Fri, 30 Dec 94 10:25:11 -0500
> From: Janet Blackburn 5-3861
>
> Having reread the FAQ to refresh my memory ...
>
> Is it still the general consensus that scanning for Unix viruses
> is not really necessary?

It depends upon what you are doing and what type of equipment you are using. If you are using a PC running Unix then there are lots of viruses that normally run under MS-DOS that will damage your system. There are Unix-only viruses, however they are still rare. There are a number of books that include detailed explanations on how to write viruses for Unix. Most Unix viruses are written in portable script and can move between versions of Unix with no problem. There is also the Chapter-13 virus which is a binary infector. The book it was published in mentioned that it will be much more of a problem when all the Unix companies adopt the common binary object format that everyone keeps talking about.

MS-DOS viruses that run on a PC Unix system don't have the same effect as they would on their target system. In general they just trash the filesystem since they are writing to places where they "think" it should be. In addition, if you are running an emulator for DOS or Mac then they can become infected. Finally, there is always the Typhoid Mary problem where the Unix system serves out infected files on the network to PCs and Macs. I have personally seen this problem.
A real and common problem on all Unix systems is trojan horses. They are not viruses but still create a lot of damage. The last trojan horse that had widespread coverage over the Internet was called "choosegirl.game". There are also back-doors such as was found in IRC. These forms of attack software are problems and can be located using scanner technology.

I believed that the combined problems of viruses, Typhoid Mary syndrome and other forms of attack software were enough of a problem that I wrote the VFind virus scanner for Unix 5 years ago. I and a whole bunch of other people use it to protect our systems.

[Moderator's note: Good points, IMHO. Additionally, UNIX trojan horses left behind by intruders are _very_ common. These include back doors, stealth-modified system diagnostic tools, audit record modifiers/editors, etc. Periodically scanning UNIX systems for _changes_ to existing executables (not just PC virus signatures) is _very_ good business. Be sure to NOT rely on standard UNIX checksums (a la /usr/ucb/sum), since the trojans mentioned above are frequently installed on a system using a tool known as "fixit", which modifies the executable's 16-bit CRC to match that of the original that it is replacing; MD5 is your friend. Happy hunting.]

------------------------------

From: Peter Radatti
Subject: Heterogeneous Computer Viruses In Unix (Unix)

The following paper was published by me in 1991. It was carried in a security newsletter but was never published on the net. The paper was written for people that didn't understand the problems of viruses as well as the readers of virus-l, so it may be a little slow to read. Feel free to email me any comments but please remember that the paper was written in 1991, not 1995.

Pete

Technical White Paper

Title: Heterogeneous Computer Viruses In A Networked Unix Environment
Subtitle: Heterogeneous Computer Virus Infections
By: Peter V. Radatti  radatti@cyber.com
Date: September 1991

This paper is intended to inform the Unix and computer communities about formally undocumented computer virus problems. My observations of these problems were made at heterogeneous Unix network sites and confirmed by discussions with system administrators at other sites. I believe that these problems are not limited to Unix or heterogeneous networks. Furthermore, I expect the problem to expand in complexity, scope and virulence.

I have observed non-Unix personal computers attached to a heterogeneous network that were infected with computer viruses originating from Unix workstations. The Unix systems were not the original point of entry for the viruses. The viruses were dormant while on the Unix nodes and became harmful when they migrated to their target systems. The Unix systems acted as unaffected carriers of computer viruses for other platforms of computers. For the sake of simplicity, I have coined the phrase "Typhoid Mary Syndrome" when describing this problem.

Typhoid Mary was an unfortunate New York City carrier of Typhoid Fever in the 1930's. Although Mary was an unaffected carrier of the disease, she unknowingly spread it to members of almost every establishment in which she was employed. The similarities between Typhoid Mary and the computer problem named Typhoid Mary Syndrome are close. Networks, and specifically Unix because of its ability to provide networked file systems, are susceptible to this problem. Using an example of MS-DOS personal computers on a network of Unix systems, the Typhoid Mary Syndrome would be in effect if the viruses that were targeted against the MS-DOS platforms migrated to the Unix systems. Once on the Unix system, the viruses remain dormant until they migrate to an MS-DOS platform.

I became aware of this problem when I took part in the investigation of an infection of personal computers on a network with a large population of Unix workstations and servers.
The virus was manually attacked on the personal computers using virus scanners. During the infection, all of the target platform computers were disconnected from the network and unused. All removable media was checked. Once all infected files were identified and removed, the personal computers were reattached to the network. A few weeks later, a sanity check using the same virus scanner was performed on the target platform with positive results. The same computer virus strain had reinfected the systems. Since the systems and all removable media had been cleansed, the network came under suspicion.

In retrospect, this problem had to exist. The use of network file systems that were exported from the Unix platform to the personal computer platforms provided an easy, powerful method of transferring data, including executables. Some network designs provide all third party software from a network disk for ease of maintenance and reduced storage overhead. This easy access provides an open door for viruses. What I found surprising was the fact that the viruses were able to migrate out of the common storage areas into users' home directories. Users had several reasons for performing this action, the most prevalent being to have a "safe" copy of the program.

Additional methods of migration may exist that I have not considered. Some migration functions may be a deliberate act of the virus designer. This may be accomplished using a similar design as demonstrated by the Internet Worm, which was able to migrate to dissimilar Unix systems and then adapt to its new host environment.

The most obvious method of reducing the possibility of the Typhoid Mary Syndrome is to carefully regulate and control what type of files can move between platforms. Although it is possible to infect data files, the virus would be rendered harmless in a non-executable file. It is therefore reasonable to assume that the movement of data files such as word processing documents across platforms is safe.
The examples presented have been the result of direct single action events such as a user copying MS-DOS executables over the network. When the problem enters multilevel action events, or includes time delay events, then the complexity of the problem increases. If the virus copied had been the Friday the 13th virus and the reinfection had been delayed by external events, then the results of the infection on the target machine would be felt at a variable time plus the time required to reach activation after the initial transfer of the virus to the carrier system.

"Effective Interval":  Ei = Td + Ta

where:
  Td = delay in transfer to target,
  Ta = positive value activation interval.

A third level of complexity is introduced through the import and export of files. Files can be imported through many sources, including removable media such as magnetic tape. There have been several documented cases of manufacturers delivering shrink-wrapped software which contained viruses. A fourth level of complexity can be introduced through the use of a Wide Area Network such as the Internet or more traditional computer bulletin boards.

In addition to the Typhoid Mary Syndrome, there are several other types of harmful software that are native to and targeted against Unix systems. They are trojan horses, logic bombs and worms. Worms require considerable commitment and a strong understanding of the Unix system to write. For the immediate future, worm attacks will be rare due to the skill required to author one. As has happened with computer viruses, that skill may become more commonplace if anyone publishes the source code to a worm. The increasing availability of Unix systems could combine with a "recipe" to place the required skill and systems into the hands of otherwise ineffective potential authors. Trojan horses and logic bombs are simple programs that can be written by programmers of high school skill level.
Trojan horses appear to be performing desired processing while creating damage. They are spread by unsuspecting users who copy them in order to take advantage of their usefulness. Many trojan horses are hidden in computer games. One recent trojan horse that was spread via the Internet was called "choosegirl.game". Logic bombs or time bombs are simple programs that wait for an event to occur, such as midnight, and then damage the system. A simple time bomb might wait until 10 minutes before a scheduled system backup and then destroy the file system.

Viruses that directly target Unix systems have been written and demonstrated under controlled research conditions. The first computer virus ever written was for the Unix system. Viruses are not currently a major problem for Unix, however, as the popularity of the Unix system grows, so will the threat.

Anyone wishing to comment on this paper may contact me:

Peter V. Radatti
CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428 USA
Telephone: (610) 825-4748, FAX: (610) 825-6785
E-mail: radatti@cyber.com

Copyright, September 1991 by Peter V. Radatti. All rights reserved.

- -----------------------------------------------------------------------------

Post Note: July 1994

This paper now appears to me as very dated. The number of viruses that directly attack Unix systems has increased, although they are still small in number. Currently there are the AT&T Virus (aka: Usenix Virus), the Ls Virus and the Chapter-13 Virus. There is also a compiler defiler "virus", however it has not been found in the wild and therefore does not count. In addition, Unix systems now directly execute Microsoft Windows, MS-DOS and Apple Mac executables in emulation mode. These emulators are all directly susceptible to attack. Besides emulation mode, Unix executing on IBM PC type platforms has been found, in the wild, executing MS-DOS viruses. The MS-DOS virus infected Unix executables.
The processor and BIOS are both the same and many viruses can co-exist on both platforms. I assume that the same will be true of Apple Mac(s) and all other systems that can run Unix.

Pete

End of Document

------------------------------

Date: Sat, 21 Jan 95 13:11:42 -0500
From: Roberto Parker
Subject: Natas Virus (PC)

We have developed a Natas Specific Antivirus.

Roberto Parker

------------------------------

Date: Sun, 22 Jan 95 18:14:44 -0500
From: tlipschultz@delphi.com
Subject: PINWORM or PINWORM_G virus: please help! (PC)

I believe that I'm infected with the PINWORM or PINWORM_G virus. My symptoms:

1) Disk access speed has greatly slowed down. It now takes 15 seconds to load an EXE that used to run instantly.

2) Missing conventional memory. I used to have 593,000 bytes free, now I only have 540,000 bytes free, and nothing new was loaded or changed. I noticed that my total memory is also down to 634k. The huge reduction in memory happened overnight.

3) Both MSAV and SCAN (unreleased version) have been altered. Upon using them, I receive the DOS error "Program too big to fit into memory". Each program uses very little conventional memory. Oddly, VSAFE was not affected.

4) Some programs cause the computer to lock up 50% of the time. DEFRAG causes the computer to lock up each time I attempt to use it.

If I do indeed have the virus, I acquired it almost exactly 24 hours ago from the posting of this note. There is another theory that these problems are the result of a bug in the MS-DOS 6.2 command MSBACKUP. If ANYONE knows how to remove this virus and/or bug, please email me at TLIPSCHULTZ@DELPHI.COM. If you're curious, VSAFE is not detecting anything.

Thanks for whatever help you can give!

-Thomas Lipschultz

------------------------------

Date: Mon, 23 Jan 95 06:41:55 -0500
From: usmmmx10@ibmmail.com
Subject: "Crazy Boot" virus? (PC)

hi all,

do you know any disinfector for "Crazy Boot" viruses?
thanks in advance

Best Regards,
Feridun

------------------------------

Date: Mon, 23 Jan 95 10:11:38 -0500
From: runefr@ifi.uio.no (Rune Frøysa)
Subject: New, destructive boot sector virus (PC)

We've detected a new and destructive boot sector virus. The virus has been sent to frisk@complex.is, and analysed by Norman Defence System. McAfee has also been contacted. The virus has at least existed since 16 Dec 1994. The byte sequence C2 33 D2 26 can be found on floppy and HD boot sectors of infected systems, but I don't know if this is a "proper" signature.

/Rune

------------------------------

Date: Mon, 23 Jan 95 20:56:07 -0500
From: Bill Staples
Subject: ANTICMOS A VIRUS (PC)

I recently downloaded the new McAfee Viruscan and found to my surprise the ANTICMOS A VIRUS on the boot sector of my hard disk and all other floppies of mine. All attempts to figure out what the virus is or how to get rid of it have failed. (McAfee says it can't be cleaned). Has anyone heard of this virus? Does anyone know the cure......

Thanks for any help.

Email: wjs@destiny.itsnet.com

------------------------------

Date: Mon, 23 Jan 95 22:24:57 -0500
From: noel@rdt.monash.edu.au (Noel Rode)
Subject: JUNKIE.BOOT virus in game (PC)

I spent the day yesterday getting rid of the JUNKIE.BOOT virus off my cousin's PC. I think if I had V214 of McAfee scan it would have helped a lot. I located the source where I got the virus from. It came from a game called "Quarter Pole" by Microleague. Each of the four (write protected) disks was infected.

I'm sure it must have been said many times before but please be sure to scan ANY new disks purchased before making use of them.

Noel Rode

- --
- -------------------------------------------------------------------------
- - Noel J. Rode (Ph.D Candidate)           e-mail: noel@rdt.monash.edu.au -
- - Dept. Robotics and Digital Technology   Phone : +61 3 905 3575         -
- - Monash University, Clayton Campus,      Fax   : +61 3 905 3574         -
- -------------------------------------------------------------------------

------------------------------

Date: Tue, 24 Jan 95 08:19:14 -0500
From: d94ba@efd.lth.se (Bjoern Andreasson)
Subject: What is a TAI-PAN virus? (PC)

I suspect that my computer has been infected with a virus called TAI-PAN. The virus attacks my files randomly; no special type of file is the target of infection. I noticed that some files all of a sudden have become 438 bytes larger. When I took a closer look I noticed that at the end of all the "infected" files (in the code) there was an appendix saying "Whisper presenterar Tai-Pan". I could just track approx. 240 bytes of the virus in the program. The other 198 bytes were for me untraceable.

Now I have a few questions:

1) What damage does the virus do?
2) Is there an antidote to the virus and where can I find it?
3) How can I remove it?

Please contact me if you have an answer to my question! Thank you!

d94ba@efd.lth.se

------------------------------

Date: Tue, 24 Jan 95 13:50:47 -0500
From: z3f192@ugrad.cs.ubc.ca (Catherine Maxcy Chow)
Subject: Stoned virus in memory (PC)

Hello,

A Stoned virus search string is found in the partition table of my computer. I do not know how to get rid of it; I tried several scanning software packages, and they seem not able to remove the virus from memory. It also said that the boot sector is infected. Please let me know how to get rid of it!

Thank you.

Cathy

------------------------------

Date: Tue, 24 Jan 95 15:04:07 -0500
From: Mike Ramey
Subject: DiskSecure-2.42 for Boot Sector Viruses. (LONG!) [Rev.1] (PC)

The following message contains my experiences with Padgett Peterson's DiskSecure-2.42 program. I was prompted to try using it because it is highly recommended in "Robert Slade's Guide to Computer Viruses", which was recently published. I think it is a program well worth using.
This information is provided without warranty or guarantee of any kind; I hope it proves useful to you. -- Mike Ramey (-mr)

This weekend I learned how to use Padgett Peterson's DiskSecure-2.4 programs to protect the hard-disk against boot-sector infectors. The original documentation may be confusing; but the "Quick Start" instructions _do_ work. I recommend you read _all_ the documentation before attempting to use the program, ... and then try it out.

I cannot recommend this program for distribution to naive users, because it makes changes to the hard-disk MBR (Master Boot Record) and requires careful reading of the documentation, and careful installation to ensure recovery later. Once installed, this program does _not_ require periodic updating; it is an MBR change-detection (and recovery) program.

After reading (and re-reading) the complete documentation, I used the "Quick Start" instructions to install the program. If you plan to install this program, here are some things I would recommend:

- Cold boot from a known-clean floppy.

- Use a virus scanner to ensure you do not _already_ have an infected boot sector (which will be saved by DiskSecure for deinstallation).

- Reboot from the computer's hard disk, so that DiskSecure can determine (during its install process) what the true operating environment will be (what TSR's will be running etc.).

- Be sure the directory C:\DS2\ is not already in use. (There is not yet any provision in DS2INST.BAT for specifying another directory.)

- Ensure that C:\AUTOEXEC.BAT and C:\CONFIG.SYS are *not* read-only. The DiskSecure install procedure will ask permission to modify these files; if they are read-only, they cannot be modified. The original AUTOEXEC and CONFIG files will be saved in the C:\DS2\ directory. (I modified my copy of DS2INST.BAT to avoid this problem by using the REPLACE command.)

- Manually modify CONFIG.SYS and AUTOEXEC.BAT to run DS2CHK.EXE and DS2MOVE.SYS from C:\BAT\ or other utility directory. (I modified DS2INST.BAT, DS2.B, DS2.C to do this during installation.) This allows you to remove the C:\DS2\ files to prevent modification of DiskSecure, such as unauthorized installation of a password.

- It appears that the reply checking in DS2INST.BAT is not thorough; I have not yet determined what happens if you hit a random key.

- During installation, be careful to strike the response keys just once! It may be that accidental multiple responses will be used on the next questions. (I have not tested this.)

- During installation, when asked "Do you wish to save the partition table(s) to a file?", be sure to answer 'y'.

- If you choose to rename the DSRPART.DAT (MBR/Partition-Table recovery file/program), do NOT use 'anyname.COM'; an error at the end of the DS2INST.BAT file deletes all *.COM files from the installation/working directory. I modified DS2INST.BAT to fix this.

- Be _sure_ to copy the MBR-Recovery file to a diskette for future emergency recovery _and_ identify the specific computer it came from. Use an inventory or serial number, such as U1234567.COM for the copy. {This file is called DSPART.DAT in the documentation but is created as DSRPART.DAT during installation. It will recover the MBR; _but_ if you execute the wrong DSRPART.COM file, the entire hard-disk will become unreadable!!! Be careful.}

I just now tried infecting a Disk-Secure'd computer with the 'Form' virus by doing a power-off reboot from an infected floppy disk. I got the usual "Non-System disk ..." from the floppy. When I removed it to continue booting from the hard-disk, I got:

    Vector Error
    DiskSecure Recovery Mode (C)1993 Padgett
    Recovery pursued, Press any key to continue
    Starting MS-DOS...
    [ and other usual messages ]

and there was _no_ evidence of infection after completion of the boot! I wish the message above were more explicit, but perhaps there are conditions where the recovery cannot be performed automatically at boot time ("Azusa" is mentioned in the documentation).
I recommend this program highly. To get the program, see below ...

- ------ forwarded from the comp.virus newsgroup ------

~From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
~Date: 2 Jan 94 16:48:11 GMT
~Newsgroups: comp.virus
~Subject: diskse24.zip - DiskSecure: Protects hard disk partition table (PC)

[ DiskSecure-2.42 (an updated version) is available from:
[   host:      oak.oakland.edu
[   directory: pub/msdos/virus
[   file:      dsii242.zip
[   URL:       ftp://oak.oakland.edu/pub/msdos/virus/dsii242.zip
[ See below for alternate file name at other sites.  -mr ]

DiskSecure v2.4

Disksecure II is a BIOS level antivirus program for Intel platforms that combines integrity management with BIOS definitions. It uses multiple redundancy to detect/block/remove MBR and DBR infections. DS II is also the only known antivirus program that will also block MBR "droppers". Used in conjunction with a BIOS that selects booting from the hard disk only, it will provide complete protection against low-level infections.

DiskSecure II is compatible with Novell Netware for use on Novell servers. Provision is also made for booting from a standard floppy disk following authentication. It also includes a simple access control (password) mechanism that cannot be bypassed by DOS 6 F5/F8.

DiskSecure II is copyrighted FreeWare (no charge for individual use) - custom logos/features/switches are available on a site/corporate license basis.

Uploaded by the author.

Padgett

- - - - A. Padgett Peterson  padgett@tccslr.dnet.mmc.com

- ----- Mike Ramey wrote to Padgett:

>This is what I found (after much searching):
>ftp://oak.oakland.edu/pub/msdos/virus/diskse24.zip is version 2.4
>ftp://oak.oakland.edu/pub/msdos/virus/dsii242.zip is version 2.42
>This is very confusing. ...  -mr

- ----- From: padgett@tccslr.dnet.mmc.com

[That is true only at oak.oakland.edu]: everywhere else in the world it is just DS242.ZIP (DS followed by the version number).
Seems OAK already had a DSxxx.ZIP in its directory services area and we negotiated the DSIIxxx.ZIP since that was closer to DS2. [The file name] Is standardized now. [It] Will always be either DSxxx or DSIIxxx with the last three being the version number. [edits by -mr]

Batch (and related) files for DiskSecure-2.42 as modified by Mike Ramey:

- ------------------------------------------------------------------------

DS2INST.BAT
===========

@echo off
echo off
:: Modified DS2INST.BAT file for version 2.42 of DiskSecure2.
::
:: 94-12-07; modified by Mike Ramey to ...
::  - install boot-time files in C:\BAT\ directory;
::  - use REPLACE to update/overwrite read-only files;
::  - (at ENDIT) *not* delete C:\DS2\*.COM files [ this caused
::    deletion of DSRPART.DAT file if it was renamed ANYTHING.COM ];
::  - at end exit to C:\DS2\ directory (for cleanup & DSRPART copy);
::
:: START
rem Invocation syntax: DS2INST [drive DS files are on] [drive to install]
rem e.g. DS2INST a d (do not include colons).  If DS2INST is invoked
rem without any parameters, it will assume from a & to c
set d1=%1
set d2=%2
if t%d1%==t set d1=a
if t%d2%==t set d2=c
echo.
echo Use this installation file only if DISKSECURE II is on a floppy disk
echo (A/B) and you are installing to a hard disk.
echo Otherwise install manually (see documentation)
echo.
echo DISKSECURE II will be installed from drive %d1% to drive %d2%
echo press control-C to exit if incorrect, (enter) to continue.
echo.
echo. Modified by Mike Ramey to install and run DS2CHK.EXE
echo. and DS2MOVE.SYS in/from the C:\BAT\ directory, which will be
echo. created if it does not exist.  All other DiskSecure-II files
echo. -- including the DS[R]PART.DAT/.COM (MBR Recovery File) --
echo. will be copied to the (default) C:\DS2\ directory, which
echo. will be created if it does not exist.
echo. Also modified to use dos REPLACE command to update
echo. the AUTOEXEC.BAT and CONFIG.SYS files.  This will work even
echo. if they are read-only files!
echo.
echo. STOP NOW and be sure the C:\DS2 directory does NOT exist
echo. -- to avoid overwriting any user files !!!  Then re-run.
echo.
pause
echo.
:: Change to the hard disk [C:]. -mr
%d2%:
%d1%:chk512
if not errorlevel 1 goto secok
echo.
echo Invalid disk sector size (over 512 bytes) - cannot install DiskSecure II
goto endit
:SECOK
%d1%:dos32.com
if not errorlevel 1 goto lowdos
echo.
%d1%:chkint13.com
if errorlevel 1 goto intok
echo.
echo Interrupt 13 vector report invalid. If QEMM386 "stealth" not in effect,
echo you may have a virus already. In any event, DiskSec II cannot initialize.
echo If no virus is found, you may have to boot from a "bare floppy" to install.
goto endit
:INTOK
echo.
echo Interrupt 13 validated.
echo.
:: Already on hard drive [C:], change to root directory. -mr
cd \
:: Insure [C:]\BAT\ directory exists. -mr
echo on
MD \BAT
echo off
::
md \ds2
cd \ds2
:: Change to floppy disk [A:]. -mr
%d1%:
echo.
echo Copying DS2 files to %d2%:\ds2
copy *.* %d2%: >nul
::
echo. Copying DS2CHK.EXE and DS2MOVE.SYS to the %d2%:\BAT directory.
REPLACE DS2CHK.EXE %d2%:\BAT\ /R
REPLACE DS2CHK.EXE %d2%:\BAT\ /A
ATTRIB +R %d2%:\BAT\DS2CHK.EXE
REPLACE DS2MOVE.SYS %d2%:\BAT\ /R
REPLACE DS2MOVE.SYS %d2%:\BAT\ /A
ATTRIB +R %d2%:\BAT\DS2MOVE.SYS
::
:: Change to the hard disk [C:]. -mr
%d2%:
echo.
echo Do I have permission to add DISKSECURE II verification to your
echo AUTOEXEC.BAT file ? (y/n)
ask
if errorlevel 89 if not errorlevel 90 goto addbat
goto next
:ADDBAT
if not exist c:\autoexec.bat goto newbat
echo.
echo The original AUTOEXEC.BAT is being saved as %d2%:\ds2\autoexec.ds
copy c:\autoexec.bat autoexec.ds >nul
:: copy ds2chk.exe c:\ >nul   {copied to C:\BAT\ with REPLACE commands -mr}
copy ds2.b+autoexec.ds autoexec.bat >nul
REPLACE AUTOEXEC.BAT C:\ /R
goto dsconfig
:NEWBAT
copy ds2.b c:\autoexec.bat >nul
goto dsconfig
:NEXT
echo.
echo It is suggested that the command lines in file DS.B be added to your
echo startup procedure to verify proper operation of DISKSECURE.
goto dsconfig
:DSCONFIG
echo.
echo This PC is currently running DOS 3.2 or above. If this is correct for
echo normal operation then do I have permission to add DISKSECURE II
echo DS2MOVE.SYS to your CONFIG.SYS file ?
echo This will make maximum available memory to DOS. (y/n)
ask
if errorlevel 89 if not errorlevel 90 goto addcon
goto next2
:ADDCON
:: copy ds2move.sys c:\ >nul   {copied to C:\BAT\ with REPLACE commands -mr}
copy c:\config.sys config.ds >nul
echo.
qemmst.com
if not errorlevel 127 goto cok2
echo.
echo If QEMM DOSDATA.SYS and DOS_UP.SYS are present in CONFIG.SYS
echo DS2MOVE.SYS may be installed only AFTER these drivers.
echo DS2INST will place DS2MOVE.SYS LAST in CONFIG.SYS. To install
echo first, you will have to install the device driver manually.
echo.
echo Do you wish to continue (y) or skip the update of CONFIG.SYS (n) ?
ask
if errorlevel 89 if not errorlevel 90 goto cok1
goto next2
:COK1
:: echo If QEMM DOSDATA.SYS and DOS_UP.SYS are present in CONFIG.SYS ...
if not exist c:\config.sys goto newsys
echo The original CONFIG.SYS is being saved as %d2%:\ds2\config.ds
copy config.ds+cr.lf+ds2.c config.sys >nul
REPLACE CONFIG.SYS C:\ /R
goto dsin
:COK2
echo.
echo The original CONFIG.SYS is being saved as %d2%:\ds2\config.ds
copy ds2.c+config.ds config.sys >nul
REPLACE CONFIG.SYS C:\ /R
goto dsin
:NEWSYS
copy ds2.c c:\config.sys >nul
goto dsin
:NEXT2
echo.
echo It is suggested that the command line in file DS2.C be added to your
echo CONFIG.SYS file for minimal memory use.
:DSIN
disksec2
goto endit
:LOWDOS
echo.
echo The DiskSecure files have been copied to your hard disk however you
echo are not currently running DOS 3.2 or above. While the DiskSecure
echo protection does not require this, the installation procedure does
echo to be able to properly set up the automatic recovery feature.
echo. [ NO files have been copied. -mr ]
echo.
echo Consequently, you will have to boot the machine with DOS 3.2 or above
echo and run DiskSec2.exe manually or rerun this .BAT file to fully install
echo the product.
goto endit
:ENDIT
:: del *.com
del ds2inst.bat
del ds2.c
del ds2.b
del cr.lf
set d1=
set d2=
cd A:\
cd C:\DS2
C:
echo.
:: END

DS2.B
=====
@echo off
:: --- Remove DS2 before updating DOS or repartitioning fixed-disk!
c:\BAT\ds2chk.exe >nul
if not errorlevel 1 pause

DS2.C
=====
; --- Remove DS2 before updating DOS or repartitioning fixed-disk!
device=C:\BAT\ds2move.sys

DS2REMOV.BAT
============
@echo off
echo off
echo.
echo DS2REMOV.BAT
echo 94-12-07; revised and corrected for version 2.42 of DiskSecure2. -mr
echo.
echo This batch file will remove DiskSecure files from the root directory
echo of the fixed disk (C:\DS2CHK.EXE and C:\DS2MOVE.SYS). It will leave
echo the C:\DS2\ directory and all files in it; these may be deleted if
echo desired. The DISKSEC2 program will be invoked to replace the
echo DS2-modified MBR (Master Boot Record) with the original MBR.
echo.
echo WARNING - AUTOEXEC.BAT and CONFIG.SYS files will be returned to
echo condition found when DiskSecure was first installed.
echo.
echo Be sure that none of the files C:\AUTOEXEC.BAT, C:\CONFIG.SYS,
echo C:\DS2CHK.EXE, and C:\DS2MOVE.SYS are read-only; this will
echo prevent complete removal and restoration of these files.
echo.
echo Enter Ctrl-C to exit without removing.
echo.
pause
:START
if not exist config.ds goto nogood
if not exist autoexec.ds goto nogood
if not exist disksec2.exe goto nogood
echo DiskSecure II removal routine requested
if exist c:\ds2move.sys del c:\ds2move.sys >nul
if exist c:\ds2chk.exe del c:\ds2chk.exe >nul
copy config.ds c:\config.sys >nul
copy autoexec.ds c:\autoexec.bat >nul
disksec2.exe
goto endit
:NOGOOD
echo.
echo ERROR -- no changes have been made.
echo.
echo DiskSecure batch removal can only be requested while in the
echo same directory as CONFIG.DS, AUTOEXEC.DS, and DISKSEC2.EXE.
echo This is usually the C:\DS2\ directory.
echo.
echo If changes were _not_ made to AUTOEXEC.BAT and CONFIG.SYS when
echo DiskSecure was installed, removal may be accomplished by using
echo the DISKSEC2.EXE program alone.
echo.
:ENDIT

=== End-of-Message -mr ===

------------------------------

Date: Wed, 25 Jan 95 09:15:48 -0500
From: "Mark Hazen"
Subject: ANNOUNCE: FREE Virus Scanning Shell (PC)

On Wed, 04 Jan 95 at 17:49:17, Garrett Mead wrote:
>Subject: Novell Lab protection.... (PC)
>
>I am interested in providing the best overall virus protection for my
>Netware 3.11 100 user Novell network. Last semester I had a really
>bad run-in with viruses (and for those of you running campus labs,
>finals week is bad enough WITHOUT the added problems of viruses :) )

I suppose it's time I made the announcements. I've been working for the past half year or so, in my copious spare time, on a virus scanning shell that uses F-Prot shareware over a network, and provides centralized reporting to any user.

The shell was written ENTIRELY in 4DOS scripting, which is called by running a .BAT file. Ergo, you do NOT have to be using 4DOS as a shell on workstations to use this scanner; you ONLY have to have 4DOS installed somewhere on your network.

I decided not to rewrite this in C... I left it in script format because 1) it's a pretty polished system as is, and 2) because EVERY NOVELL NETWORK ON THE FACE OF THE EARTH IS DIFFERENT... everyone has special needs. In the script form, it's VERY easy for anyone who can write a batch file to customize the script for their own special needs.

The system includes a comprehensive installer, easy to follow documentation, and has been beta tested. There are a few features I will change as time goes by, but it is in a completely functional form.

This product is FREE... but because of my schedule, I really can't spend my work hours supporting it.
If there are bugs, I will fix them and release updates, but I have had a 2 month beta-test period and have cleaned up the two (!) bugs we found. I use this system to keep our network clean.

Please note: I am requesting that the folks who -do- use this system, please register the shareware packages F-Prot and 4DOS, both of which are invaluable to anyone maintaining DOS networks.

To obtain this package, ftp to: ftp.fcs.uga.edu and grab the file: vste202.zip

Let me know how it works for you, and if there are other features you would like to see!

-Mark H.

- ----------------------------------------------------------------------
*/ Mark Hazen                               mhazen@fcs.uga.edu         /*
*/ Computer & Network Support               hazen@phoenix.cs.uga.edu   /*
*/ College of Family & Consumer Sciences    phone: (706) 542-4864      /*
*/ FCS Users: Send Service Requests/Questions to helpdesk@fcs.uga.edu  /*

------------------------------

Date: Wed, 25 Jan 95 10:22:32 -0500
From: jlaws@IndyNet.indy.net (James R. Laws)
Subject: Monkey Virus (PC)

Help. I have been plagued with the Monkey Virus. It keeps coming back. Last night I removed the Monkey Virus once again and now my computer won't recognize the "D" drive. I have tried everything that I can think of including running the setup program again. When I went back to my hard drive installation software it recognizes the "D" drive and the drive tests out perfectly. I can't see the "D" drive in either DOS or Windows. How do I get rid of the Monkey Virus permanently? I have been removing it with my Microsoft Antivirus program located on my "C" drive but it keeps coming back. How do I restore my "D" drive? Any help would be greatly appreciated. Please E-mail me at jlaws@indy.net.

Thanks!!!!

------------------------------

Date: Wed, 25 Jan 95 10:25:00 -0500
From: hiscrp@leonis.nus.sg (C R Pennell)
Subject: Norton (PC)

I have Norton Utilities V. 8. This has a TSR program which notifies me if any change is attempted to a .com or .exe file.
I.e. if something tries to change or delete one of those files it flashes a warning. How much extra protection does this give against viruses, over and above the VIRSTOP which comes with F-PROT?

Richard Pennell
History
National University of Singapore
hiscrp@leonis.nus.sg

------------------------------

Date: Wed, 25 Jan 95 11:51:51 -0500
From: "A.Appleyard"
Subject: Vdefend caused false +ve in Scan (PC)

After a virus alarm had got a student in my department to virus check his home PC, SCAN 213 said that his PC had Israeli Boot. This was a false positive caused by a 1991-vintage VDEFEND antiviral which was still in his PC and activated by a line in AUTOEXEC.BAT. (His PC is second-hand and came with FOUR! hard disks in, each 32 megabytes, C: D: E: F:)

------------------------------

Date: Wed, 25 Jan 95 13:51:26 -0500
From: jrushin@ibm.net
Subject: Re: Gen b Stealth Virus (PC)

carlson@PrimeNet.Com (Don Carlson) writes:
>This is a type of boot sector virus that encrypts data from the boot
>sector and hides it away. It messes with interrupt 13, taking control of
>the dialog between the hard disk and the floppy disk. The virus doesn't
>destroy a lot of files (at least I hope), but it doesn't allow you to run
>Windoze (bad, if you keep databases in there).
>
>I detected the virus using VShield from McGafee, a memory resident
>program that is always looking for signs of viral activity.
>Unfortunately, I haven't found any utilities that will successfully kill
>this virus (clean 117 from McGafee won't do it and their BBS is always
>busy lately). Does anyone know of a utility already written to kill this
>bugger?

my colleague came to me today; he inadvertently booted with a diskette someone had given him in his disk drive. after he rebooted, he could not run Windows. when he executed the WIN command, the screen would blank as though Windows was loading, then he was returned to a DOS prompt.
we booted the machine with a clean, write-protected boot disk that has McAfee SCAN 2.1.1 (212). Scanning the hard drive, the Scan program reported that the Master Boot Sector was infected with Stealth_C. Utilizing the /Clean option of the Scan program we were able to remove this virus.

john r.

- ------------------------------------------------------------------
but if i'm content with a little, enough is as good as a feast
- ------------------------------------------------------------------
jrushing@attmail.com or jrushing@squeaky.free.org or
john.rushing@syslink.mcs.com or jrushin@ibm.net
- ------------------------------------------------------------------

------------------------------

Date: Wed, 25 Jan 95 14:13:13 -0500
From: jcarr@crl.com (John B. Carroll)
Subject: Form Virus - How to Find It? (PC)

I've detected the Form virus at work but have not been able to locate the EXE that is installing it (i.e. I rewrite the boot sector and stay clean for a few days, then it reappears). I've tried McAfee and the MS Windows Anti-virus program. Any help is appreciated . . .

John

- --
<><><><><><><><><><><><><><><><><><><><><><><><><><>
<> John B. Carroll - jcarr@crl.com                <>
<> "Put pepper in my coffee . . ." - R.E.M.       <>
<><><><><><><><><><><><><><><><><><><><><><><><><><>

------------------------------

Date: Wed, 25 Jan 95 16:52:50 -0500
From: kg5ai@w5ac.tamu.edu (Myles Barkman - KG5AI)
Subject: Found NYB virus on friend's computer....NEED HELP! (PC)

Yesterday, I found what VIRUSCAN calls the NYB virus. It infects the Master Boot Record. I tried to use Clean to remove it but that didn't work. I found in some documentation to try FDISK/MBR. That worked on the hard drive. Now I'm trying to clean up his infected floppies (Windows set up disks). Now, I found that I can use SYS to overwrite the boot record and get rid of the virus, but I was wondering if there was a better way of fixing the floppies without making them bootable using SYS.
I have not been able to find any sources that mention the NYB virus. Someone I know found it (I think) in VSUM or some virus database. I don't have F-PROT but I will try to find it. Anyone have any ideas how to disinfect floppies without making them bootable?

- --
Myles Barkman   KG5AI   kg5ai@w5ac.tamu.edu
College Station, Texas   Ag '92

------------------------------

Date: Wed, 25 Jan 95 20:57:17 -0500
From: noel@rdt.monash.edu.au (Noel Rode )
Subject: JUNKIE.BOOT virus in game (PC)

I spent some time recently getting rid of the JUNKIE.BOOT virus off my cousin's PC. I think if I had V214 of McAfee scan at the time it would have helped a lot. The only problem I had with scan was that I had to reboot the machine each time scan found and tried to remove the JUNKIE.BOOT virus from a diskette. Scan would find and remove the first detected virus and any following viruses found would be reported as "JUNKIE.BOOT+emr" and could not remove the virus. The virus would also be loaded into memory when first detected and hence needed to be rebooted.

I located the source where I got the virus from. It came from a game called "Quarter Pole" by Microleague. Each of the four (write protected) disks was infected.

I'm sure it must have been said many times before but please be sure to scan ANY new disks purchased before making use of them.

Noel Rode

- --
/ Noel J. Rode (Ph.D Candidate)          e-mail: noel@rdt.monash.edu.au \
| Dept. Robotics and Digital Technology  Phone : +61 3 905 3575          |
| Monash University, Clayton Campus,     Fax   : +61 3 905 3574          |
\ Melbourne, Victoria, Australia 3168    ...Hi There.                    /

------------------------------

Date: Wed, 25 Jan 95 22:07:11 -0500
From: scotts95@aol.com (ScottS95)
Subject: Re: Monkey on "Stacked" Hard Drive (PC)

> I've come across a computer with the Monkey virus, it also has Stacker
> installed on it.
> When I start the process to eradicate the virus by
> booting from a floppy, I can no longer "see" the drives since the
> drivers are invoked via the config.sys file. I've tried duplicating
> the config.sys file, and appropriate binaries, on the boot floppy
> without any luck.

you have one of the New, Improved monkey viruses :-< like we fought through at work. one would Expect that stacker, like TroubleSpacey, would have a container file you had as the "fat drive", and a core that would diskette-boot as a C:. however, we have fought a Monkey that was so re-infected that using a Linux A1 diskette's fdisk for inspection, had five junk partitions created by the bug that quite hid things. booting "clean" (sorta) off the infected hard disk, with only the stacker binaries and no other TSR, etc stuff, you could run McAfee evaluation 2.14 or higher with the /clean parm and it might go.

I find that killmonk.exe did the job for us. I believe the anonymous ftp path is oak.oakland.edu \pub\ms-dos\virus to get to that fine little program.

scotts95@aol.com

------------------------------

Date: Thu, 26 Jan 95 00:55:17 -0500
From: waygee@pipeline.com (Waygee Ho)
Subject: WSCAN214 Profiles (PC)

Have a quick question concerning the McAfee WSCAN214 program. When I run a profile (let's say for a b), the software will proceed to scan the floppy drives. My question is: Is there any way to configure the profile so that it will automatically try to clean as well? This would be useful for our users since it would be a simple point and click operation.

Any help would be appreciated.

WayGee

------------------------------

Date: Thu, 26 Jan 95 01:15:37 -0500
From: jmward@cs.UCR.EDU (Jonathan Ward)
Subject: Re: what's wrong? (PC)

Ryan Garth McKay wrote:
>First question I have for the experts is as follows.
>Is it possible for a virus to hide in a gif/jpeg?

I suppose it is theoretically possible.
If the virus is a simple overwriter and doesn't check what type of file it's going to infect, it could conceivably write itself onto random datafiles, including gifs/jpegs. As long as it slaps itself on the head of the file, you could effectively "execute" the graphics file, as DOS would just load it into memory like a COM (of course, you'd have to change the filename extension to .COM). I've seen viruses that will do this, and change the extension as well. However, it's rather stupid for a virus to do such a thing, as graphics files aren't executed, only read into memory. The only way for a virus to run, and thus spread, is for it to be executed by the CPU - simply loading it into memory won't do any good (unless by some freak chance an errant program decided to set CS:IP right where the virus happened to be - but I've never heard of it happening: it would be a freak occurrence at best).

>Is it possible for a virus to be split between two of the above
>and become active when the two files are downloaded?

Yes, it could be split by a compression program. No, downloading the files wouldn't put it together much less activate it. See above.

>
>My brother found a virus before it was too late. It was located
>in two separate gif/jpeg files. Using the Windows based antivirus
>program he thought he cleaned up the mess... But we now think some
>really bad damage occurred. When we turn the machine on we get the
>standard bios stuff then the starting ms-dos line and then
>nothing....
>

I'd like to know how the virus got active (if you have one at all) if it was lying only in graphics files. The only way I could think of is if the files you downloaded were the type that had an embedded viewer combined with the image in one file - in which case the virus would see it as a regular executable and merrily infect away.

>It remains on that line for a long long time without any hard
>disk reads.
>At this time I thought the command.com file wasn't
>there so I figured that I'll do a boot with a boot disk... Well
>the next problem arrived. This is a computer with a built in
>security program and will not let me get at the hard drive when I
>do this.

Sounds like you forgot a BIOS password or something. Such a setting would be in the BIOS setup. If you forgot the password, one way to get rid of it is to open up the machine, and pull the lithium battery pack from the motherboard for a few seconds, which will effectively wipe the CMOS memory, and restore it to its original state. You'll have to reconfigure, but you'll be in. Depending on the make of board, some motherboards have a jumper that you can bridge to reset the BIOS.

>
>Any ideas would be welcomed,
>
>Thanks
>
>Ryan
>

-Jonathan Ward

- --
Who is General Failure, and why is he trying to read from my disk??
Email to:                   | http://neuromancer/~drdrums
jmward@cs.ucr.edu           | University of California, Riverside
drdrums@dostoevsky.ucr.edu  | Dept. of Computer Science

------------------------------

Date: Thu, 26 Jan 95 01:43:11 -0500
From: david@mindlink.bc.ca (David de Lisle)
Subject: Anticmos (PC)

I had this virus last month on a PC based system. Nothing worked on the floppies. However the virus will not transfer to tape so I was able to backup to tape, format the floppies and then put the data back to the floppies. Problem solved.

david@mindlink.bc.ca
Vancouver Canada

------------------------------

Date: Thu, 26 Jan 95 04:05:47 -0500
From: excoffier@cemag-lyon.fr (David Excoffier)
Subject: Scan 2.1.3 and 2KB Virus. (PC)

I'm working in a Research Institute, and lotsa computers have been infected with 2KB Virus. We're using VScan 2.1.213 for trying to eradicate this virus. But here's the problem : 2KB Virus is perfectly removed when it's found on HDD, and on a majority of floppy disks.
But sometimes, Vscan CAN'T remove this virus from floppy disks, even though it detects perfectly that it is 2KB Virus !!! Where does it come from ? Is it a new version of 2KB Virus? Why isn't Vscan able to remove it ???? What can I do to clean these disks, it's very important !!! Does McAfee have an E-Mail in France?

Thank you for your help and comments.

David EXCOFFIER.
excoffier@cemag-lyon.fr

------------------------------

Date: Thu, 26 Jan 95 08:50:50 -0500
From: Paul Owen
Subject: anti-CMOS virus (PC)

What can the wise old heads of the Internet tell me about the anti-CMOS virus ? I have seen it on several PC's and have noticed those with MSAV are unable to detect it. PC's with the IBM anti-virus software (such as the Thinkpad) seem able to identify it however. What is the best way to protect against it ?

------------------------------

Date: Thu, 26 Jan 95 08:59:32 -0500
From: twe@rix01.lyngbyes.dk (Torben Wendelin)
Subject: KHOBAR virus (PC)

I have found the KHOBAR virus on my PC. Does anybody know about it, what it does and how to disinfect?

thanks
Torben

------------------------------

Date: Thu, 26 Jan 95 09:30:14 -0500
From: "Robert Smith jr."
Subject: Re: HELP: My pc has gone braindead.. (PC)

taylord@tartarus.uwa.edu.au (David Taylor) wrote:
>
> Hi all,
> I am very worried. I think my PC has a rather bad little virus. It has
> been getting slower and slower, and last night I did a system info test
> (Norton SI) and the reported cpu speed was down to 15.6 from a usual 65+.
> Anyone having any idea about what may be causing this please email me.

Dave,

Sounds like Michelangelo or another boot sector virus. Go to a CLEAN computer, create a system disk, and get a good cleaning program on it. Boot from the disk and run the cleaner.

Good Luck ....
Bob

------------------------------

Date: Thu, 26 Jan 95 11:07:32 -0500
From: orjan.vestgote@innitor.se
Subject: Parity Boot virus (PC)

Maybe you already have discussed Parity Boot virus:

A few days ago I found that my machines were infected by the "B-variant of the Parity_boot virus". The boot sectors on two HDDs were infected and, in addition, about 60 floppies. I estimate that the virus entered my systems 4 - 6 months ago. In November I got a strange error message when I started Windows, saying something about the 32-bit disk handler being lost. This made me suspicious, but I had only MSAV available and this program found nothing. A few days ago my kids ran the F-PROT anti virus and the program discovered Parity Boot. The virus had done no harm so far and it was fairly easy to disinfect the disks and the floppies.

To my surprise, today, two days after the disinfection, the CMOS setup data had been wiped away, all zeroes !!! My HDD was of course inaccessible, but since I had saved the setup parameters and by booting from floppy, I could easily make the system work again. That machine is only 6 weeks old, and the battery should be healthy for at least another year.

Has anyone of you discovered a connection between Parity Boot virus and a zeroed CMOS setup ?

Regards
Orjan

------------------------------

Date: Thu, 26 Jan 95 12:22:31 -0500
From: univel.telescan.com!jag@Lehigh.EDU (John Guynn)
Subject: Stoned.Standard (PC)

I just found a virus on a machine that F-prot 2.16 calls Stoned.Standard - unknown but it will not disinfect. Luckily fdisk /mbr kills it. Is this a new variant of stoned?

John Guynn          jag@univel.telescan.com
Network Admin       Telescan Inc.
"If you're killed, you've lost a very important part of your life."
- --Brooke Shields

------------------------------

Date: Thu, 26 Jan 95 13:15:08 -0500
From: bsinet@cloudnet.com (Bankers Systems)
Subject: Re: Anti CMOS type B (PC)

I've seen this virus too (Anti CMOS A and B).
I removed them with an FDISK /MBR (master boot record) - make sure that you clean boot first. This seemed to clean them up. Hope that helps!

Lake Hennig (LakeH@ix.netcom.com) wrote:
: Using McAfee's antivirus 2.14 (Beta), I was able to identify a virus
: called Anti-CMOS type B on the boot record of a diskette (3.5"). I did
: not find it on my hard drive, but I think it must have been at some
: point. (I just re-installed DOS 6.22 from scratch - not an upgrade--
: and believe that may have eliminated the virus from my hard drive.) I
: had been experiencing problems with the hard drive when I powered on --
: also with the video card. I don't know if this was related to a virus
: or just equipment failure.
: Does anyone know what Anti-CMOS Type B actually does? (The name alone
: is scary.) And how do you clean it from a floppy? (The McAfee software
: 2.14 can't yet). I've tried sys A: but that doesn't do it.

------------------------------

Date: Thu, 26 Jan 95 13:25:41 -0500
From: ai660@freenet.buffalo.edu (Brian J. Beiter)
Subject: "NoInt" (PC)

Does anybody know what a "NoInt" virus is? What does it do? How do I get rid of it? Thanks for any help.

------------------------------

Date: Thu, 26 Jan 95 14:48:39 -0500
From: dorothy@svpal.svpal.org (Dorothy Brown)
Subject: Need virus info. (PC)

I recently found the virus Monkey-B on my computer and am now looking for more info on the virus itself, and on the best antivirus software. Any info. would be greatly appreciated.

Thanks in advance,
Dorothy Brown
dorothy@svpal.org

------------------------------

Date: Thu, 26 Jan 95 15:44:17 -0500
From: Iolo Davidson
Subject: Novell Lab protection.... (PC)

gmead@scs.unr.edu "Garrett Mead" writes:
> I am particularly interested in a process that a Macintosh program (I
> think it is Gatekeeper or something thereof) uses. I believe that this
> program does a scan anytime a new floppy is placed in a drive. Is there
> an IBM equivalent?
Yes, several DOS anti-virus TSRs scan floppies for boot sector viruses on the first access.

> 2) If you run any other protection other than what is inherent in Novell,
> what products do you use? Which should I not use?

There are lots of anti-virus NLMs to run on the server in addition to anti-virus DOS software run on the workstation. Which? Both "Virus Bulletin" and "SECURE Computing" have recently run comparison reviews.

> If you can, please include any information you have on the products that
> you recommend (i.e. ftp sites or addresses and telephone numbers)

I think you will want a commercial package for a network based strategy.

- --
SPECIAL SEATS
RESERVED IN HADES
FOR WHISKERED GUYS
WHO SCRATCH
THE LADIES
Burma Shave

------------------------------

Date: Thu, 26 Jan 95 16:11:36 -0500
From: mukher@cc.gatech.edu (Amitesh Mukherjee)
Subject: Virus-Scanning Software (PC)

I am trying to find out what are the premium virus-scanning software (most up-to-date), who sells them etc.......Phone numbers, addresses will also be helpful.....Please e-mail to mukher@cc.gatech.edu

Thanx..........
Amitesh Mukherjee

- --
-Amitesh Mukherjee (mukher@cc.gatech.edu)

------------------------------

Date: Thu, 26 Jan 95 16:25:46 -0500
From: amf94@ecs.soton.ac.uk (Andrew Forster)
Subject: Re: what's wrong? (PC)

Ryan Garth McKay (rgmckay@acs.ucalgary.ca) wrote:
: First question I have for the experts is as follows.
: Is it possible for a virus to hide in a gif/jpeg?
: Is it possible for a virus to be split between two of the above
: and become active when the two files are downloaded?

I would say, it is possible to hide a virus in a gif or jpeg.. It is possible to hide anything in a gif or jpeg within reason, BUT, the virus would have to be extracted by something - a viewer or something.. Viral code may be located in a viewer program - did you download anything to view it?
Alternatively, the virus infected a gif file down to poor programming - it searched for *.* instead of executables.

: My brother found a virus before it was too late. It was located
: in two separate gif/jpeg files. Using the Windows based antivirus
: program he thought he cleaned up the mess... But we now think some
: really bad damage occurred. When we turn the machine on we get the
: standard bios stuff then the starting ms-dos line and then
: nothing....

There's always the possibility that the gif / jpeg data matches a viral signature enough to trigger a false alarm.. You used a windows based anti-virus and you refer to "STARTING MS-DOS..." - you weren't using Microsoft Windows Anti-Virus were you? I personally have a very low opinion of the Microsoft / Central Point Anti-Virus products, for example, they don't spot any of the viruses created by VCL (Virus Creation Laboratory) and this is an entire toolkit!

: It remains on that line for a long long time without any hard
: disk reads. At this time I thought the command.com file wasn't
: there so I figured that I'll do a boot with a boot disk... Well
: the next problem arrived. This is a computer with a built in
: security program and will not let me get at the hard drive when I
: do this.

Have you tried pressing F5 about the same time as the "starting ms-dos" message? It may be a file in your config.sys that is corrupt, such as himem.sys or emm386.exe.. F5 will give you a clean boot bypassing entirely the config.sys and autoexec.bat.

: Any ideas would be welcomed,
: Thanks
: Ryan

Andy

______________________________________________________________________________
Department of ECS, University of So'ton              amf94@ecs.soton.ac.uk
PGP 2.6ui Public Key Available On Request
"640K ought to be enough for anybody." - Bill Gates, 1981
- ------------------------------------------------------------------------------

------------------------------

Date: Thu, 26 Jan 95 18:07:18 -0500
From: wnc1081@rigel.tamu.edu (W. Neil Craig)
Subject: Possible unknown virus (PC)

Howdy everyone,

I have been using MS Antivirus to check my PC and this afternoon I discovered that all the system files, most of the files in my dos directory, and several dozen files in my windows directory had grown in size. The majority of these files are .exe and .com files. MSAV doesn't detect a virus, but just notes the change in the file size. I am running MS DOS 6.2.2 and Windows 3.1, and I have only experienced a few mild problems so far with some of the affected windows apps. If you know anything about this or could give me some help it would be greatly appreciated.

Neil Craig
Mechanical Engr. Undergrad, Texas A&M University
College Station, Texas, USA
email: WNC1081@rigel.tamu.edu

------------------------------

Date: Thu, 26 Jan 95 19:05:14 -0500
From: noel@giskard.rdt.monash.edu.au (Noel Rode )
Subject: JUNKIE.BOOT virus in game (PC)

I spent some time recently getting rid of the JUNKIE.BOOT virus off my cousin's PC. I think if I had V214 of McAfee scan at the time it would have helped a lot. The only problem I had with scan was that I had to reboot the machine each time scan found and tried to remove the JUNKIE.BOOT virus from a diskette. Scan would find and remove the first detected virus and any following viruses found would be reported as "JUNKIE.BOOT+emr" and could not remove the virus. The virus would also be loaded into memory when first detected and hence needed to be rebooted.

I located the source where I got the virus from. It came from a game called "Quarter Pole" by Microleague. Each of the four (write protected) disks was infected.

I'm sure it must have been said many times before but please be sure to scan ANY new disks purchased before making use of them.

Noel Rode.

- --
/ Noel J. Rode (Ph.D Candidate)          e-mail: noel@rdt.monash.edu.au \
| Dept. Robotics and Digital Technology  Phone : +61 3 905 3575          |
| Monash University, Clayton Campus,     Fax   : +61 3 905 3574          |
\ Melbourne, Victoria, Australia 3168    ...Hi There.                    /

------------------------------

Date: Thu, 26 Jan 95 19:44:38 -0500
From: raymoon@DGS.dgsys.com (Raymond Moon)
Subject: AntiCMOS-A help (PC)

Does anyone have any information on a Virus identified as AntiCMOS-A? I have detected it using IBMAV and McAfee. Calling McAfee reveals that it attacks the CMOS of "certain" computers. McAfee could not identify which computers were vulnerable. I have Zenith 386s and 486s.

Thanks in advance.

Ray

------------------------------

Date: Thu, 26 Jan 95 20:10:24 -0500
From: fruits@cgs.edu (Eric Fruits)
Subject: Stealth [genb] Virus -- Crazy Boot Ver. 1.0 (PC)

Yesterday I got the Crazy Boot stealth virus. After talking to McAfee tech support, I discovered it is a stealth boot sector virus. After two hours with tech support we managed to fix it. I did not lose any data and now my machine is running fine and virus-free (as far as I know). Here's how to remove the virus and fix your machine:

1. Boot off a DOS installation/setup disk.
2. A:\>fdisk /mbr
   This will replace the master boot record on your disk. There is a chance you will lose data--I did not.
3. Power down your machine.
4. Boot off the A:\ drive with a clean, write-protected floppy that contains Norton Disk Doctor.
5. A:\>ndd /rebuild
6. Answer YES to every question NDD asks you (you do not have to create an undo file, though)
7. Boot off the A:\ drive with a clean, write-protected floppy that contains the virus scanner of your choice.
8. Scan for viruses -- it should come up clean.

Done. Good luck.

Eric Fruits
fruits@cgs.edu

------------------------------

Date: Thu, 26 Jan 95 20:44:09 -0500
From: Sick Puppy
Subject: Is this a virus or logic bomb, or is it a software conflict? (PC)

There is a problem affecting some of our users and we don't know if it is a virus, a logic bomb, or simply some kind of software conflict.

We have a couple of small Banyan LANs with a couple of servers. Users load Windows off the Banyan server when they first log into the network. Sometimes a thin black line appears about one inch down from the top of the screen and slowly extends across the screen. When it reaches the other side, there is a kind of beep. These lines can be minimized or maximized. A few minutes later another line appears about 1.1 centimeter/1 quarter of an inch and slowly extends across the screen. After several of these lines going horizontally across the screen, the same kind of lines start to extend vertically down the screen. If the PC is left for about 30 minutes, the screen changes to multiple colors. It looks very pretty but makes Windows useless.

This affects some users but not others. We have scanned the PC's and servers with three different anti-virus programs and found nothing. Is this a virus or a logic bomb? Or is it a software conflict?

Sick Puppy
the Cat_Eating_Dawg in the basement of Bellcore

------------------------------

Date: Thu, 26 Jan 95 21:58:16 -0500
From: liy@ecf.toronto.edu (Yi-Fan Y LI)
Subject: Monkey (Help) (PC)

Hi

Recently, my PC is infected by some virus. F-Prot reports that it is Stoned.Empire.Monkey.A and McAfee recognizes it as Monkey_1 virus. But F-Prot failed to clean it. Since the boot track is modified by the virus, the system doesn't recognize the hard disk if it starts from a clean system floppy. The McAfee does not work either (or I did not find the right way to do it). How do I remove it???? Any help is highly appreciated.

Thanks again.

Yours
Y.Li

- --

------------------------------

Date: Thu, 26 Jan 95 22:14:05 -0500
From: mdf2@po.cwru.edu (Mike Facemire)
Subject: Monkey virus (PC)

I just finished removing (supposedly) the Stoned.Empire.Monkey virus from my pc with the killmonk program on novell software.
Everything is now fine except for the fact that i cannot access my A drive. Whenever i hit a: from the c-prompt i get the message Drive not ready. This happens whether or not there is a disk in the drive. The drive does not even spin to check if there is a disk there or not. I cannot boot from this drive (my only other than the hard drive) either. I went into my BIOS setup and made sure that it was properly set to be a 1.44M 3.5" drive. I rebooted and then checked the status of the drives using Microsoft diagnostics (msd). This showed that the A drive was a 360K 5.25" drive. What is happening?? Is there a way to fix this other than totally reformatting everything?? Thanks for any help. Mike Facemire mdf2@po.cwru.edu ------------------------------ Date: Thu, 26 Jan 95 23:52:01 -0500 From: wnc1081@rigel.tamu.edu (W. Neil Craig) Subject: Help---AntiCMOS & B1 virus (PC) Howdy everyone, Using F-Prot 2.16, I have detected 2 viruses. When you boot my PC from the hard disk, and then run F-Prot, it warns me that the AntiCMOS virus string (it doesn't specify A or B ) is resident in memory, and refused to go farther, and instructs me to boot the machine from a clean system disk. When I boot from a clean system floppy disk and then run F-Prot, it finds the B1 virus in the master boot record, but doens't find the AntiCMOS virus. If anyone could give me any help, it would be greatly apprecitated. Sincerely Neil Craig Mechanical Engr. Undergraduate Texas A&M University College Station Texas USA email: wnc1081@rigel.tamu.edu ------------------------------ End of VIRUS-L Digest [Volume 8 Issue 8] ****************************************
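Several of the reports in this issue (Crazy Boot, Monkey, B1 and AntiCMOS) concern viruses that live in the master boot record, and one poster notes that once the boot track is modified a clean floppy boot no longer sees the hard disk. The following is an added example, not part of the digest and not the code of any product mentioned in it: a small Python checker that reads a 512-byte MBR image, verifies the 0x55AA signature, parses the four partition entries and applies the sanity checks a defender would want (one active partition, valid status bytes, no overlapping or garbage entries), and compares the boot-code region against a SHA-256 baseline recorded while the disk was known clean. The two sample sectors are constructed in the code itself; the "tampered" one simply overwrites the boot code and XORs the partition table with a constant as a stand-in for a boot sector virus, and does not reproduce any real virus.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510-511 of a valid MBR


def parse_partition_table(sector):
    """Return the four partition entries of a 512-byte MBR image as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, (3 CHS bytes skipped), type, (3 CHS bytes skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootcode_digest(sector):
    """SHA-256 of the boot-code region (bytes 0-445); record this while the disk is known clean."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(sector, baseline_bootcode_sha256=None):
    """Sanity-check an MBR image; returns a list of findings (empty list means it looks sane)."""
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if baseline_bootcode_sha256 is not None and bootcode_digest(sector) != baseline_bootcode_sha256:
        findings.append("boot code differs from recorded baseline")

    entries = parse_partition_table(sector)
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["type"] == 0 and (e["status"] or e["lba_start"] or e["sectors"]):
            findings.append(f"entry {e['index']}: empty entry has non-zero fields")
        elif e["type"] != 0 and (e["lba_start"] == 0 or e["sectors"] == 0):
            findings.append(f"entry {e['index']}: zero start or length")

    # A scrambled table typically yields entries that overlap each other.
    used = sorted((e for e in entries if e["type"] != 0), key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def build_sample_mbr():
    """Constructed clean MBR: a stub boot-code region plus one active FAT16 partition (not real boot code)."""
    boot_code = bytes([0xFA, 0x33, 0xC0]) + b"\x00" * (PART_TABLE_OFFSET - 3)
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 2_097_152 - 63)
    table = entry0 + b"\x00" * (3 * PART_ENTRY_SIZE)
    return boot_code + table + BOOT_SIGNATURE


def scramble_sample_mbr(clean):
    """Constructed tampered copy: boot code replaced, partition table XOR-ed with a constant."""
    boot_code = b"\x90" * PART_TABLE_OFFSET
    table = bytes(b ^ 0x2E for b in clean[PART_TABLE_OFFSET:510])
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootcode_digest(clean)          # would be stored off-disk at install time
    print("clean sector:", check_mbr(clean, baseline) or "no findings")
    print("tampered sector:")
    for finding in check_mbr(scramble_sample_mbr(clean), baseline):
        print("  -", finding)
```

To use it on a real machine you would dump sector 0 of the disk to a file from a clean boot and feed those 512 bytes to check_mbr; the baseline digest has to be kept somewhere the machine itself cannot rewrite, otherwise an infected boot sector can simply be re-baselined.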
