VIRUS-L Digest   Tuesday, 7 Feb 1995   Volume 8 : Issue 9

Today's Topics:

Possible virus/worm alert (VM/CMS)
Re: what's wrong
Looking for a Particular Fictional Book
Question: Virus email groups?
OS/2 Viruses (PC-OS/2)
Re: Virus scanner for Unix system (UNIX)
HELP -- AntiCMOS & B1 virus (PC)
Re: Dos Master Boot Sector Virus from H#ll! (PC)
Re: Form.a on Doublespaced Drives. (PC)
Re: List of UnRemovable viruses? (PC)
Anticmos Virus (PC)
Re: what's wrong? (PC)
Form virus (PC)
Is the following a virus?? (PC)
Partition virus, Dr Solomon hangs when attemptin rec. (PC)
form-virus (PC)
Re: List of UnRemovable viruses? (PC)
Re: what's wrong? (PC)
Can someone tell me about LITTLE_R (PC)?
F-Prot TSR for Windows? (PC)
Re: ANTICMOS B ... Need help removing... (PC)
Integrity Master (PC)
Dr. Solomon's virus tool kit (PC)
Recommendations for behaviour blocker? (PC)
What is the best virus checker (PC)
Re: Answers about NYB (with interesting "payload") (PC)
Re: Characters disappear on printouts !! (PC)
Virus SAMPO?! (PC)
JUNKIE.BOOT virus in game (PC)
form and dbltrbl (PC)
Re: AntiEXE virus (PC)
Re: Novell Lab protection.... (PC)
Filer Virus (PC)
Mr. Ed virus?? (PC)
Newbie: Genp virus infecting our computers please help!!! (PC)
Carmel anti-virus for Windows Beta (PC)
I just got junked - I think (PC)
dir | more shows 2 extra files (PC)
32-bit antivirus for Win95 (PC)
Grover PC virus (PC)
Predator II virus (PC)
help needed on khobar virus (PC)
Re: MONKEY Virus? (PC)
Virus or bug? (PC)
Re: About memory scanning (PC)
Re: About memory scanning (PC)
Help on [GenP] virus needed urgently!!! (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 06 Feb 95 19:01:42 -0500
From: john riehl
Subject: Possible virus/worm alert (VM/CMS)

I have come across another worm on bitnet. There is a module called "Love module", which runs on vm systems. It displays some text on the screen (non-English), while it reads the * names file, sends everyone a copy, and erases itself. I caught one coming in from SAKAAU03 (Saudi Arabia). Time to update your filters. sigh.

jr (john riehl)

------------------------------

Date: Fri, 27 Jan 95 10:02:24 -0500
From: srsst26+@pitt.edu (Scott R Stepnick)
Subject: Re: what's wrong

First, if you have/had a virus it _wouldn't_ be in the .gif or jpeg. All viruses (or virii if you prefer) are executable code. You couldn't execute a text file, could you? Of course not, nor can you execute a gif or jpeg. When you use a viewing program it uses the data in the gif or jpeg to construct the picture. It does not, however, actually execute any code (except for the viewing program's of course!), so no, your gif or jpeg cannot become infected. If you had a really badly written virus infect your system, then it could write its code to the gif or jpeg (notice I say badly written virus, any normal one only looks for .com or .exe files).
However, that would only cause you to either have:
a) A gif or jpeg that now had unneeded bytes and that your viewer wouldn't be able to read anymore or
b) At best, a picture, albeit distorted.

Now is it possible to infect the viewing program... well yes, it is executable and _may_ have started it. Did you use some shareware viewer that was ftp'ed?

Lastly, about the not being able to access the hard disk. Are you sure it is a "security program"? Some virii (hey, I prefer it over viruses) infect your partition table, some encrypt it. If it is encrypted or otherwise owned by the virus, then you won't be able to log to your hard disk. Try using TBAV (ftp oak.oakland.edu /pub/msdos/virus). Download and unzip it. Boot from a clean floppy and then run TBAV. It might be able to help you more than I can here...

------------------------------

Date: Sat, 28 Jan 95 17:31:20 -0500
From: leon.durivage@Plexus.COM (Leon Durivage)
Subject: Looking for a Particular Fictional Book

About 12 years ago a college friend told me of a book he was reading that described the first computer virus I had ever heard of. I can't remember the title and I never did read it. I would appreciate any help locating it.

If memory serves me, it was about a computer science major who decided to write a self-replicating piece of code. After discovering that the comp-admin people could quickly set up traps to delete it, he added modules for encryption, network comms, self-modifying, etc. He soon realized that he could not control the thing and deleted the whole thing, including source code. Or so he thought...

Several years later, there's a knock on the door and some very official-looking people want to talk with him about a program they've found kicking around the world's networks....

I know this isn't much to go on, but it's all I've got. If you happen to know the title or author, please e-mail me at leon.durivage@plexus.com

My apologies if I've butchered the plotline...
it was awhile ago, you know.

Thanks...Leon

------------------------------

Date: Mon, 30 Jan 95 21:56:43 -0500
From: S1104145@cedarville.edu (Daniel Hatfield )
Subject: Question: Virus email groups?

I went looking through the FAQ for this newsgroup for any sort of a virus email group or posting address for regular virus technical articles. I was wondering does anything of this sort exist? Anyplace I can get articles on viruses or current research in the field? Any texts for technical explanations of how viruses work? Any help would be appreciated.

Dan Hatfield
EMAIL: s1104145@cedarvill.edu

------------------------------

Date: Fri, 27 Jan 95 13:00:51 -0500
From: "Sean E. Carolan"
Subject: OS/2 Viruses (PC-OS/2)

Folks,

I support a site that was recently (and virulently) infected by the Monkey B and Green Caterpillar viruses; McAfee took care of them on the DOS systems and on OS/2 systems that we could boot from a DOS diskette.

My questions:

If a virus infected files on an HPFS filesystem, how could I eradicate it?

Are there any native OS/2 anti-virus products out there, shareware or otherwise?

Are there any known native OS/2 viruses out there, anyway?

Thanks,
Sean
sean.carolan@lincroftnj.ncr.com
sean.carolan@lincroftnj.attgis.com

------------------------------

Date: Sat, 28 Jan 95 06:21:27 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus scanner for Unix system (UNIX)

jblackb@aeha1.apgea.army.mil (Janet Blackburn 5-3861) writes:

>Is it still the general consensus that scanning for Unix viruses
>is not really necessary?

I would say that *scanning* for Unix viruses was impractical. However, *checking* for their existence, using other methods, such as running a decent integrity checker might be sensible - it will detect unauthorized modifications as well.

-frisk

------------------------------

Date: Fri, 27 Jan 95 00:06:29 -0500
From: wnc1081@rigel.tamu.edu (W.
Neil Craig)
Subject: HELP -- AntiCMOS & B1 virus (PC)

Howdy everyone

Using F-Prot 2.16, I have detected 2 viruses on my PC. When I boot from the hard disk and then run F-Prot, it tells me that an AntiCMOS is resident but not necessarily active in my memory. F-Prot instructs you to reboot from a clean floppy system disk. When I do this and then run F-Prot, it tells me that the B1 virus is in the MBR, but doesn't detect the AntiCMOS virus anywhere. F-Prot lists both of the viruses as irreparable. If anyone knows anything about this or knows a way to repair short of reformatting, I'd love to hear from you. Whatever it is has already corrupted my system files, most of my DOS files, and several essential files for Windows. Any help would be greatly appreciated.

Thanks
Neil Craig
Student, Texas A&M University
email: wnc1081@rigel.tamu.edu

------------------------------

Date: Fri, 27 Jan 95 02:47:14 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Dos Master Boot Sector Virus from H#ll! (PC)

stauffer@casbah.acns.nwu.edu (Christopher Stauffer) writes:

>I've got a recurring virus. I first cleaned it off with f-prot. An
>admittedly old version that just wrote over it.

Well, the F-PROT overwrite of boot sector viruses is functionally equivalent to doing a FDISK /MBR, which is quite efficient in killing the virus, and usually has exactly the same effect as locating the original MBR and restoring that.

> Now it is back.

Then somebody has just re-infected the machine .... I guess that the virus was also on some diskettes that were lying around, and then accidentally left in the machine when it was turned on.

> Will a newer version of F-Prot do the trick

The old version "did the trick" .... the problem is that you just re-infected the machine...there is no way a *scanner* like F-PROT can prevent that.

-frisk

------------------------------

Date: Fri, 27 Jan 95 07:45:20 -0500
From: Mikko Hypponen
Subject: Re: Form.a on Doublespaced Drives.
(PC)

Prashant Meswani (P.Meswani@lmu.ac.uk) wrote:

> We at Leeds Metropolitan University have been hit by the Form.a virus.
> This problem is easily resolved on non double-spaced machines, but not
> on machines with this software. At the moment, all we can do is format
> the hard drive and redo the machine from scratch.

Form infects the DOS boot sector of the hard drive. When DoubleSpace is in use, drive letters are changed, and the infected boot sector ends up on drive H:, I:, J: or so. The compressed drive C: has only a pseudo-boot sector, which is never infected.

In order to get rid of Form and other boot viruses that infect the DOS boot record on hard drives, choose one of the following options:

1) Boot from a clean floppy with the disk compression disabled; either delete the dblspace.bin/drvspace.bin file or use DOS version 4.x or 5.x on the boot floppy, then check drive C:

2) Boot from a normal (MS-DOS 6.x) floppy, but instruct your scanner to check all drives or at least drive H: (or whatever your host drive is) instead of scanning just drive C:

3) Use a scanner that always checks all boot sectors, even if you tell it to scan drive C: only (plug: F-PROT does this).

So, do not format the machines, Form can be disinfected from DoubleSpaced drives. "Unless a virus has actually -gone off- and overwritten data, it's never necessary to reformat to get rid of a virus"; well said (by Vesselin in VIRUS-L Vol 7 issue 43).

--
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Computer virus information available via WWW at http://www.datafellows.fi

------------------------------

Date: Fri, 27 Jan 95 07:51:08 -0500
From: Mikko Hypponen
Subject: Re: List of UnRemovable viruses?
(PC)

Kevin Kenney (kenney@netcom.com) wrote:

> I'm looking for a (hopefully short) list of viruses or virus families
> that due to bad writing, destructive tendencies, or whatever, can never
> be adequately removed from a system.

You can get (an incomplete) listing of such viruses by using the VIRLIST.LIS file provided with F-PROT. Try this command in a directory with that file; "find "Impossible" < virlist.lis > impossib.lis". Then inspect the resulting impossib.lis file.

--
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
Computer virus information available via WWW at http://www.datafellows.fi

------------------------------

Date: Fri, 27 Jan 95 10:10:22 -0500
From: med30035@leonis.nus.sg (WONG HER SHANN)
Subject: Anticmos Virus (PC)

My computer has now acquired a virus that seems to corrupt the cmos, the system is unstable and sometimes unable to start (not even the ram count). If it starts it usually signals that the cmos is corrupted and sometimes all info in the cmos is wiped out. Even if you are lucky to boot up the system hangs after a while. Using a clean floppy I booted up the comp but after 1 min the comp refuses to recognise the floppy drive A. Further attempts in trying to use drive A (changing cmos numerous times) resulted in failure. Even the write protected floppy seemed corrupted and fdisk doesn't do a thing. So what can I do?

Thanx in advance.

------------------------------

Date: Fri, 27 Jan 95 11:16:41 -0500
From: ee_d277@kingston.ac.uk (Andrew Coyte)
Subject: Re: what's wrong? (PC)

If BIOS won't let you access the hard disk, then you could try momentarily shorting out the Lithium battery on your motherboard, which (should) make bios forget everything and then ask you to re-enter your PC's settings. Then you should be able to find the BIOS option to turn off hard disk security.
Of course, you will make a note on paper of your CMOS settings before blasting them all.....

Andrew Coyte

------------------------------

Date: Fri, 27 Jan 95 11:29:26 -0500
From: terje.christensen@thcave.bbs.no (Terje Christensen)
Subject: Form virus (PC)

I've got form-virus on a doublespaced, two-disked pc. How do I remove the infection without formatting the disks?

From: Terje Christensen, Norway

---
> RoseMail 2.55>:
----
+-----------------------------------------------------------------------+
+ Thunderball Cave BBS +47 2256 7018 / 2256 8809 (USR V.FC / V.34)      +
+ -- thcave.bbs.no -- Oslo Norway --                                    +
+-----------------------------------------------------------------------+

------------------------------

Date: Fri, 27 Jan 95 15:43:16 -0500
From: gama%kensvs.dnet.dec.com@mrnews.mro.dec.com (Rui Gama)
Subject: Is the following a virus?? (PC)

A few days after I installed a new sound card (and sound soft) my floppies are gone. First I thought the 3 1/2 floppy drive was bad. I went out and bought a new one. Nope. Since the IDE card is built in, I asked a friend to borrow his and tested it also using new cables. I tried to boot from a clean floppy. Nope. I always get a SECTOR NOT FOUND READING DRIVE (A: or B:). But if I boot from C: always have a clean boot. The problem is just accessing the floppies, both to read or format.

Could this be a virus problem, a battery, or simply a motherboard that went south?

Thanx,
Rui Gama

------------------------------

Date: Fri, 27 Jan 95 18:07:34 -0500
From: "Sven Junkergård"
Subject: Partition virus, Dr Solomon hangs when attemptin rec. (PC)

I've got a partition virus on my ThinkPad 750C called Ripper. When I try to use my rescue disk and recover the bad partition table, the computer just freezes. In fact all 750C that we have in our office do. Is there any other software that can recover partition virus? I've already replaced the bootsector with a new and fresh one.
All help appreciated

Sven Junkergård

------------------------------

Date: Fri, 27 Jan 95 20:01:43 -0500
From: terje.christensen@thcave.bbs.no (Terje Christensen)
Subject: form-virus (PC)

I've got doublespace in DOS using two harddisks on my PC; all infected by 'Form' virus. How do I remove the infection without formatting the disks?

From:terje.christensen@dasan. thcave.bbs.no

---
> RoseMail 2.55>:
----
+-----------------------------------------------------------------------+
+ Thunderball Cave BBS +47 2256 7018 / 2256 8809 (USR V.FC / V.34)      +
+ -- thcave.bbs.no -- Oslo Norway --                                    +
+-----------------------------------------------------------------------+

------------------------------

Date: Sat, 28 Jan 95 06:16:43 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: List of UnRemovable viruses? (PC)

kenney@netcom.com (Kevin Kenney) writes:

>I'm looking for a (hopefully short) list of viruses or virus families that
>due to bad writing, destructive tendencies, or whatever, can never be
>adequately removed from a system.

Most of the viruses in this group are the overwriting ones. A list of most of those is included below.

There are also those that cannot be removed due to bugs - for example those that change the initial SS:SP value, but do not preserve the original one. I do not have a list of those.
- ------------------------------------- Overwriting viruses: AB Abraxas.1170 Abraxas.1171 Abraxas.1200 Abraxas.1214 Abraxas.1304 Abraxas.1508 Abraxas.1518 Anarchy Assassin Atomic.371 Atomic.480 Bad_Brains.554.A Bad_Brains.554.B Bad_Brains.570 Belorussia BloodLust Budo.1000 Budo.890 Burger.1310 Burger.382.A Burger.382.B Burger.382.C Burger.382.C Burger.405.A Burger.405.B Burger.405.C Burger.405.D Burger.405.E Burger.405.F Burger.441.A Burger.441.B Burger.498 Burger.505.A Burger.505.B Burger.505.C Burger.505.D Burger.505.E Burger.505.F Burger.505.G Burger.505.H Burger.505.I Burger.505.J Burger.505.K Burger.505.L Burger.505.M Burger.505.N Burger.509 Burger.512.A Burger.512.B Burger.536 Burger.542 Burger.560.A Burger.560.AA Burger.560.AB Burger.560.AC Burger.560.AD Burger.560.AE Burger.560.AF Burger.560.AG Burger.560.AH Burger.560.AI Burger.560.AJ Burger.560.AK Burger.560.AL Burger.560.AM Burger.560.AN Burger.560.AO Burger.560.AP Burger.560.AQ Burger.560.AR Burger.560.AS Burger.560.AT Burger.560.AU Burger.560.AV Burger.560.AW Burger.560.B Burger.560.C Burger.560.D Burger.560.E Burger.560.F Burger.560.G Burger.560.H Burger.560.I Burger.560.J Burger.560.K Burger.560.L Burger.560.Liquid Burger.560.M Burger.560.P Burger.560.Q Burger.560.R Burger.560.S Burger.560.V Burger.560.W Burger.560.X Burger.560.Y Burger.Pirate Burma.442.A Burma.442.B Burma.563 Civil_War.444 Consumed Cop-com.286 Cop-com.287 Copyprot Crazy_Lord Darth_Vader.253 Deicide.665 Deicide.666.A Deicide.666.B Deicide.666.C Dev_X EVCZ ExeError FCB Fasolo.149 Fasolo.176 Genvir.1376 Genvir.Wednesday Grog.1207 Grog.456 Grog.557 Grog.Aver_Torto Grog.Bruchetto Grog.Delirious Grog.Enmity_1_0 Grog.Enmity_2_0 Grog.Enmity_2_1 Grog.Hop Grog.Il_Mostro Grog.Sempre Grog.Trumpery Gyro HLLO.13793 HLLO.17690 HLLO.3008 HLLO.3521 HLLO.3800 HLLO.3816 HLLO.4032.A HLLO.4032.B HLLO.4096 HLLO.4240 HLLO.4340 HLLO.4372 HLLO.4505.A HLLO.4505.B HLLO.4742 HLLO.4778 HLLO.4870.A HLLO.4870.B HLLO.5760 HLLO.7392 HLLO.Black_Crypt HLLO.Cvirus_1.9 
HLLO.Cvirus_2.0 HLLO.DisDev HLLO.Gov HLLO.Harakiri.A HLLO.Harakiri.B HLLO.Hepatitu HLLO.Honi HLLO.Joker.B HLLO.Mission HLLO.Novademo.A HLLO.Novademo.B HLLO.Number_1.E HLLO.Ondra HLLO.Orion HLLO.RUW HLLO.Shadowgard HLLO.Tyst HLLO.Virms HLLO.Wonder Hot Human_Greed IVP.Faulkner Itti.161 Itti.99 Itti.Malmsey Itti.Toxic Jasmine Jedina KI Knight Kode_4_Over Ku Leprosy.1306 Leprosy.321 Leprosy.350 Leprosy.370 Leprosy.5120 Leprosy.5370.A Leprosy.5370.B Leprosy.5600 Leprosy.573 Leprosy.579 Leprosy.591 Leprosy.664.A Leprosy.664.B Leprosy.666.B Leprosy.666.I Leprosy.666.K Leprosy.666.M Leprosy.666.N Leprosy.A Leprosy.Anarchy.469 Leprosy.AoD Leprosy.Busted.570 Leprosy.Busted.571 Leprosy.Busted.572 Leprosy.Clinton Leprosy.Crawler Leprosy.F Leprosy.Fratricide Leprosy.FVHS Leprosy.G Leprosy.H Leprosy.I Leprosy.Sandra Leprosy.Scribble Leprosy.Seneca.381 Leprosy.Seneca.392 Leprosy.Seneca.483 Leprosy.Seneca.493 Leprosy.Silver_Dollar Leprosy.Silver_Dollar.1547 Leprosy.Silver_Dollar.1644 Leprosy.Silver_Dollar.1874 Leprosy.Silver_Dollar.736 Leprosy.Silver_Dollar.8101 Leprosy.Skism.1818 Leprosy.Skism.1992.A Leprosy.Skism.1992.B Leprosy.Skism.47857 Leprosy.Skism.808.A Leprosy.Skism.808.B Leprosy.Skism.808.C Leprosy.Skism.808.D Leprosy.Skism.814 Leprosy.Skism.827 Leprosy.Skism.907 Leprosy.Surfer Leprosy.Tazmanian.1973 Leprosy.Tazmanian.2197 Leprosy.Tazmanian.2209 Leprosy.Tazmanian.2276 Leprosy.Viper Leprosy.Wake Leprosy.Xabaras Lockjaw.Flagyll.316 Lockjaw.Flagyll.318 Lockjaw.Flagyll.369 Lockjaw.Flagyll.371 Maaike.164.B Marked-X.354 Marked-X.355 Material Milan.AntiNazi Milan.BadGuy Milan.BillMe Milan.Demon.270 Milan.Demon.272 Milan.Exterminator.429 Milan.Exterminator.451 Milan.Naziskin.270 Milan.Naziskin.335 Milan.Naziskin.903 Milan.New_BadGuy Milan.Sabrina Milan.Verbatim Milan.Vivisex Milan.WWT.125.A Milan.WWT.125.B Milan.WWT.125.C Milan.WWT.67.A Milan.WWT.67.B Milan.WWT.67.C Morrison Mr_Twister MSK.272 MSK.284 Nanite Naught.712 Naught.865 Necro.A Necro.B Necropolis.A Necropolis.B 
Necropolis.C Nice.A Nice.B No_Party Number_1.A Number_1.AIDS.A Number_1.AIDS.B Number_1.C Number_1.D Number_1.fiis Number_1.Sman Oops Orchid.120 Over1644 Peace_SA PHB.4315 Rigor.373 Rigor.425 SHHS.585 SHHS.591 SHHS.600 SillyOR.101 SillyOR.102 SillyOR.107 SillyOR.109 SillyOR.112 SillyOR.60 SillyOR.66 SillyOR.68 SillyOR.69 SillyOR.74 SillyOR.76 SillyOR.77 SillyOR.88 SillyOR.94 SillyOR.97 SillyOR.98 SillyOR.99 Simple_Minded.123 Simple_Minded.128 Simple_Minded.207 Slugger Stranger Su Sum Syrian.241 Syrian.412 Terminator.918 Trivial.102 Trivial.146 Trivial.157 Trivial.177 Trivial.178 Trivial.22 Trivial.23 Trivial.24 Trivial.25.A Trivial.25.B Trivial.25.C Trivial.26.A Trivial.26.B Trivial.26.C Trivial.27.C Trivial.27.D Trivial.28.C Trivial.29.A Trivial.29.B Trivial.29.C Trivial.29.D Trivial.29.E Trivial.30.A Trivial.30.B Trivial.30.C Trivial.30.E Trivial.30.F Trivial.30.G Trivial.30.H Trivial.31.A Trivial.31.B Trivial.31.C Trivial.32.A Trivial.32.B Trivial.32.C Trivial.33.A Trivial.33.B Trivial.34 Trivial.342 Trivial.346 Trivial.35 Trivial.36.A Trivial.36.B Trivial.36.C Trivial.36.D Trivial.37 Trivial.38.A Trivial.38.B Trivial.39.A Trivial.39.B Trivial.39.C Trivial.40.A Trivial.40.B Trivial.40.C Trivial.40.D Trivial.40.E Trivial.40.F Trivial.40.G Trivial.42.A Trivial.42.B Trivial.42.D Trivial.42.E Trivial.42.F Trivial.42.G Trivial.42.H Trivial.42.H Trivial.43.A Trivial.43.B Trivial.43.C Trivial.43.D Trivial.44.A Trivial.44.B Trivial.44.C Trivial.44.D Trivial.44.E Trivial.45.A Trivial.45.B Trivial.45.C Trivial.45.D Trivial.45.E Trivial.45.F Trivial.46.A Trivial.46.B Trivial.50 Trivial.54 Trivial.66 Trivial.68 Trivial.81 Trivial.82 Trivial.85 Trivial.89 Trivial.90 Trivial.92 Trivial.97.A Trivial.97.B Trivial.Ansibomb Trivial.Banana.A Trivial.Banana.B Trivial.Banana.C Trivial.Banana.D Trivial.Banana.E Trivial.Banana.F Trivial.Banana.G Trivial.Banana.H Trivial.Banana.I Trivial.Banana.J Trivial.Banana.K Trivial.Banana.L Trivial.Explode Trivial.Hanger Trivial.Hastings 
Trivial.Infernal Trivial.LSD Trivial.NKOTB Trivial.Tom Trivial.Vootie.A Trivial.Vootie.B Trivial.Vsafe Trivial.Wolverine VCL.347 VCL.356 VCL.386 VCL.394 VCL.409 VCL.418 VCL.457 VCL.481 VCL.509 VCL.526 VCL.527 VCL.541 VCL.663 VCL.Butthole VCL.Cockroach VCL.Divide.546 VCL.Divide.554 VCL.Jam VCL.Lock_Up VCL.Mindless.423.A VCL.Mindless.423.B VCL.Mindless.423.C VCL.Mindless.423.D VCL.Mindless.429 VCL.Muu VCL.Necro.EXE.A VCL.Necro.EXE.B VCL.PopooLar VCL.Richard's_Trojan VCL.Viral_Messiah VCL.Viral_Messiah.703 VCL.VoCo Vengence.A Vengence.B Vengence.C Vengence.D Vengence.E.610 Vengence.E.639 Vengence.F Viruz Wonder Yukon Zero-to-O ZigZag.127 ZigZag.232 _127 _81

------------------------------

Date: Sat, 28 Jan 95 06:24:18 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: what's wrong? (PC)

rgmckay@acs.ucalgary.ca (Ryan Garth McKay) writes:

>First question I have for the experts is as follows.
>Is it possible for a virus to hide in a gif/jpeg?

No.

>Is it possible for a virus to be split between two of the above
>and become active when the two files are downloaded?

No.

>My brother found a virus before it was too late. It was located
>in two separate gif/jpeg files.

Sorry. That is not possible. Real GIF/JPEG files are not executable, and simply cannot contain viruses. Of course somebody could take an infected EXE file, rename it to .GIF, but you would have to rename it back and run it for the virus to spread.

-frisk

------------------------------

Date: Sat, 28 Jan 95 18:56:42 -0500
From: DR TE$TH & THE ELECTRIC MAYHEM
Subject: Can someone tell me about LITTLE_R (PC)?

We've got a bit of a problem here in our labs with a virus called [little_r]. Does anyone out there have any information on it? How do I remove it? The biggest question on my mind is how does it travel? I had an infected computer, and went through and scanned a couple disks that had been in contact with it. They were clean.
I even TRIED to infect a disk with every method of looking at a disk that I could think of; dir, scan, chkdsk, scandisk, etc.

Can anyone give me any info?

rOn

--
The usual disclaimers apply anywhere you can find a sticky spot...
Attention LISP programmers: Due to the holiday next week, there will be no garbage collection on Monday.
Ash doesn't compile code he doesn't understand.
ME: http://sleepy.usu.edu/~ronb/
I manage the USU Fencing Club home page: http://www.usu.edu/~fencing/index.html

------------------------------

Date: Sat, 28 Jan 95 19:33:11 -0500
From: aturner@netcom.com (Aaron Turner)
Subject: F-Prot TSR for Windows? (PC)

Hey all,

I've been checking out some AV software (TBAV 6.13 & F-Prot 2.16). I noticed that TBAV has a program to run under Windows for its DOS based TSR. F-Prot doesn't seem to have this. Does this mean that F-Prot's VIRSTOP can't detect virii when Windows is running? I would have used TBAV, but it and 32bit File Access don't get along. Anyone know when we should expect a fix?

Thanks for the clarification.

Aaron Turner                * DIE CHARGERS! The new AFC lambs to the slaughter! *
aka: aturner@netcom.com     * --Hanlon's Razor: Never attribute to malice that  *
soph.@Cal.St.Univ.Hayward   * which is adequately explained by stupidity.       *
finger for more info & PGP  ***** GO 'NINERS!--The new NFC Champions! *****

------------------------------

Date: Sat, 28 Jan 95 22:07:12 -0500
From: Michael Powers
Subject: Re: ANTICMOS B ... Need help removing... (PC)

Robert Trent Burkey writes:

>McAfee 2.1.3 and 2.1.4beta detected the ANTICMOS B virus on 2 of our
>machines. It was said to be located in the Master Boot Record. Neither
>version can clean this virus... Additionally, Norton antivirus (1992-93)
>failed to detect this virus (runs in background as intercept).

If all else fails to get rid of it and you are running MS DOS use FDISK /M . This rebuilds the Master Boot Record. There is a document about it in the Microsoft Knowledge Base.
I believe you can reach their site at ftp.microsoft.com by ftp. There is also a WWW page which I believe is htpl.microsoft.com or something similar. It is also available through compuserve and probably at least America On Line. The Knowledge base also has some comments about getting rid of the same in the unused MBR of a doublespace drive. It does suggest that you back up the disk before running FDISK this way.

------------------------------

Date: Sat, 28 Jan 95 22:34:39 -0500
From: mitch@pipeline.com (Mitch Davis)
Subject: Integrity Master (PC)

I just picked up a copy of Integrity Master by ASG or Stiller Research by FTP. This program appears to get into some very intimate relations with one's hard-disk and I'm concerned that if it has any bugs, these might lead to troubles on my disk. Has anyone had any experience with this program? Any comments would be very much appreciated.

Please email replies to mitch@pipleline.com

Thanks,
Mitch Davis.

------------------------------

Date: Sun, 29 Jan 95 00:04:31 -0500
From: rdauman@ix.netcom.com (Robert Dauman)
Subject: Dr. Solomon's virus tool kit (PC)

I have heard a lot about Dr. Solomon's virus tool kit (I believe it was Dr. Solomon, I know it was Dr. something), and I would like to know if it is available for download on any FTP servers. If anyone can provide me with any info about how I can acquire this product I would be most appreciative.

Thank you for your help,
--Rob

--
*****************************************************
*                   Robert Dauman                   *
*               rdauman@ix.netcom.com               *
*****************************************************

------------------------------

Date: Sun, 29 Jan 95 00:06:38 -0500
From: an448@freenet.carleton.ca (Yves Bellefeuille)
Subject: Recommendations for behaviour blocker? (PC)

I'd like to get recommendations for a behaviour blocker (generic monitor) for a PC. It can be commercial or non-commercial, or even a discontinued product.

If responses warrant, I'll post a summary. Thanks in advance.
--
Yves Bellefeuille, Ottawa, Canada
an448@freenet.carleton.ca (finger here for PGP key)
ua294@fim.uni-erlangen.de

------------------------------

Date: Sun, 29 Jan 95 12:32:09 -0500
From: donmah@freenet.edmonton.ab.ca ()
Subject: What is the best virus checker (PC)

I plan to start a business selling software and would like to know which product has the best virus checker? I am interested to know which company keeps a continual update for its customers as I find this service essential. My candidates are Microsoft, Central Point and Norton Utilities?

------------------------------

Date: Sun, 29 Jan 95 18:07:07 -0500
From: Glenn Firester
Subject: Re: Answers about NYB (with interesting "payload") (PC)

NAV 3.05 will kill NYB, so will F-PROT

------------------------------

Date: Mon, 30 Jan 95 09:53:30 -0500
From: leperdi@monviso.alpcom.it (Audric LEPERDI)
Subject: Re: Characters disappear on printouts !! (PC)

I have the same problem!

I'm running
DOS 6.22 (Italian version)
Windows for workgroup 3.11 (Italian version)
I have a HP560c, AMI bios..

I thought I had the .ini screw-up somehow so I re-installed Windows and Office Pro, still...

I wonder if someone else has the same problem.

--
Audric LD Leperdi
a.leperdi@pmn.it

------------------------------

Date: Mon, 30 Jan 95 09:53:43 -0500
From: ratrain@technet.sg (ratrain@technet.sg)
Subject: Virus SAMPO?! (PC)

There are a lot of PCs here having "sampo" virus. Anybody has idea about what is the worst result of this virus? How can I clean it if possible.

Thanks in advance.

ratrain@technet.sg

------------------------------

Date: Mon, 30 Jan 95 09:53:37 -0500
From: noel@giskard.rdt.monash.edu.au (Noel Rode )
Subject: JUNKIE.BOOT virus in game (PC)

I spent some time recently getting rid of the JUNKIE.BOOT virus off my cousin's PC. I think if I had V214 of McAfee scan at the time it would have helped a lot.
The only problem I had with scan was that I had to reboot the machine each time scan found and tried to remove the JUNKIE.BOOT virus from a diskette. Scan would find and remove the first detected virus and any following viruses found would be reported as "JUNKIE.BOOT+emr" and could not remove the virus. The virus would also be loaded into memory when first detected and hence needed to be rebooted.

I located the source where I got the virus from. It came from a game called "Quarter Pole" by Microleague. Each of the four (write protected) disks were infected.

I'm sure it must have been said many times before but please be sure to scan ANY new disks purchased before making use of them.

Noel Rode

--
/ Noel J. Rode (Ph.D Candidate)          e-mail: noel@rdt.monash.edu.au \
| Dept. Robotics and Digital Technology  Phone : +61 3 905 3575         |
| Monash University, Clayton Campus,     Fax   : +61 3 905 3574         |
\ Melbourne, Victoria, Australia 3168    ...Hi There.                   /

------------------------------

Date: Mon, 30 Jan 95 09:53:47 -0500
From: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Subject: form and dbltrbl (PC)

   From: "Meswani, Prashant [MIS]"

   Leeds Metropolitan University have been hit by the Form.a virus.
   This problem is easily resolved on non double-spaced machines, but not
   on machines with this software.

a> you're running dblspace, big mistake

b> can't you do your fix on drive H: or whatever dbldeath swaps C: with? Or boot from a floppy and do it in an untainted environment?

_H*

------------------------------

Date: Mon, 30 Jan 95 11:48:35 -0500
From: swidlake@rl.ac.uk (S Widlake)
Subject: Re: AntiEXE virus (PC)

bhinsee@halcyon.com (Bill Hinsee) writes:

>My office has had numerous run-ins with a virus called AntiEXE (the
>name given by mcafee's virusscan). Does anybody know what exactly this
>virus does? All I've seen it do is slow the pc's down considerably.

Ah, a question about the AntiEXE virus, just what I was waiting for...
I'm a bit surprised that McAfee's SCAN recognises it as "AntiEXE" - you must be using version 2.x.x - all versions 1xx identify it as "NewBug [genp] or [genb]", i.e. they didn't identify it at all.

AntiEXE, as recognised by Fridrik Skulason's F-Prot package and also Dr. Solomon's Anti-Virus ToolKit FINDVIRU program, is a pretty trivial Master Boot Record / Boot Sector virus - it just spreads (copies itself), it doesn't DO much of anything else.

This is the AntiEXE info. taken from F-Prot Version 2.16... There are a few tiny errors that I'll point out along the way.

Name: AntiExe
Alias: D3, NewBug, CMOS4
Origin: Russia
Type: Resident Boot MBR

Solomon's used to call it D3, I've forgotten why.

AntiExe is a boot sector virus, infecting floppy boot records and hard disk master boot records. The virus is not encrypted.

The virus will only infect hard drives when an attempt to boot from an infected diskette is made. Once the virus has infected the hard drive, all non-protected floppies used in the machine will be infected.

i.e. Not too easy to catch but spreads itself very effectively

AntiExe is one of the few viruses which overwrite the MBR without saving a copy of it somewhere else on the hard disk. The virus is based on a normal DOS MBR code, and contains all the functionality of it.

Wrong - You'll find your good unencrypted MBR in Sector 13 (That's Cylinder 0 - Head 0 - Sector 13)

If the virus founds that more than one partition has the active partition mark set, the virus will try display a message and then enter an infinite loop. The code to display the message does not work as intended, and displays garbage. The text is encrypted, and cannot be decrypted because of the bug.

If the virus FINDS that more than one partition has the active partition mark set... then there's something really wrong with the partition table and the drive will be unbootable - You see, you "can't have" more than ONE "active" partition.
If a system is booted from an infected diskette, the computer will automatically boot up from the hard disk instead of displaying the usual 'Non-system disk' error.

Wrong - 100% wrong. Exactly the opposite will occur - the usual "Non-system disk" error will be displayed - you get the "usual" "Bzzzt. You're trying to boot a data disk, try again" response.

AntiExe is a stealth virus; when active it will present the original MBR and diskette boot sectors when inspected. It also blocks any writes to the MBR and diskette boot sectors by converting the write operation to a 'reset disk' operation.

I haven't checked this... it might even be true...

One special thing about the AntiExe virus is that it redirects the BIOS disk interrupt 13h to unused interrupt D3h - this way the virus can bypass some behaviour blocker programs.

Ah, that's why - D3 - I remember now.

If Ctrl-Break is pressed while the virus is doing disk-access, the virus enters it's destructive phase. At this time it overwrites the first 8 sectors of every head starting from sector 4, head 0.

Nope, never once observed nor ever even heard of anything like this.

AntiEXE targets an unknown EXE file, sized 200256 bytes. Whenever this specific EXE file is accessed, the virus corrupts it's contents.

This may well be true. Why else would it be called "AntiEXE".

[Analysis by Mikko Hypponen/Data Fellows Ltd & Jeremy Gumbley/Symbolic]

Now you've read this you probably think I'm on some sort of "crusade" against F-Prot. Well, let me state that I'm NOT - I think F-Prot is one of the very best anti-virus packages out there (far, far better than junk like MSAV & CPAV) and would recommend it to everyone with a PC - I AM on a "crusade" against this damned AntiEXE virus.

One of "our dear users" first caught this virus, oh, about 10 months ago and it keeps on coming back! Can I get them to check ALL of their floppies ??? Of course not - they're just not bothered... Anyway, I haven't seen this virus so far this year...
FYI - Data Fellows & Frisk "know" about this little error which first came about in version 2.15 (2.14 was OKay) but is still wrong in the new (read current) version 2.16 - I'd posted to a different group ;-)

HEY FRISK - fix the ANTIEXE info. screen - someone has "broken" it.

Once again, I'll say that Frisk's F-Prot package is one of the very best, it's just that passing around bad virus info. is not good ;-(

What do I use - Dr. Solomon's Anti-Virus ToolKit - it's the Dog's B...

S.

- - -- sig II
Still Under Construction ...

------------------------------

Date: Mon, 30 Jan 95 15:30:34 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Novell Lab protection.... (PC)

Garrett Mead 25 Jan 1995 13:10:41 - Wrote:

>I am interested in providing the best overall virus protection for my
>Netware 3.11 100 user Novell network. Last semester I had a really bad
>run-in with viruses (and for those of you running campus labs, finals
>week is bad enough WITHOUT the added problems of viruses :) )

Yes, Networks have enough problems to add some more to the list.

I really know You need to provide the best "overall" protection to Your network and system, but there is a little problem in determining which product is the "overall" (the best, the top, etc).

The detection ratio of Anti-Virus products varies depending on how much the product is updated by the company that researches and produces it.

Accuracy (the capability of the product to identify Exactly the virus found) is another very important item to consider. What happens if You remove a virus in a NON PROPER way ???

As You see, the BEST overall technique to avoid viruses is to have:

1) A combination of at least two products. (Maybe Shields, Scanners, Integrity Checkers, Behaviour Blockers)

2) A good policy of security (A serious one, that considers disasters and the way to restore critical data again in a short period of time.
That includes Backups, Inventory of Diskettes, Buy ORIGINAL products, etc )

> I would be interested in hearing from those of you who are running
> networks about your system of protection. I would like to hear both about
> share-ware setups and commercial, as I am prepared to spend the money on
> commercial if necessary.

Well, here (in Argentina) people who have Networks buy different products. I have a client that runs Integrity Checking (three days a week) on a Novell 3.12 and hasn't had problems in two Years. Of course this client has good disaster policies too!!

Other people run McAfee Scan, others F-prot, Tbav, etc. Opinions are divided here ...

I clarify to You that the important part of Shareware is Registration, because You have a lot of benefits from it.

>
> I am particularly interested in a process that a Macintosh program (I
> think it is Gatekeeper or something thereof) uses. I believe that this
> program does a scan anytime a new floppy is placed in a drive. Is there
> an IBM equivalent?

Norton Antivirus 2.0 does that. I'm not quite sure if version 3.0 does it.

> I would like to hear from those of you protecting your labs in the
> following areas.
>
> 1) how do you protect your individual workstations? Which products do you
> recommend. Which should I stay away from?

Well, maybe some kind of shield. You could use the products I recommend at the bottom.

> 2) If you run any other protection other than what is inherent in Novell,
> what products do you use? Which should I not use?

You have some products for Novell.

- - Inoculan.
- - Netshield.
- - Intel Lan Protect.
> If you can, please include any information you have on the products that
> you recommend (ie ftp sites or addresses and telephone numbers)

I strongly recommend these products and they run over Networks:

* Integrity Master (Ver 2.31 c -> Stiller Research)
  product of USA
  904-575-7884 fax
  904-574-0920 voice

* F-prot (Ver 2.16 -> Frisk)
  product of Iceland (with distribution in your country too)
  +354-5-617274 fax
  +354-5-617273 voice

Kind Regards
Ruben Arias

- -----------------------------------------------------------------------------
Ruben Mario Arias
E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus
Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Mon, 30 Jan 95 16:53:25 -0500
From: cosmo@iglou.iglou.com (Jim Hetzer)
Subject: Filer Virus (PC)

Anyone have any info on how to get rid of Filer Virus?

Cosmo

- --
The Denton Affair
Cincinnati's Homeless Rocky Horror Picture Show
Acting Media Coordinator / Cast
Cincinnati Fan Club Representative R-174
- ------------------------------------------------------------------------------

------------------------------

Date: Mon, 30 Jan 95 17:30:10 -0500
From: lrxi00@icts01.Kodak.COM (James Nonnemacher)
Subject: Mr. Ed virus?? (PC)

Does anyone know if there's a Mr. Ed virus? Symptoms are corrupted word processor files (also others possible) where the first line reads, "Mr. Ed," with much gibberish in the remainder of the document.

Any info would be appreciated.

------------------------------

Date: Mon, 30 Jan 95 21:06:58 -0500
From: E_CAJIGAS@UPR1.UPR.CLU.EDU
Subject: Newbie: Genp virus infecting our computers please help!!! (PC)

Hi...

Please excuse me if this issue was already discussed. I'm a new member of this list. I sent a message with INDEX VIRUS-L to the listserv but the list came back empty. I also read the FAQ but I can't find help with my problem.
My problem is that computers in the laboratories are infected with the GENP virus. McAfee vshield detects the virus and locks the computers (the /LOCK flag is used). When I run McAfee VIRUS SCAN it says that the GENP virus was detected on the boot sector, but no virus remover is available and it cannot remove the virus.

Can somebody tell me what I can do to clean the GENP virus? Please help me!!!

P.S. I tried different versions of SCAN (111, 117, 213, 214) downloaded from ftp.mcafee.com

Edilberto Cajigas
e_cajigas@upr1.upr.clu.edu

------------------------------

Date: Tue, 31 Jan 95 09:04:18 -0500
From: Gilad Benjamini
Subject: Carmel anti-virus for Windows Beta (PC)

There is a rumour that it is on the net. Where? Please answer by e-mail, since I don't read this group very often. Thanks.

------------------------------

Date: Tue, 31 Jan 95 15:38:44 -0500
From: rbyrne@cs.mun.ca (Robert John Byrne)
Subject: I just got junked - I think (PC)

OK, I downloaded the demo for Dark Forces a little while ago from a legitimate site. A local software store wanted a copy of the demo, for advertising purposes to get more pre-orders. That's cool. Anyway, a friend of mine brought the disks into the store and all was well. Two days ago, he returned for the disks and the guy at the store said the disk was contaminated with the "junkie" virus. Well, that means the virus is on my PC, and has been for over a month. I just picked up some of the latest virus scans, cleaners, and protectors, but I have a feeling it is too late. I might have to format both hard drives if enough files are damaged. Anyway, I forget the site name, but I have it written somewhere. I'll let everyone know where it is asap.

------------------------------

Date: Tue, 31 Jan 95 16:29:48 -0500
From: knielson@joule.elee.calpoly.edu (Kristoffer Carl Nielson)
Subject: dir | more shows 2 extra files (PC)

Anyone know of a virus that shows itself when dir is piped through more?
When I do this, two extra files show up -- they are 8 seemingly random letters with no extension. Note: this only occurs when I bypass my autoexec. (I have read the FAQ and found nothing that looks similar)

I know of one other person that had this virus. He had to wipe his drive to get rid of it.

Thanks for any help.

Casey.

------------------------------

Date: Tue, 31 Jan 95 19:35:31 -0500
From: dylan@glue.umd.edu (Dylan J. Greene)
Subject: 32-bit antivirus for Win95 (PC)

The current Win95 beta warns in the readme not to use Norton Antivirus. The readme also says that virus protection programs can detect, but not clean, viruses in 95 because virus protection programs use low level writes that will damage 95's long file names.

What should Win95 users do until 32-bit antivirus programs are available? Will Microsoft provide one (like in MS DOS 6.x)?

Thanks for any insight or help, and please refrain from Win95/96 comments, as they are not appropriate in comp.virus.

------------------------------

Date: Wed, 01 Feb 95 02:38:33 -0500
From: oliver@tid.es (Nuria Oliver Ramirez)
Subject: Grover PC virus (PC)
Keywords:

My brother has a PC virus called "Grover" in his PC. He has an antivirus program called "Artemis", but I do not know which version it is. I would like to know anything else about this virus, as well as a site where I can fetch via e-mail a good antivirus program (the last release of SCAN or some other antivirus)

Thank you very much!!!

##################################################
Nuria Oliver Ramirez
C/Padre Claret, 16, Esc.B, 3 A
28002 Madrid
Tfn. +34.1.519.52.98
Tfn. JOB: +34.1.337.99.07
Fax JOB: +34.1.337.42.22
oliver@tidos.tid.es (or oliver@tid.es)
##################################################

------------------------------

Date: Tue, 31 Jan 95 23:30:59
From: Orlando@medina.satlink.net (Orlando Medina)
Subject: Predator II virus (PC)

Hi,

I have 486 Dell computer that is infected with Predator II virus.
I know how to remove it, but I'm looking for more information about it. Could someone help me?

Thanks in advance.

- ---
Orlando Medina
E-mail: orlando@medina.satlink.net
Buenos Aires - ARGENTINA

------------------------------

Date: Wed, 01 Feb 95 09:52:33 -0500
From: vm110@satyam.jvnc.net (Dr.P.Vyasa_Murthy)
Subject: help needed on khobar virus (PC)

We are having a problem with the Khobar virus. Known characteristics are:

Eternal is also known as Fairzh, Khobar
Memory Resident and contains encrypted messages like:
"This is an illegal copy of Keypress Virus Remover"
"System Halted"
"Eternal Fair"

Affects .com and .exe files according to NAV version 3.00. NAV detects but does not clean. McAfee version 2.1.6 reports khobar as such in not only com exe files but also in .dll .vlm .386 .dat files. CPAV does not detect or clean this virus.

Nashot Antivirus program detects and cleans; but the files get affected again and again via Network (novell netware), and as the number of files affected is around 200, deleting all daily is problematic. Although the affected files have not been used at all, all files in any directory which has been accessed seem to be affected.

CAN SOMEBODY help?

Shall be grateful for a copy of your posting to the list addressed separately to me at: pvm@satyam.jvnc.net

Because of some storage problems I am unable to receive large mailings from several lists. THANKS

From: Dr.P.Vyasamoorthy, Satyam Computer Services Ltd.,
Mayfair Center, Sardar Patel Road, Secunderabad. Pin 500003 INDIA
Ph: +91-40-815854 Fax: +91-40-840058 Email: vm110@satyam.jvnc.net
----------------------------------------------------------------------

------------------------------

Date: Wed, 01 Feb 95 15:47:01 -0500
From: Daniel F Schmidt
Subject: Re: MONKEY Virus? (PC)

>Has anyone heard of a virus named MONKEY?

Yep. I almost had it...

>If so, email me some info if there is any.
OK; the virus you refer to is the Monkey Boot virus; it is a very annoying virus to say the least, and when I tried to remove it with McAfee's SCAN 213 it didn't work. However, there ARE special programs written to destroy this virus, one of which, KillMonk, I have been using for a while with great success.

Anyway, this virus bypasses VSAFE.COM from PC-Tools v8.0, and isn't even detected by CPAV or MSAV, and while McAfee detected it, the version I was using at the time, at least on the computers I tried it on, couldn't remove it. It gets into floppy disks quite nicely, be they in A: or B:, and it's caused one of my friend's computers to crash a few times, after which he had to re-install everything.

Anyway, I suggest you FTP (If you can) to oak.oakland.edu, go into the /simtel/msdos/virus directory, and get the file called killmnk3.zip. This program will remove the virus from floppies AND HDs, PROVIDED that you can do a clean reboot to make sure the virus doesn't load in memory. If it DOES load in memory, the program will not run and will tell you to reboot. If you have stacker or something like that, make sure to make a CLEAN boot disk with all the drivers you'll need to still run your compression (As I saw a message about someone who had Monkey Boot on a Stacked HD), and if you can't do that you can TRY doing a clean boot from C: (In DOS 6.0 and above, just hit F5 when it says, "Starting MS-DOS...").

I'm not sure if FDISK /MBR will remove this virus or not, as I haven't tried to remove it that way, but if you DO decide to use FDISK /MBR, be careful, esp. if your HD is compressed. I'm not sure what the effects are... Also, reboot IMMEDIATELY after running FDISK /MBR.

Anyway, I hope this helps you to get rid of it... Monkey Boot is HIGHLY annoying!

>A friend of mine found it on his network at work and asked me if i knew
>about it, i never heard about it..

Fun! I'm not sure where it originated from, but it seems to spread rather quickly...
>So any info is appreciated .. Thanks

No problem! BTW, if you can't FTP it, and you have the capability to UUDecode stuff, I can e-mail it to you. Just let me know...

I)aniel Schmidt
AKA [-(--)-]

------------------------------

Date: Wed, 01 Feb 95 16:55:31 -0500
From: emartini@netcom.com (Ed Martini)
Subject: Virus or bug? (PC)

Sometimes my system gets stuck in a mode where the prompt and a commandline get printed to the printer. Not the whole screen, but just the commandline.

I scanned with McAfee, and F-PROT, which turned up nothing. Once I found a diskette around that was infected with the FORM virus, but that has never shown up on my computer. No one else here has the same problem as I do.

I reformatted my disk and reinstalled DOS, which worked for a while, but it has since returned.

It's really annoying since the printer is on the net and remote, so I don't usually notice until someone prints something and there's no paper left because I've used it all up a line at a time.

As a workaround I either don't mount the remote printer, or I run Linux. 8^)

Any help will be appreciated.

Ed Martini
Senior Software Engineer
Digital Video Systems
Sunnyvale, CA

------------------------------

Date: Wed, 01 Feb 95 16:58:44 -0500
From: Robert Charles Mahar
Subject: Re: About memory scanning (PC)

Vesselin Bontchev writes:

>So, as we can see, the virus cannot "hide" (because the scanner can
>look anywhere), and it cannot intercept the memory access operation
>and modify its result - therefore, no "memory stealth". About the only

Hi again - actually there are plenty of DOS machines using the basics necessary for a "memory stealth": all you need is a '386, which has an integral MMU. QEMM386, for example, uses this to creatively rearrange things. This is why a wayward DOS program can generate a GPF exception on a machine that *you* consider "just a DOS machine."
It might be easier than you would think to "hide" large pieces of RAM and then bring them back into the address space as needed...

- --
Bob Mahar

------------------------------

Date: Wed, 01 Feb 95 16:58:49 -0500
From: Robert Charles Mahar
Subject: Re: About memory scanning (PC)

Fridrik Skulason writes:

>The problem ? Well, assume you are scanning a network from an infected
>workstation. Then you cannot use INT 13 .... and if the scanner does not
>notice the virus in memory, it may infect the entire server while scanning.

Only if the login / account used by the workstation has the rights to modify files. I use on my Novell servers an "impotent supervisor" login that has read/file-scan rights to all volumes. There is no way any workstation bound virus can use virus scanning of the server to damage files. Remember, on a server the workstation can only do what it has rights to do: more a matter of proper network admin. rather than virus protection.

I frequently use a couple of scanning programs to check my servers. In addition I sweep the servers looking for files that are potentially infectable: binaries with excessive access rights.

In addition to these measures I use a PC with its own copies of the novell binaries & without a floppy drive. The machine never gets exposed. This machine is used when I *do* have to login as supervisor. I have a bootable floppy I use in the field if I am forced to use another PC - i.e. a "safe sex" approach to network management

- --
Bob Mahar
rcmahar@delphi.com

------------------------------

Date: Wed, 01 Feb 95 21:40:58 -0500
From: bc7228302@omega.ntu.ac.sg
Subject: Help on [GenP] virus needed urgently!!! (PC)

Hi. I'm new in this group and would hope that someone here could help me out. Recently, my system was infected with a [GenP] (generic partition virus) identified by Scanv117 by McAfee. I managed to run Cleanv117 to remove it from my memory. (The virus, whatever its actual name was, took up about 2k of the 640kb memory.
I know since I ran the mem command before and after I cleaned it.)

My problems are:

Is there any way I can be certain that Cleanv117 has really removed/destroyed the virus from my system harddisk? I couldn't afford to reformat the harddisk since I didn't make a backup. (Don't worry, I've learned my lesson and have actually purchased another harddisk to do the backup.)

Secondly, how can I find out if the virus actually did any damage to my system? Currently I'm doing the brute force method by running all my programs and data files. Is there a more efficient method to check? (The only info I can provide is that the virus was on my system for 24 hours, but I only turned on the system for about ten minutes, whereby on running the virus scanner I spotted it and immediately ran Cleanv117, i.e. I got the virus say on Wednesday morning, turned off the system, turned it back on on Thursday morning and found it using Scanv117.)

Thanks in advance for any info provided. Please email replies to BC7228302@ntuvax.ntu.ac.sg

Wee Eu Gene
BC7228302@ntuvax.ntu.ac.sg
Student of Nanyang Technological University, Singapore

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 9]
****************************************
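
Added example (not part of the digest or of any product named in it): a small checker for a saved 512-byte master boot record image, covering two points raised in the posts above, the AntiEXE remark that a partition table "can't have" more than one active partition, and the [GenP] question of how to confirm the hard disk's boot code is back to a known state. The function names, the sample images and the idea of keeping a SHA-256 baseline of the boot code are assumptions made for this illustration, and the layout assumed is the classic DOS one (boot code in bytes 0-445, four 16-byte entries from offset 446, `55 AA` at offset 510).

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446       # boot code occupies bytes 0-445 in the classic DOS layout
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510   # bytes 510-511 must be 55 AA


def parse_partition_table(sector):
    """Return the four partition-table entries of a 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    entries = []
    for index in range(4):
        raw = sector[TABLE_OFFSET + index * ENTRY_SIZE:
                     TABLE_OFFSET + (index + 1) * ENTRY_SIZE]
        lba_start, sector_count = struct.unpack_from("<II", raw, 8)
        entries.append({"index": index, "boot_flag": raw[0], "type": raw[4],
                        "lba_start": lba_start, "sectors": sector_count})
    return entries


def boot_code_sha256(sector):
    """Hash only the boot code, so repartitioning does not change the baseline."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


def check_mbr(sector, baseline_sha256=None):
    """Return a list of findings; an empty list means no check failed."""
    entries = parse_partition_table(sector)
    findings = []
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        findings.append("missing 55AA boot signature")
    for entry in entries:
        if entry["boot_flag"] not in (0x00, 0x80):
            findings.append("entry %d: invalid boot flag 0x%02x"
                            % (entry["index"], entry["boot_flag"]))
    active = [e["index"] for e in entries if e["boot_flag"] == 0x80]
    if len(active) > 1:
        findings.append("more than one active partition: %s" % active)
    if baseline_sha256 and boot_code_sha256(sector) != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    return findings


def build_sample_mbr(boot_flags, boot_code=b"\xfa\x33\xc0\x8e\xd0"):
    """Constructed sample: dummy boot code plus one FAT16 entry per flag."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for index, flag in enumerate(boot_flags):
        entry = struct.pack("<B3sB3sII", flag, b"\x01\x01\x00", 0x06,
                            b"\x0f\x3f\x20", 63 + index * 2048, 2048)
        start = TABLE_OFFSET + index * ENTRY_SIZE
        sector[start:start + ENTRY_SIZE] = entry
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr([0x80, 0x00])
    baseline = boot_code_sha256(clean)   # record this while the disk is known clean
    samples = {
        "clean": clean,
        "two active": build_sample_mbr([0x80, 0x80]),
        "changed boot code": build_sample_mbr([0x80, 0x00], boot_code=b"\xeb\x1c\x90"),
    }
    for name, image in samples.items():
        print(name, "->", check_mbr(image, baseline) or "ok")
```

The image should be taken after booting from a clean, write-protected floppy: as the F-Prot text quoted in the AntiEXE post notes, a stealth boot virus that is active in memory presents the original MBR when the sector is inspected.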