VIRUS-L Digest   Friday, 10 Mar 1995   Volume 8 : Issue 23

Today's Topics:

Virus suite?
[Q] How to load McAfee virus S/W and other questions
Statistics
Re: Does Unix Virus Protection Exist? (UNIX)
Re: Does Unix Virus Protection Exist? (UNIX)
Any cure for DH2 Virus (PC)
Re: New Virus? (PC)
Coffee Shop (PC)
Re: F-PROT Gatekeeper Antivirus - free test phase in progress (PC)
Re: STELBOO virus (PC)
procedures to follow (PC)
Taipan (PC)
Microsoft and Form (PC)
Strange messages in BS : here is the response ... (PC)
DAME (PC)
FORM (PC)
My comments about Invirci (PC)
Re: In Vircible - A Recent Review - Where to obtain? (PC)
PMBS - info? fix? (PC)
Re: MONKEY-2 help! (PC)
Re: Virus - Espejo (PC)
Re: Virus on Night Owl 15 CD (PC)
Help to kill "Parity Boot" Virus!!! (PC)
Re: Looking for info on Vsign/Cansu virus (PC)
Question about F-Prot (PC)
Virus scan software for Windows NT 3.5 Server (PC)
Triple Virus Protection all in one. (PC)
Re: What virus is this? (PC)
Re: Fighting The Stealth C (PC)
newest mcafee scanner (PC)
Need help removing WXYC boot partition virus (PC)
HELP !!! Michelangelo Virus !!!!!
Need Info about viruses? Get VSUM... (PC)
Vinchuca 1.0 (PC)
Ripper Virus : Please Help (PC)
Re: F-PROT, VIRSTOP & Windows? (PC)
Re: help I have a virus.. I think. (PC)
Whisper Virus Info (PC)
SToned, RM (PC)
Re: Junkie (Junkey, Junky) Virus (PC)
Re: Wanted: anti-virus recommendation (PC)
Re: NYB Virus (PC)
Diaria virus (PC)
F-PROT 2.16D is out (PC)
Re: Stoned.Empire.Monkey.B vs. F-Prot\Gatekeeper (PC)
Anti-CMOS.B plague?!? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 03 Mar 95 12:48:35 -0500
From: Mesmer@ix.netcom.com (John Harrington)
Subject: Virus suite?

I am looking for a file or a group of files that will _emulate_ viruses.

Some background: I teach a course in computers -- building, upgrading, repairing -- and include viruses and scanning in the course. I have a small collection of viruses that I can turn loose in the classroom and feel safe that they will not escape to the rest of the school; our classroom computers get reformatted frequently and no one in his right mind will copy from them. Still, I worry that one of the students will take home a copy of Possessed or Stoned or GenB inadvertently.

Does anyone know of the file or files that I am looking for?

- --
Mesmer
John Harrington, C.Ht.
1@2732 WWIVNet
Brandon, FL

------------------------------

Date: Sun, 05 Mar 95 12:06:21 -0500
From: forte2@ix.netcom.com (Derek Fort)
Subject: [Q] How to load McAfee virus S/W and other questions

I am looking for 'ftp' virus detectors. I was referred to [ftp://oak.oakland.edu/pub/msdos/viris/scanv###.zip] to get FTP McAfee Associates' scan program. I was able to get as far as [/virus] into the file, but I could not find the [scanv###.zip] file.

My questions are:

1) Where can (or how can) I get good virus scan software such as McAfee?

2) Where do I get the [*.zip] software to unzip it?
3) Is it true that one is relatively safe if one only downloads text and binary graphics files, but not binary programs?

4) My PC Tools software shows no viruses detected, but does show about 5 programs' checksums changed. Is this common?

- --
Thanks,
Derek
forte2@ix.netcom.com

------------------------------

Date: Mon, 06 Mar 95 04:19:38 -0500
From: "M.A.Jordan"
Subject: Statistics

Can anyone provide me with statistics (with sources) for:

The number of known viruses in existence, pref. for the last five years

The value of the worldwide (though US or UK would suffice) anti-virus software industry

Cheers

------------------------------

Date: Sat, 04 Mar 95 22:50:19 -0500
From: cj@mcs.com (Chris Johnston)
Subject: Re: Does Unix Virus Protection Exist? (UNIX)

Shahab R Khan wrote:

> I have gotten into a heated discussion with a friend about whether
> there are any Unix viruses out there. He believes there are. I
> don't think so.

I remember a paper Tom Duff presented at a Usenix Conference (San Diego), he had written a Vax/Unix executable virus. He also had a couple of Bourne Shell viruses, one of which was around five lines long. He even managed to infect a "high security" version of Unix. The senior management at Bell Labs asked him to give up this line of research.

Everything is possible...

best regards,
chris

------------------------------

Date: Mon, 06 Mar 95 11:11:53 -0500
From: daniel.zepeda@waii.com (Dan Zepeda)
Subject: Re: Does Unix Virus Protection Exist? (UNIX)

I guess it depends on your definition of "virus". If you think of a "virus" as some executable code that can replicate itself and possibly cause damage to filesystems, in-memory data etc, then most definitely there are Unix viruses. If you think of Viruses as some executable code that attaches itself to boot sectors of disks, other programs or data files, then no, there are no Unix viruses. I think that your friend is more correct in saying that there are Unix viruses.
To me, a virus is a program that can replicate itself, and spread itself across a bunch of computers. There have been several popular programs in Unix history that have done just that (Look up Robert Morris).

The difference between the operating systems lies in *how* the virus "infects" the computer. With DOS viruses, it is much easier, they can infect a computer in numerous ways, through program or data files, through the boot sector in disks, etc. Once executing, the virus can do anything it wants to with your computer. You can't do this in Unix, because all of the "important" functions are executed in "kernel mode", which is not available to a normal user. Attacks on Unix systems would involve some program gaining root access privileges to the machine, and then exploiting them from there.

I think that this is why you won't find many virus protection programs for Unix. With DOS, the virus programs all have some identifiable traits that a virus scanner can pick up on, such as the code that allows it to attach itself to other programs or boot sectors, the code that allows it to execute as a TSR etc. None of these functions is needed for a Unix "virus".

BTW, what do you think hackers that want to break into other systems write anyway? And do you think that viruses on DOS machines are not executed?

skhan@osf1.gmu.edu (Shahab R Khan) writes:

|> I have gotten into a heated discussion with a friend about whether there
|> are any Unix viruses out there. He believes there are. I don't think
|> so. I use SCO unix at work and grew up on Ultrix in school, and I never
|> heard of or came across any Unix viruses, as opposed to DOS viruses
|> which infect files and memory. I am telling him that threats to Unix
|> are of a different kind, those posed from hackers trying to break in,
|> and not files that corrupt memory and mess up other files. Though come
|> to think of it, I could write something that would do _some_ damage if
|> executed, but only if executed.
|> How can you have memory resident
|> viruses in unix unless they are booted up with the system? Also, I
|> have _never_ heard of any Unix virus protection software packages, even
|> shareware. Can anyone give us an idea which one of us is out of our
|> minds? I'd really appreciate the help.
|> In case you feel like engaging both of us in our so far stimulating
|> discussion, you can cc: him too, at azaidi@cne.gmu.edu.
|> Thanks in Advance!

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Paul Zepeda
Western Geophysical
Applied Technology Software - Testing
e-mail:
Voice: (713) 964-6338
Fax: (713) 964-6372
V-mail: (713) 963-2750 x6338

------------------------------

Date: Fri, 03 Mar 95 12:07:24 -0500
From: kmkwan@temasek.teleview.com.sg (Stephen Kwan)
Subject: Any cure for DH2 Virus (PC)

A couple of my computers in my office got infected with this DH2 Virus and almost all my diskettes got infected too.... Does anyone have the cleaner for this creature??? I've tried McAfee's Scan 2.15, which has no remover for this virus at the moment.... but can detect it.

------------------------------

Date: Fri, 03 Mar 95 13:34:21 -0500
From: Otto Stolz
Subject: Re: New Virus? (PC)

On Sat, 25 Feb 95 15:48:42 -0500 you said:

> F-PROT is detecting nothing.
> Microsoft Antivirus is detecting nothing.
> McAffee's SCAN is detecting nothing.

Apparently you have not got a long-known virus. Try the Heuristic mode of F-PROT to look for virus-like code.

> I got a message that said 'The file MAINMENU.EXE has been
> infected, you may have a virus.

Most probably, the program you are using does a self-check, and has found that it has been altered. Could be a virus symptom.

> I bring up MSAV and run it to see what that told me.

F-PROT will detect more viruses than MSAV, and identify them better.

> It seems that there were two or three 'executable' files
> that had increased in size by about a kilobyte each.
> But the size in which they increase seems to be different every time.
> It doesn't seem to infect already infected files.

These are typical virus symptoms. Could be a new file virus. Typically, file size increase differs by up to 16 bytes, to make the file size (before infection) a multiple of 16. Send a specimen of the alleged virus (i.e. a file that has grown in size plus a copy of the original file) to one or two anti-virus vendors. The file NEW_VIR.DOC from the F-PROT package tells you how to do this; probably, other anti-virus packages give similar advice in their documentation.

> It only seems to be infecting .exe files called from other programs.
> [...]
> It does not infect 'Telix' which I run directly from the dos prompt

Every program (except the ROM-BIOS, during boot-up) is run from another program. The command prompt comes from the COMMAND.COM program that will interpret the next line to be entered, and invoke the appropriate program via normal DOS services. I cannot guess the reason why Telix was not infected. Some viruses are indeed picky about the programs they infect; and a new virus may adhere to rules still to be discovered.

> The only thing that I can trace the virus to, is a UUDECODE program
> that I got off our schools 'vax' computer.

By applying DEBUG (sub-commands U and D), you may be able to extract a characteristic sequence of instructions found in all infected files, but not normally in other programs. If so, you can use your current F-PROT version to locate, and rename or delete, all infected files: in the Viruses submenu, add the search string you have decided on, then, in the Targets item of the Scan submenu, set User-Defined Strings to Yes. If you are not able to devise a suitable search string, you will have to wait for a response from one of the vendors you have supplied with virus samples.

> My next step was to re-format and install things from scratch.

This is probably not necessary.
Just delete, or rename, all infected files, then re-install these (as you need them, at all) from original, write-protected distribution disks.

Good luck,
Otto Stolz

- - --
He sniffs briefly, clamps the computer more firmly under his arm and leaps off. A tremendous bang, and the ... glass fills the old ... Gathman whimpers and rubs his badly ... "Windows for Beginners!!"
From: Der Stern #10 (3. M

------------------------------

Date: Fri, 03 Mar 95 16:39:50 -0500
From: (ISMO/CMS DSN 365-6958 ACID DASP30)
Subject: Coffee Shop (PC)

We have had the Coffee Shop virus on 2 separate DOS based PC's. It was detected by VDS version 3.0r and verified with IBMAV version 2.1. It had not been activated. It was found in an .EXE file which was inside a .ZIP file. A scan of the zip file using NAV version 3.0 with the "scan zip files" option on identified the virus. Clean-up was accomplished by positive erasure using Norton Wipeinfo.exe.

Coffee Shop is also listed by the names:
Coffee-1568
Coffeeshop

The virus origin is unknown at this time.

Have a disease free day!

***********************************
* Sgt Thomas E Davis              *
* Network Administrator/          *
* System Security                 *
* Camp Pendleton, Ca.             *
***********************************

------------------------------

Date: Fri, 03 Mar 95 18:03:23 -0500
From: Brian Risman
Subject: Re: F-PROT Gatekeeper Antivirus - free test phase in progress (PC)

Mikko Hypponen wrote:

> We are happy to announce that the free public test phase of our
> F-PROT Gatekeeper for Windows antivirus product has started
> today, the 22nd of February 1995.

I found that F-Prot Gatekeeper caused several crashes of my system due to memory violations! Any advice?

Brian

------------------------------

Date: Fri, 03 Mar 95 21:30:38 -0500
From: patp-nyc@ix.netcom.com (Pat Patterson)
Subject: Re: STELBOO virus (PC)

A friend reports that he has a virus that announces its presence when he turns on his laptop: "STELBOO virus is active" appears in a box on the screen.
He has been told to bring the computer into a shop where he will have to pay $75 to wipe everything off, put on an anti-virus program, and reload DOS.

Anybody know another solution?

Pat Patterson
patp-nyc@ix.netcom.com

------------------------------

Date: Fri, 03 Mar 95 21:54:55 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: procedures to follow (PC)

If you believe that you have a new or unknown virus, follow the seven steps below.

a. Boot from the hard disk of the computer suspected to be infected.
b. Format a low density diskette in A: of the infected computer.
c. Copy AUTOEXEC.BAT and CONFIG.SYS from C: to this diskette.
d. Copy all files loaded in AUTOEXEC.BAT and CONFIG.SYS to this diskette.
e. Copy a few COM and EXE files to this diskette, preferably programs that you often execute. Their size should be 10K - 40K.
f. Run all files on this diskette twice.
g. Mail to one or more of the A-V researchers.

Bill
9CCD47F3C765CA33 bill.lambdin@woodybbs.com C77D698B260CF808 <-PGP fingerprint codes

- ---
* CMPQwk 1.4 #1255 * KENEDY activates Nov 18th

------------------------------

Date: Fri, 03 Mar 95 22:14:33 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: Taipan (PC)

>eaiu184@ea.oac.uci.edu writes
>
>I recently came across the Whisper.Tai-Pan virus; luckily, I had the
>McAfee's VShield installed, and it managed to warn me about the virus
>and prevented the infected program from loading. Scan's /clean option
>took care of the infection.
>
>Could someone please tell me more about this virus? This is the first
>one I've encountered.

I am aware of two variants of Taipan.

Taipan.438: This is a resident infector of .EXE files, and infected files contain the following text "Whisper presenterar taipan". This virus is not stealthed, and infected files grow in size by 438 bytes.

Taipan.666: This is a resident infector of .EXE files.
Infected files contain the following text "DOOM2.EXE Illegal DOOM II signature Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2 Say bye-bye HD The programmer of DOOM II DEATH is in no way affiliated with ID software. ID software is in no way affiliated with DOOM II DEATH." This virus is not stealthed, and infected files grow in size by 666 bytes.

Neither virus is deliberately destructive.

Bill
9CCD47F3C765CA33 bill.lambdin@woodybbs.com C77D698B260CF808 <-PGP fingerprint codes

- ---
* CMPQwk 1.4 #1255 * JERUSALEM (Arnakia) activates Tuesday the 13th

------------------------------

Date: Fri, 03 Mar 95 22:27:25 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: Microsoft and Form (PC)

>gcluley@sands.co.uk writes
>You may be interested to hear that the top story in the UK at the
>moment is that according to reports in the computer industry press,
>Microsoft have accidentally distributed the Form virus.

I have heard similar reports before; but further investigation showed these people had bought a previously owned copy of Windows 3.1 that had been re-shrink-wrapped.

Bill
9CCD47F3C765CA33 bill.lambdin@woodybbs.com C77D698B260CF808 <-PGP fingerprint codes

- ---
* CMPQwk 1.4 #1255 * Trend Micro Devices. (800) 228-5651

------------------------------

Date: Sat, 04 Mar 95 07:05:22 -0500
From: mannig@world-net.sct.fr (Gerard Mannig)
Subject: Strange messages in BS : here is the response ... (PC)

Hi AV community!

Mikko HYPONNEN very quickly answered my mail to you, days ago. He asked me to forward the following posting to all. Here it is:

>> levy virhe tai ki seess.ei ole
>
>It's Finnish for 'Non-system disk or disk error'. This is the standard
>error message inserted to boot sectors by Finnish versions of MS-DOS.
>So, probably not a virus.
Thanks anyway for your responses

Regards,
Gerard

- ------------------------------------------------------------------------------
Gerard MANNIG   Virus Consultant
Phone/FAX : +33 (16) 3559-9344
EMail : mannig@world-net.sct.fr
Member of R . E . C . I . F   data +33 1 3415-4959 - Voice machine +33 1 3072-9443
- -=-=-=-=-=-= PGP public key available on request -=-=-=-=-=-=-=
Obstacles are those frightful things you see when you take your mind off your goals

------------------------------

Date: Sat, 04 Mar 95 09:02:33 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: DAME (PC)

chess@watson.ibm.com writes

>"DAME" is (among other things) an abbreviation for "Dark Avenger
>Mutation Engine", a piece of software that some

Dame is also the initials for Dark Angel's multiple encryptor.

Bill
9CCD47F3C765CA33 bill.lambdin@woodybbs.com C77D698B260CF808 <-PGP fingerprint codes

- ---
* CMPQwk 1.4 #1255 * KARIN activates Oct 23rd

------------------------------

Date: Sat, 04 Mar 95 09:03:35 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: FORM (PC)

>psykrdm@hhn1.hughall.nottingham.ac.uk writes
>Is it possible to remove the FORM_E (form variant) boot virus?
>
>If so how?

Form resides in the boot sector of diskettes, and the boot sector of the active partition of the hard drive. I have successfully removed Form by booting clean from a bootable diskette, then SYSing the active partition. On rare occasions when I have not had a bootable disk handy, I have SYSed the active partition, then turned off the computer for a few seconds, and booted from the hard drive.

To get rid of Form on diskettes, copy the files to the hard drive or another floppy, and format the infected diskette.
Bill
9CCD47F3C765CA33 bill.lambdin@woodybbs.com C77D698B260CF808 <-PGP fingerprint codes

- ---
* CMPQwk 1.4 #1255 * CASINO activates Jan 15th

------------------------------

Date: Sat, 04 Mar 95 09:06:33 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: My comments about Invirci (PC)

I am not saying derogatory things about Invircible just to be disagreeable. I tested Invircible myself, and found IV fatally flawed before Keith Jackson, and others reached this decision for themselves.

Here are some of the major flaws I found in IV 6.01B. I was unable to find 6.01C for testing.

The integrity checker in IV failed my modified files test (reported only 4 of 6 modified files). F-Prot professional, Integrity Master, TBAV, and Victor Charlie passed the same test with ease, then went on to detect every single virus I threw at them.

Invircible selects signatures from files instead of checking the entire file. This is a very stupid mistake. It would be better if IV checked the complete file, or calculated CRCs for the file. The signatures will miss viruses.

The integrity data files are placed in every directory, and all of the files are named IVB.NTZ. Meaning they are open to attack from viruses. To be fair; IV does have an option to rename these integrity data files, but end users will not rename the integrity data files unless they are educated about the importance of this issue.

Page 10 virus; deletes integrity data files used by CPAV, MSAV, and TBAV.

Groove virus; deletes integrity data files used by CPAV, NAV, NOVI, and Untouchable.

Any program that names all integrity data files the same, and places them on the hard drive is a SITTING DUCK for attack from a virus. If these data files are deleted or corrupted, the generic detection is gutted for all practical purposes. This is why I refuse to recommend CPAV, MSAV, and others.

The generic virus detector in Invircible only checks for modified executable files.
This sounds good enough, but it isn't near good enough! Frodo, Jerusalem, Green Caterpillar, and many many other viruses infect any file as they are loaded and executed with the DOS function call 4B used through Interrupt 21. I have seen overlay files, and executable programs loaded through this function call that happened to have the following extensions and others: .VR1, .DAT, .SRX, .PLX, .CVX

Let's use Invircible's own words against itself and assume IV CAN detect, and remove 100% of viruses it encounters. Since IV only checks executable files, if one or more of these overlay files get infected, the next time an infected file with non executable extension is used, the virus will start another infection, and at next bootup, IV would find the virus on executable files again. So IV would never eliminate all traces of the virus because IV doesn't have an option to check the integrity of ALL FILES.

Now let's take IV's claim to remove all viruses. This is blatantly preposterous. Either Zvi is poorly informed about viruses, and tricks viruses use, or he is lying. Some viruses are written so badly, they corrupt files. If you remove the virus, you have a program that no longer runs. Then you have to consider overwriting viruses that write the virus over an infected file. MPC.Sara (I believe this is the correct name) overwrites the file and discards the rest. There is no way anyone can build the file back to a functioning state when the entire file is gone! This is why I never recommend for users to remove viruses, but to delete infected files, and restore the files from original diskettes or backup. Cleaning should only be used as a last resort.

Viruses used in testing of IV 6.01B:

AIDS2
IV failed to detect and report the additional .COM files placed on the disk by the virus.

Cascade 1701B
Invircible detected the virus in RAM, and in infected files.

Frodo
IV reports Stealth virus in RAM when Frodo is in RAM.
When Frodo was not in RAM, IV successfully reports infected files.

Tremor
IV did not detect Tremor active in RAM, even though it had hooked into Interrupt 21, and taken 4288 bytes of RAM. IV failed to detect and report files infected with Tremor.

Trivial.Vootie.A
This virus overwrote every file on the disk including IV, all bait files, and IV's integrity data file. Since IV was overwritten, IV was not able to run. This is precisely why I recommend for the integrity checker to store all data files on a rescue diskette.

I sent private and encrypted E-Mail to Zvi Netiv (The author of Invircible) expressing my concerns about these security issues and offered him several suggestions to help him improve his program. Zvi responded with flames, and said he didn't want any of my suggestions good or bad!

It's true that I don't program in assembly, but I don't need to be an expert .ASM programmer to spot security problems in A-V software, especially when I work with viruses on a daily basis.

Vesselin Bontchev, Dr. Keith Jackson Ph.D, myself, and many others have offered comments to improve Invircible. Zvi doesn't appear to be interested in improving IV; because he returns with flames, and invents more technobabble than anyone else I know in the A-V industry. We don't offer these suggestions to be mean. We offer them so the program will evolve and become better. The end users of IV are going to be hit hard when they encounter a virus that happens to use one or more of these and other security flaws in IV.

I wish Zvi would spend a little time patching the gaping holes in IV instead of continuing to defend an undefendable position.

I am not an A-V developer, and I have no intention of doing so. Why would I write a substandard product when it could not possibly compete with AVP, TBAV, F-Prot, Integrity Master, or any of the plethora of other A-V software available. I am not affiliated with any A-V developer.
I recommend A-V software that has passed my tests, and I don't make one cent from this research. I do this because I find viruses extremely interesting.

Zvi implies that I am part of a conspiracy with Vesselin, Dr. Keith Jackson, Frans Veldman, and others to demolish the credibility of IV (after testing, I'm not sure IV has much credibility at all.). I make these comments because I found these flaws in IV myself, and will never recommend IV until most of these holes are patched.

Of course I will probably receive tons of hate mail from this article, but I refuse to be bullied into fostering a myth that IV is the best A-V program available.

Bill
9CCD47F3C765CA33 bill.lambdin@woodybbs.com C77D698B260CF808 <-PGP fingerprint codes

- ---
* CMPQwk 1.4 #1255 * Intel sent Michelangelo on copies of LANSpool

------------------------------

Date: Sat, 04 Mar 95 09:19:17 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: In Vircible - A Recent Review - Where to obtain? (PC)

fdeeg@ix.netcom.com (Fred Deeg) writes:

>What piqued my interest in this product was a recent newspaper article
>in a LA (CA-USA) newspaper, "The Daily Breeze", written by a Dwight
>Silverman of the "Houston Chronicle". He reports on a study recently
>done by Paul Williams @ Compaq Computer.

From what I have heard about this study, it sounds either like a total fabrication, or just done in a totally incompetent way, as it was, well, comparing apples and oranges. Instead of comparing Invircible to the integrity checkers out there, like Integrity Master, it was only compared to scanners....something I see as *highly* misleading.

As a *scanner*, Invircible is bad...very bad...down at the bottom, together with MSAV. However, Invircible is not primarily a scanner ... and it should IMHO be compared to other similar programs, not to a totally different set of programs.

>amazing 100 percent virus detection rate, with a 0 percent
>false-detection rate, including when tested against brand new
>viruses".
Any decent integrity checker should get a 100% detection rate, and 0% false positives.....provided that you install them first, before your machine gets infected.

- -frisk

------------------------------

Date: Sat, 04 Mar 95 10:58:04 -0500
From: crwilson@PPP.USIT.NET (Bob Wilson)
Subject: PMBS - info? fix? (PC)

F-Prot's Gatekeeper tells me that PMBS is loading itself into memory in my machine. None of the other scanning or cleaning software I've found yet can identify or remove it. Does anyone have any information about this virus, or know what software to use against it?

------------------------------

Date: Sat, 04 Mar 95 13:29:18 -0500
From: EVANSJ@cia.com (Jeff Evans)
Subject: Re: MONKEY-2 help! (PC)

unclesam@bu.edu (Sam Chi) wrote:

> I just used the IBM Anti-Virus Stand alone program and found the
>MONKEY-2 virus in my system memory. What do I do? All my disks could be
>infected. How does one get rid of this thing and does it spread onto the hard
>disk? Does it get worse when programs are executed? I need to know more and
>fix this! Any help would be greatly appreciated!

There's a program available from ftp at oak.oakland.edu/SimTel/msdos/virus called killmnk3.zip - This program quickly removes the Monkey from memory and can de-monkey a diskette in about 2-5 seconds (on a 486DX2/66). I found out I had it last night, and was surprised how quickly it fixed my computer.

Jeff.

------------------------------

Date: Sat, 04 Mar 95 16:04:34 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Virus - Espejo (PC)

SpamBoy@ix.netcom.com (Ben Camp) Re: Virus - Espejo (PC) 1 Mar 1995 18:15:12 - Wrote

> Mr Israel Kay <100112.2001@compuserve.com> writes:
>
>>Ian Guthrie writes:
>>
>>> F-PROT 2.16 has detected a new virus called ESPEJO that we believe is
>>> from Mexico. F-PROT is not able to disinfect this virus. Any assistance
>>> is appreciated.
>>
>>Espejo is fairly new. It is a boot sector virus and part of it is
>>encrypted.
>>It has a message in Spanish:
>>
>>"Esto te pasa por programas que a nosotros nos cuesta tanto trabajo
>>hacer. Que te quede de Experiencia, Mexico,1994"

> I can try and partially translate it (remember, I'm a 7th grade, 2nd
> year student, so don't expect this great translation)..
> Esto te pasa por programas que a nosotros nos cuesta tanto trabajo
> hacer. = (Maybe) This will pass to you through programs we make for
> cost.
> Que te quede de experiencia Mexico, 1994.
> To you that <> of experience?
> That's about as good as I can do, someone else?

Ok, Your translation is good. Don't let You Down :-)

The message says:

"This happens to You because programs that We take a lot of effort to do"
"Remain it of experience Mexico, 1994"

And may be more clear if the person(?) who did this virus wrote (Obviously missing some words in Spanish):

"This happens to You because You (pirate or copy) programs that We take a lot of effort to do"
"Remain it of experience Mexico, 1994"

Regards (saludos)

Ruben Arias

- -----------------------------------------------------------------------------
Ruben Mario Arias          |> /| | |> |\ | | |_ |
E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus
Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Sat, 04 Mar 95 16:04:37 -0500
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Virus on Night Owl 15 CD (PC)

steven.hoke@expressl.com (Steven Hoke) Virus on Night Owl 15 CD (PC) 1 Mar 1995 18:15:25 - Wrote:

>
> There is a virus (Taipan.666) on the new Night Owl 15 CD-ROM in the file
> DMNCHEAT.ZIP. The virus can't be detected in the infected file with
> F-Prot 2.16, SCAN 215, or TBAV 6.32. I'm assuming its because its been
> packed with LZE, ICE, DIET, or some other compression program and the
> header modified so the scanner doesn't detect that the file is packed.
> Once the file is run (the executable is NETCHEAT.EXE), and the virus
> goes resident, it infects other EXE files which can then be detected
> normally by F-Prot (as Taipan.666), SCAN 215 or TBAV 6.32 (both detect
> it as the Doom II Death Virus).
>

You will find more information about TAIPAN.666 in "The Scanner" (text review about viruses and security). Bill Lambdin describes and analyzes this virus in depth. The issue of the Scanner is Snr9501 and you could get more information about FTP sites to download it at HRRWood@aol.com (Mr Howard Wood)

Hope this helps, regards

Ruben Arias

- -----------------------------------------------------------------------------
Ruben Mario Arias          |> /| | |> |\ | | |_ |
E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus
Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Sat, 04 Mar 95 17:57:44 -0500
From: changshe@OCF.Berkeley.EDU (Shenglin Chang)
Subject: Help to kill "Parity Boot" Virus!!! (PC)

Does someone know how to get rid of the "Parity Boot" virus from a PC? I tried to detect it with Norton Fix-it 3.0, but it doesn't work. If someone has any idea about how to deal with it, please post on this news group, or email to the following addresses:

changshe@ocf.berkeley.edu
schang1@ced.berkeley.edu

I appreciate your help!!!

- --Shenglin

------------------------------

Date: Sat, 04 Mar 95 23:02:58 -0500
From: ccdunk@delphi.com
Subject: Re: Looking for info on Vsign/Cansu virus (PC)

I use f-prot 2.16 set up for automatic disinfection - booting from a clean write protected floppy - and have no prob getting rid of the Cansu virus.

Good luck
Chuck Dunkirk

------------------------------

Date: Sat, 04 Mar 95 23:06:05 -0500
From: cmorriso@plains.NoDak.edu (Emerald)
Subject: Question about F-Prot (PC)

I work at the local college, and we have been having several problems with the Stoned Monkey and Ripper viruses.
We have been using F-Prot to clean these viruses off the machines. It worked fine until we got the new version 2.16 of F-Prot. Now we cannot seem to clean the Stoned Monkey off the machines. It works if we are cleaning a disk, but when we reboot with a clean boot disk and try to clean it off, it will not do that. It still works with Ripper (if caught soon enough). I would appreciate any help with this.

Crystal Morrison
Dickinson State University, North Dakota
cmorriso@plains.nodak.edu

------------------------------

Date: Sun, 05 Mar 95 09:52:02 -0500
From: Shane4@ix.netcom.com (Shane Turner)
Subject: Virus scan software for Windows NT 3.5 Server (PC)

Does anyone know the name of the virus scan software for Windows NT 3.5 Server that's made by a company in Israel? I've been told that it's real good software but don't know the name of the software or the name of the company. How can you obtain this software?

------------------------------

Date: Sun, 05 Mar 95 14:25:18 -0500
From: aberb@dgs.dgsys.com (B.Aber)
Subject: Triple Virus Protection all in one. (PC)

I have a method of virus scanning that works fantastically, from 3 different virus scanners. For those of you who are BBS sysops, or used to be, you may have heard of the program THDPRO. This program incorporates McAfee, Thunderbyte, and F-Prot, and CRC checking, all in one package (of course you need to get the 3 virus scanners and THDPRO). This program can be used with BBS systems, as well as stand-alone, and I find it to work very effectively in the fight against viruses, since it does different methods of scanning, both standard and heuristic. It can be configured to virtually everyone's needs. I strongly recommend this program.
B.Aber
aberb@dgs.dgsys.com

------------------------------

Date: Sun, 05 Mar 95 16:52:02 -0500
From: JMJOST@ix.netcom.com (Jeff Jost)
Subject: Re: What virus is this? (PC)

wang@cwmsd.mse.cwru.edu (L. Wang) writes:
> Wednesday, 2/22/95 (is it special?), one of our Pentium machines got a strange
> symptom. After we upgraded our Stealth 64 DRAM video driver, we had some
> display problems. Then Windows crashed, and we tried to reboot. Now we get
> a 'missing operating system' message. We suspect this is the result of some
> kind of virus. So we ran several virus detection programs, including F-Prot
> 2.16 and IVscan stuff; none of them can access the C drive (in IVscan we did get
> a 'low memory' message), and the memory is clean. We also tried fdisk /mbr, and still
> cannot get access to C. We thought we were out of luck. Suddenly, in the
> middle of running IVmenu, we were doing some boot sector restoration something (
> I can't recall the exact procedure; in three hours, we tried so many things)
> and rebooted it. We can get into C:\. Then we ran a virus scan for C. No
> trace of virus was found!! It suddenly just disappeared.
>
> Now, the question is, is this a virus symptom? We don't think it's a system
> configuration problem, and not the video driver upgrading problem, either,
> 'cause we've done that before.

Had a similar problem around the same time, but do not think it was a virus. I received boot sector problems and even received virus messages during scans with multiple products. Bottom line, return the video card back to VGA only and reinstall all software. Run it this way for a few days and then gradually raise your resolution. See if you still have problems. The ATI mach 64 does have some problems, and maybe just on Pentiums (not sure), with video displays and memory issues. ALSO, make sure you are only using ONE memory-resident virus program; otherwise you will receive false messages during a second product's memory scan.

Good luck!

Jeff (finally stable after many days!)
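The exchange above turns on what the first sector of the disk looks like: "Missing operating system" is what the stock DOS master boot code reports when the active partition's boot sector fails its 55 AA signature check, FDISK /MBR rewrites only the code area of sector 0 and leaves the partition table alone, and several later requests in this digest (the WXYC and Stoned/RM posts, the F-Prot "non-bootable" rewrite) come down to not having a clean copy of that sector to compare against. The Python below is an added example, not code from the digest or from any product named in it: it parses a 512-byte MBR, runs the structural checks a scanner applies before trusting the sector, fingerprints the boot-code area separately from the partition table, and compares a freshly read sector with a clean copy saved earlier. The sector images, the function names and the "suspect" verdict rule are this example's own assumptions.

```python
"""Added example (not from the digest): MBR parsing, sanity checks, and
comparison against a saved clean copy.  Every sector image used here is
constructed for illustration and contains no virus code."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446   # four 16-byte partition entries start here
SIG_OFF = 510          # bytes 510-511 must be 55 AA


def read_first_sector(path):
    """Read sector 0 from a raw device or a disk image file."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_table(sector):
    """Return the four partition entries as dicts; an all-zero entry is unused."""
    entries = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"index": i, "used": any(raw), "status": status,
                        "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector):
    """Structural sanity checks; returns a list of problems (empty = plausible)."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if struct.unpack_from("<H", sector, SIG_OFF)[0] != 0xAA55:
        problems.append("missing 55 AA boot signature")
    table = parse_partition_table(sector)
    for e in table:
        if e["used"] and e["status"] not in (0x00, 0x80):
            problems.append("partition %d: invalid status byte 0x%02X"
                            % (e["index"], e["status"]))
    active = [e for e in table if e["used"] and e["active"]]
    if len(active) != 1:
        problems.append("expected one active partition, found %d" % len(active))
    return problems


def code_fingerprint(sector):
    """SHA-256 of the code area only.  MBR infectors of the Stoned family replace
    this region and carry the partition table over unchanged, so hashing the two
    regions separately tells an infection apart from a partition edit."""
    return hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest()


def compare_with_baseline(sector, baseline):
    """Compare a freshly read MBR with a clean copy saved earlier."""
    code_changed = sector[:PART_TABLE_OFF] != baseline[:PART_TABLE_OFF]
    table_changed = sector[PART_TABLE_OFF:SIG_OFF] != baseline[PART_TABLE_OFF:SIG_OFF]
    if not code_changed and not table_changed:
        return "clean", "identical to baseline"
    if code_changed and not table_changed:
        return "suspect", "boot code replaced, partition table intact"
    return "changed", "partition table differs from baseline"


def restore_code_area(sector, baseline):
    """Rebuild the MBR from the saved clean code plus the *current* partition
    table, which is what a clean-copy restore (or FDISK /MBR, with stock code) does."""
    return baseline[:PART_TABLE_OFF] + sector[PART_TABLE_OFF:]


# --- constructed sample sectors (illustration only, assumed content) ---------

def constructed_clean_mbr():
    code = (b"\xFA\x33\xC0\x8E\xD0" + b"constructed clean boot code").ljust(PART_TABLE_OFF, b"\x00")
    # one active FAT16 partition (type 0x06) starting at LBA 63
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x7F", 63, 1000000)
    return code + entry + bytes(48) + b"\x55\xAA"


def constructed_infected_mbr():
    """Stand-in for an infected MBR: new code area, original partition table."""
    clean = constructed_clean_mbr()
    stand_in = b"constructed stand-in for infector code".ljust(PART_TABLE_OFF, b"\x90")
    return stand_in + clean[PART_TABLE_OFF:]


if __name__ == "__main__":
    baseline = constructed_clean_mbr()
    current = constructed_infected_mbr()
    print("checks :", check_mbr(current) or "ok")
    print("verdict:", compare_with_baseline(current, baseline))
    print("restored == baseline:", restore_code_area(current, baseline) == baseline)
```

The "suspect" rule is deliberately narrow: a rewritten code area with an intact partition table is the Stoned-family pattern, while a changed table is more likely an FDISK session or a wiped sector, and the two deserve different responses. Take the baseline from a clean boot and keep it on write-protected media, because a resident stealth boot virus hands the original sector back to anything that reads sector 0 while it is in memory, so a baseline saved on an infected machine is the virus's view of the disk.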
------------------------------

Date: Sun, 05 Mar 95 17:03:01 -0500
From: JMJOST@ix.netcom.com (Jeff Jost)
Subject: Re: Fighting The Stealth C (PC)

samwick@sol.cms.uncwil.edu (Mark Samwick) writes:
> How does the Stealth-C differ from the Stealth-B? I have a client
> that got the Stealth-B virus on his system. McAfee Viruscan
> properly identifies it, but can't seem to get rid of it (version
> 2.14). Any ideas?

Make sure you are booting from a CLEAN boot disk. The Stealth C virus is a full stealth virus and will infect all boot sectors on floppies as well. McAfee 2.16 will clean this virus, but not if you already have this virus in your memory. Do not load any infected TSRs either!

Jeff

------------------------------

Date: Sun, 05 Mar 95 17:58:43 -0500
From: duckman@pcnet.com (God)
Subject: newest mcafee scanner (PC)

Could someone tell me what the name of the newest McAfee virus scanner is? I've been here for a while, and have yet to scan my hard drive, so I thought I should. Thanks.

God. (duckman@pcnet1.pcnet.com)

------------------------------

Date: Sun, 05 Mar 95 19:01:32 -0500
From: ccastcr@prism.gatech.edu (Chris Rake)
Subject: Need help removing WXYC boot partition virus (PC)

I need some help removing the WXYC boot virus from a friend's computer. I have a policy of scanning people's computers before I copy files off of them, and this time my policy paid off. McAfee Scan detected this, but could not remove it. My friend does not have a copy of the boot partition, so we can't just copy over the current one. What can we do to try to remove this pain! (Or what can we do to avoid activation?)

-chris

--
Chris Rake - Office of Information Technology - Unix User Assistant
--
WWW Home Page [UNDER CONSTANT CONSTRUCTION] == New Site! ==
http://photobooks.atdc.gatech.edu/~zync/factory.html

------------------------------

Date: Sun, 05 Mar 95 21:25:02 -0500
From: jmnho@stcon2.kaist.ac.kr (Ji -Myong Nho)
Subject: HELP !!! Michelangelo Virus !!!!!

Dear Every Master.
I think that my system is infected with the Michelangelo virus. It became unbootable!! Please.. Help me.. First, I want to know the symptoms of it. And if my machine can be treated, let me know the treatment for it. Thanks A Lot !!!..

[Moderator's note: VIRUS-L/comp.virus received numerous similar messages to this one. I've only accepted this one (the first one that arrived), and deleted the rest. Please post follow-ups to the entire group, for the benefit of those that didn't get their submissions in the digest.]

------------------------------

Date: Sun, 05 Mar 95 22:04:26 -0500
From: looksoft@globalx.net (R. Livingstone)
Subject: Need Info about viruses? Get VSUM... (PC)

A lot of recent messages posted on this newsgroup are inquiries to know more about a particular virus. May I suggest getting VSUM from Patricia M. Hoffman (BBS: 1-408-244-0814). She works hard to bring out more information about the viruses out there and deserves attention. The engine has the form of a compressed database with a lot of information about a lot of viruses. It has a built-in search engine that allows you to browse the whole database for a specific string. An ARCHIE search may indicate an FTP site where you can get it. There is also the VID database that you can get.

------------------------------

Date: Mon, 06 Mar 95 03:44:34 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: Vinchuca 1.0 (PC)

_____________________________________________________________________
Preliminary analysis of Vinchuca 1.0 by W.H. (Bill) Lambdin

Name         ] Vinchuca 1.0
Size         ] 925 bytes
Infects      ] .COM files. Does not infect COMMAND.COM
Scan String  ] 17 7C A6 B9 24 30 7F AE 8E 2D 57 A8 2B 17 20
In the wild  ] Yes. Argentina
Armored      ] no
Detected     ] I_M 2.42, and Find Virus.
Encrypted    ] yes
Interrupts   ] 9h 21h 24h
Load Address ] bottom of memory.
Polymorphic  ] no
Resident     ] yes
Size in RAM  ] 1246 bytes
Stealthed    ] no
Text         ] Saludos para SaTaNiC BRaiN Patorzu. Virus ViNCuCa V1.0
             ] 1993.
             ] Creado por MURDOCK Buenos Aires, Argentina. Su PC
             ] tiene Mal de chagas.
             ] [Translation of the text string: "Greetings to SaTaNiC BRaiN Patorzu.
             ] ViNCuCa Virus V1.0 1993. Created by MURDOCK, Buenos Aires,
             ] Argentina. Your PC has Chagas disease."]
Type         ] Resident infector of .COM files. A prepending virus.

You will only need to use this temporary scan string until the scanner authors can update their software to detect this virus. This is only a "Preliminary" analysis, and may be incomplete.

Bill Lambdin
_____________________________________________________________________

Bill  9CCD47F3C765CA33  bill.lambdin@woodybbs.com
      C77D698B260CF808  <- PGP fingerprint codes

---
* CMPQwk 1.4 #1255 * Hacked version of Q-Modem. 4.51

------------------------------

Date: Mon, 06 Mar 95 04:51:41 -0500
From: delarosa@ix.netcom.com (Luis de la Rosa)
Subject: Ripper Virus : Please Help (PC)

I have the Ripper virus on a few of my floppies, and when I use the latest McAfee for DOS (2.1.4), it says that it is in the boot sector and that it cannot be removed. Is there any good way to remove this virus? I've had to copy all the files onto another disk and then reformat the whole floppy. Sometimes Norton Disk Doctor would remove it by "fixing" the boot sector so that it would be a bootable disk.

Thanks!

--
======================
Luis de la Rosa
delarosa@ix.netcom.com
======================

------------------------------

Date: Mon, 06 Mar 95 07:41:49 -0500
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: F-PROT, VIRSTOP & Windows? (PC)

Christof Tebbe (rz94-004@wsrz1.wiso.uni-erlangen.de) wrote:
> I use Virstop with the following parameters:
> /boot /copy /warm /freeze

The specified parameters may have an undesired side effect: Suppose that you are editing a new document, and decide to save it on a floppy. The diskette you use happens to be infected with a boot sector virus. VIRSTOP finds it, and hangs the machine because the /freeze parameter is in effect. Probably that's not what you wanted. If you're using a Windows app, that will mean that any other open files (perhaps being used by background tasks) may be at risk as well.
When I tried this with v2.16, I had to reboot within Windows or cold boot to exit. What would be nice is a switch that will freeze only on attempted execution, not merely on access. Either that, or have an on-the-fly disinfect floppy boot record option (with user permission, of course).

> By trial and error, I found out that Virstop will stop the computer due to
> these parameters if I access a virus and also, the mouse cursor changed
> its colour to a brownish red! So, if I have a red mouse cursor, I know
> what has happened...

Including the /freeze parameter?!? I'd think the fact that the machine hung would be a lot more noticeable than the color of the cursor!

-BPB

------------------------------

Date: Mon, 06 Mar 95 11:36:15 -0500
From: zepeda@am06.wg2.waii.com (Dan Zepeda)
Subject: Re: help I have a virus.. I think. (PC)

It's probably just some filename that a dumb program created with a space in the filename. Forget all that alt-255 crap, just put a question mark (?) in every place that there is a space in the filename.

c:\> ren jen?on.b jenon.b

then use type to look at it (or some file viewer that you like) to make sure that you don't delete something that you want.

SpamBoy@ix.netcom.com (Ben Camp) writes:
|> dalevy@sam.neosoft.com (David A Levy) writes:
|> > Help me, I have found a strange file on my hard drive that I cannot get
|> > rid of.
|> > It is listed as:
|> >
|> > JEN ON B 15227 1/26/95 a
|> >
|> > When I try and change the attribute I get a message that the file cannot be
|> > accessed. When I try and delete the file I get a message that the file does not
|> > exist. I have used the latest version of wscan to no avail; it does not
|> > find a virus present. Am I missing something easy?
|> > Please help me, I don't know what to do next.
|> Well, 1st of all, I would use list, or Xtree Gold, or Windows to delete
|> it, if you haven't tried this..
|> (Assuming you're using DOS)
|> C:\(Directory the file is in)>DEL JEN(Hold down the alt key, and with
|> the numlock light on, on the number pad (Not above the letters, to the
|> right of them) hit the number sequence 255 (So.. Alt-2-5-5 w/o the
|> slashes) and then let go of alt key)ON(see last parentheses)B
|> And if that doesn't work, do the XTREE gold, Windows file manager or
|> LISt to delete it..
|>
|>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Paul Zepeda
Western Geophysical Applied Technology Software - Testing
e-mail:
Voice: (713) 964-6338   Fax: (713) 964-6372   V-mail: (713) 963-2750 x6338

------------------------------

Date: Mon, 06 Mar 95 13:14:06 -0500
From: alan@earth.execpc.com (Alan Olson)
Subject: Whisper Virus Info (PC)

Could someone please email me any info on the Whisper and/or Whisper-Tai Pan virus (virii?). I recently encountered both on my system. I noticed that McAfee can clean the Whisper-Tai Pan virus but not the Whisper virus. Any and all info would be appreciated.

Alan Olson

------------------------------

Date: Mon, 06 Mar 95 15:41:49 -0500
From: lj@skua.ims.alaska.edu (L.J. Miller)
Subject: SToned, RM (PC)

I recently ran F-Prot (2.16) on my machine and it said I had a possible variant of Stoned in my MBR, but it didn't remove it in the disinfect mode. I also ran McAfee 2.16 and it said I had the RM virus in my MBR but that it couldn't remove it. How can I get rid of the virus?

lj@skua.ims.alaska.edu

------------------------------

Date: Mon, 06 Mar 95 15:58:28 -0500
From: Gerrit.Toxopeus@dnc.idn.nl (Gerrit Toxopeus)
Subject: Re: Junkie (Junkey, Junky) Virus (PC)

to: cdc@ccinet.ab.ca (Rob Chevalier)

RC> Does anyone have information on the Junkey (a.k.a. Junkie, Junky)
RC> virus? A confused source has informed me that this virus does one of
RC> the following:
RC> a. Simulates a full hard disk, allowing no writes.
RC> b. Simulates full RAM. I would assume this produces an Out of Memory
RC> Error.
RC> F-Prot didn't detect it, but I haven't tried McAfee.
RC> If you have info on this, or have heard of something similar, please
RC> reply.

I'm using F-Prot 2.16, and in the virus list the Junkie virus is mentioned. So maybe you must try this version if you haven't.

Greetings from The Netherlands!

"Scotty, beam me up another Blue Wave message."

------------------------------

Date: Mon, 06 Mar 95 15:58:33 -0500
From: Gerrit.Toxopeus@dnc.idn.nl (Gerrit Toxopeus)
Subject: Re: Wanted: anti-virus recommendation (PC)

to: k12babjj@vaxa.hofstra.edu

k1> Help me, I am a newcomer to the computer world. Can anybody
k1> recommend a good virus scan?

Sure, we are using Thunderbyte and F-Prot at school and at home. They are very fast and easy to use. You can find them almost everywhere on the Web in the directory /pub/msdos/virus, so updates are no problem. I hope I've informed you enough.

Greetings from the Netherlands!!

"Scotty, beam me up another Blue Wave message."

------------------------------

Date: Mon, 06 Mar 95 15:59:36 -0500
From: Gerrit.Toxopeus@dnc.idn.nl (Gerrit Toxopeus)
Subject: Re: NYB Virus (PC)

to: Alec

Al> I just found the NYB virus on my system at work. Here's the
Al> problem, NAV won't eliminate it, and I don't want to do something
Al> drastic -- like wiping my boot sector -- without first knowing if it
Al> is destructive or not. Anybody know anything about this virus????
Al> Any help would be appreciated.

Well, here it comes, what the virus does:

Name: B1
Alias: NYB
Type: Resident Boot MBR

The B1 virus is a reasonably simple diskette and Master Boot Record infector. It is only able to infect a hard disk when you try to boot the machine from an infected diskette. At this time B1 infects the Main Boot Record, and after that it will go resident to high DOS memory during every boot-up from the hard disk. Once B1 gets resident in memory, it will infect practically all non-write-protected diskettes used in the machine.
B1 has no particular payload and no text strings. It does not activate in any way, but it will corrupt some diskettes seriously.

[Analysis: Mikko Hypponen, Data Fellows Ltd's F-PROT Professional Support]

Thanks to F-Prot 2.16 !!!!!

Greetings from the Netherlands

What do you mean? You actually read this Tagline?!?

------------------------------

Date: Mon, 06 Mar 95 18:05:02 -0500
From: bhamidi@hermes.acs.ryerson.ca (Babak Hamidi - CNED/W95)
Subject: Diaria virus (PC)

I got a problem. I downloaded from an ftp site and ran a program, and my computer displayed "eat my diaria..." and now every time my computer turns on it freezes after the memory check.. help!

BH

------------------------------

Date: Mon, 06 Mar 95 18:23:19 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.16D is out (PC)

I have just released a new version - 2.16D. This is a minor update, as 2.17 will be released later this month - right after I get back from my vacation..... I will be away until the 23rd, so delays in replying to my e-mail will be longer than usual.

-frisk

Fridrik Skulason      Frisk Software International      phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is           fax: +354-5-617274

------------------------------

Date: Mon, 06 Mar 95 19:14:29 -0500
From: Dennis Thomas
Subject: Re: Stoned.Empire.Monkey.B vs. F-Prot\Gatekeeper (PC)

Greg Margulies writes:
> It said to use F-Prot to remove the virus. So, I scanned the diskette
> with F-Prot and it said that it was infected and asked me if I wanted
> to disinfect it. I said yes and then F-Prot says that it can't find
> the original boot sector. It then asked me if I wanted to rewrite the
> diskette with something or other "nonreadable code" or something like that.
> I assume that this removes EVERYTHING from the diskette.

F-Prot can't find the original boot sector because Stoned hides it and does a bit of dancing around to make the machine boot properly. Listen to F-Prot!
It will overwrite the bogus MBR with a good, but non-*bootable*, version. It does not do anything to the other portions of the disk.

------------------------------

Date: Mon, 06 Mar 95 22:46:25 -0500
From: gmarguli@huey.csun.edu (Greg Margulies)
Subject: Anti-CMOS.B plague?!? (PC)

---------------------------------------------------------------------------
The following is being forwarded for Brett Moseley. All replies should be mailed to that address, not to the address in the reply-to line.
--------------------------------------------------------------------------

Based on my personal experiences, I have noticed 7 different attempts from independent sources to infect me with Anti-CMOS.B, as well as the numerous postings in this newsgroup on this particular virus, and I have started to wonder if there is a plague of this virus. I haven't run into any other virii other than this one, and this is the first year that I have run into any virii. So is there a plague of this virus?

-Brett-

PS - My thanks to F-Prot as well as ThunderByte's memory-resident scanners for successfully protecting me against this virus... numerous times

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 23]
*****************************************
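Bill Lambdin's preliminary Vinchuca 1.0 analysis earlier in this digest publishes a temporary scan string for scanner authors and users to work with until the products are updated. The Python below is an added example of how such a scan string is put to use, not code from the digest or from any scanner named in it: it parses a hex scan string (with an assumed "??" wildcard syntax the post does not use), searches .COM images for it, and walks a directory tree the way a DOS scanner walked a drive. Only the 15-byte scan string comes from the post; the function names and the sample .COM images are this example's own, and the samples contain no virus code.

```python
"""Added example (not from the digest): a scan-string scanner of the kind the
DOS products of 1995 used.  The 15-byte scan string is the one published in
the Vinchuca 1.0 preliminary analysis; the '??' wildcard syntax and the sample
.COM images are assumptions made for this example."""
import os

# Temporary scan string from the preliminary analysis (hex bytes, space separated).
VINCHUCA_SCAN_STRING = "17 7C A6 B9 24 30 7F AE 8E 2D 57 A8 2B 17 20"


def parse_scan_string(text):
    """'17 7C ?? 2B' -> [0x17, 0x7C, None, 0x2B]; '??' is a wildcard byte
    (assumed syntax; useful when a variant changes a byte or two)."""
    return [None if tok in ("??", "?") else int(tok, 16) for tok in text.split()]


def matches_at(data, pattern, pos):
    """True if pattern matches data at pos; None entries match any byte."""
    return all(b is None or data[pos + j] == b for j, b in enumerate(pattern))


def find_pattern(data, pattern):
    """Offset of the first match of pattern in data, or -1.  bytes.find on the
    first literal byte locates candidates; the wildcard compare runs only there."""
    n = len(pattern)
    anchor = next((j for j, b in enumerate(pattern) if b is not None), None)
    if anchor is None:                     # all wildcards: anything long enough matches
        return 0 if len(data) >= n else -1
    i = data.find(pattern[anchor], anchor)
    while i != -1:
        start = i - anchor
        if start + n <= len(data) and matches_at(data, pattern, start):
            return start
        i = data.find(pattern[anchor], i + 1)
    return -1


SIGNATURES = {
    "Vinchuca 1.0 (preliminary scan string, W.H. Lambdin)":
        parse_scan_string(VINCHUCA_SCAN_STRING),
}


def scan_buffer(data, signatures=SIGNATURES):
    """Return [(name, offset)] for every signature present in data."""
    hits = []
    for name, pattern in signatures.items():
        off = find_pattern(data, pattern)
        if off != -1:
            hits.append((name, off))
    return hits


def scan_tree(root, extensions=(".com",)):
    """Scan every file with a matching extension below root (the analysis says
    Vinchuca infects only .COM files).  Returns {path: [(name, offset)]}."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits = scan_buffer(fh.read())
                if hits:
                    flagged[path] = hits
    return flagged


# --- constructed sample .COM images (illustration only) ---------------------

def constructed_clean_com():
    """Smallest useful DOS program: mov ah,4Ch / int 21h (terminate)."""
    return b"\xB4\x4C\xCD\x21"


def constructed_flagged_com():
    """The bare scan-string bytes placed in front of the clean program, i.e. in
    the position a prepending infector's body would occupy.  A scanner test
    file, not the virus."""
    return bytes(parse_scan_string(VINCHUCA_SCAN_STRING)) + constructed_clean_com()


if __name__ == "__main__":
    print("clean  :", scan_buffer(constructed_clean_com()))
    print("flagged:", scan_buffer(constructed_flagged_com()))
```

A 15-byte string matched anywhere in a file can hit innocent code, so the products of the day also keyed on where the string lay relative to the program's entry point; and the post's own caveat stands, since a string from a preliminary analysis may miss variants. Run a scan like this from a clean boot: the analysis lists Vinchuca as not stealthed, but a resident stealth virus hands back a clean image of every infected file it is asked to read, and a file scanner has no way to tell.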