VIRUS-L Digest   Thursday, 30 Mar 1995    Volume 8 : Issue 29

Today's Topics:

Re: Virus Bulletin
Memory, CMOS, printers etc. (was FAQ and questions)
Re: FAQ and questions
Re: Virus suite?
Biological vs. Computer viruses
whisper.tai_pan (PC)
help [Whis] virus (PC)
How to remove Filler virus? (PC)
Crusades Virus (New PC Virus?) (PC)
Michelangelo bug? (PC)
NOINT virus (PC)
Re: HELP!! DH2 Virus (PC)
Re: strange ASCII statements in Windows-formatted floppy disks BS (PC)
Has anyone seen this one? (PC)
Re: twelve tricks virus (PC)
unknown virus? (PC)
How to get rid of NOV(EMBER) 17 virus (PC)
Can a virus kill a hard drive? (PC)
a virus? new? old? (PC)
Re: Need help selecting virus softwares (PC)
Is this caused by a known virus (PC)
Non DOS boot sector infected with JUNKIE, now what? (PC)
Re: Virus Suite? (PC)
Unknown Virus?? (PC)
Norton Anti-virus updates? (PC)
Tequila Virus (PC)
ANTIEXE Virus (PC)
New QRRY virus (PC)
Re: Need Info about viruses? Get VSUM... (PC)
Help finding WELCOM_B (PC)
How many antivirus products does it take? (PC)
Stealth B viruses in Atlanta and D.C. (PC)
A Known Virus? (PC)
Re: need help to get rid of form virus (PC)
What is ThunderBYTE? (PC)
RE: Zingo (Virus-l:8|25) (PC)
Is This File a Virus? or a legitimate file? (PC)
Non DOS boot sector infected with JUNKIE, now what? (PC)
URKEL virus? (PC)
AntiExe Virus (PC)
Re: HELP !!! Michelangelo Virus !!!!! (PC)
qwxyc01.zip - Removes WXYC virus from HDs and diskettes (PC)
Norman Data Defense Systems Introduces Free Service

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 21 Mar 95 12:17:21 -0500
From: "Frans Veldman"
Subject: Re: Virus Bulletin

EMD Enterprises writes:

> Subject: Re: Virus Bulletin
>
> Velman@esass.iaf.nl (Frans Veldman) writes:
>
> FV> 3) Virus Bulletin may be affiliated with one specific product, but:
> FV> Several other people from other anti-virus companies are affiliated with
> FV> Virus Bulletin. One example is Fridrik Skulason who is also technical
> FV> editor of Virus Bulletin. Note that Frisk and Sophos are competitors. If
> FV> ever the impression arises that Virus Bulletin is the marketing arm of
> FV> Sophos, all these 'foreign' people working for Virus Bulletin will
> FV> disappear. They are still there... They guarantee the independence to
> FV> some degree. Of course I also have had quite some discussions with Virus
>
> I think the most significant word here is "to some degree".

No, it is not. Of course there are always minor, and most of the time unintended, biases. You can't get rid of that in any way.

> FV> To my experience and opinion, this is not true. We also have an anti-virus
> FV> hardware product, just like you. We still sell it, but if we explain the
> FV> pro's and con's of both our products (software based and hardware based)
> FV> people prefer the software based solution.
>
> Every one knows that you make a bigger margin by selling a
> software product.
If you have both a hardware and a software solution
> for the same problem, from business point of view there would be very
> little incentive to promote the hardware product over the software
> product even if it is superior.

Margin isn't always the main reason why you promote a certain product. If that were true, we didn't sell the hardware card at all.

> FV> Consider for instance a company with 5000 PC's. Do you really think they
> FV> like the idea to open up 5000 PC's to insert a card, then to reconfigure
> FV> all the memory managers (because an Eprom is added), to find a hardware
> FV> conflict in 2% of the cases (still being 100 PC's! (= 100 employees
> FV> stopping their work)), etc? And then I'm not even speaking about the
> FV> prices of a hardware product which can not be discounted as much as
> FV> software.
>
> Adding a hardware card is not as difficult as it appears at
> first. What you need are efficient utility programs which would find
> empty memory locations and reconfigure memory managers automatically.
> EMD Armor Plus comes with these types of utilities.

Forget it. I have quite some experience with automated installation of a hardware product. It can't be done. It is too detailed to explain it here, but if I mention that certain network cards simply lock up even if you try to access a certain memory location, and that IO/ports can never be tested for availability, that certain BIOSes simply assume that an extension BIOS must be a disk BIOS and that they simply refuse to boot in that case, etc. you can imagine the troubles.

> As regards cost, it is important to keep in mind that there is no
> need to install frequent updates with a hardware protection. A product
> like EMD Armor Plus offers an "Install and Forget" solution. The user

Wrong too. True, we didn't have to update the card to cope with new viruses. Instead, we had to update the card to become compatible with DOS 5+, DR-DOS, Windows, upper memory, etc.
> saves time and money subsequently by not having to update the virus
> signatures periodically. In the long run this type of product costs
> less than scanner based anti-virus products.

I wish you success.

- --
Thunderbye, Frans Veldman

<*** PGP public key available on request ***>
Frans Veldman           Phone (ESaSS) + 31 - 8894 22282
veldman@esass.iaf.nl    Fax (ESaSS) + 31 - 8894 50899
2:282/222.0@fidonet     Fax (VirLab) + 31 - 59 182 714

------------------------------

Date: Tue, 21 Mar 95 14:56:57 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: Memory, CMOS, printers etc. (was FAQ and questions)

The question basically had to do with different types of memory, and the ability of viral programs to "store" or use peripherals as vectors.

DRAM is dynamic random access memory. This is the normal type of memory in your computer. It is cheaper to produce than static RAM. (DRAMs require one transistor and one capacitor per bit of memory, SRAMs require eighteen transistors per bit. DRAMs require extra circuitry in the computer, but the extra circuitry costs less than the savings in using DRAM.) None of this has anything to do with viral programs one way or another.

Video RAM is architecturally the same as normal computer memory (at least, that is the way it works in MS-DOS machines), and you can even run programs or keep "resident" programs in it. Some viral programs *do* install themselves in video RAM, somehow believing that this will help them evade detection. It doesn't. In addition, if the video system switches into a mode which requires more memory, the virus (and any other programs in that space) will be overwritten. Of course, as soon as you turn the computer off, everything in video RAM disappears.

CMOS memory is backed up with a battery, and doesn't disappear when you turn off the computer. (At least, not until the battery goes dead.) However, a) CMOS is very small and b) the architecture for CMOS memory means that you can't run *any* programs from it.
Some viral programs corrupt the information in the CMOS, but they can't "hide" there.

Some printers, and some other peripherals such as modems, have non-volatile memory in order to keep configuration information. However, this information is data, on the usual run of peripherals. The printer port on most MS-DOS computers can get "feedback" information from the printer, but this would not be executed as a program. Postscript is actually a programming language, so Postscript printers could be programmed, but they could infect MS-DOS machines in any way. Other types of computer systems *do* have printers which are a) intelligent and b) allowed to submit programming back to the workstation. The Apple Laserwriter works on this model. At one time a Laserwriter virus was reported, but this has never been confirmed by a qualified researcher.

Voltages may be maintained in certain parts of the computer system, such as the monitor, after the power has been turned off. However, nothing in the main memory of the computer is reliably retained for more than a fraction of a second after the power is shut off.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Thu, 23 Mar 95 01:09:22 -0500
From: Mesmer@ix.netcom.com (John Harrington)
Subject: Re: FAQ and questions

ydawe@calvin.stemnet.nf.ca (Yvonne M. Dawe) writes:
>
>I have recently read a FAQ from this group but it was dated 18 Nov. '92.
>Is there a later version?
>
>[Moderator's note: It's in the works.]
>
>Also, not mentioned in that document, is any reference to the possibility
>of a virus hiding within memory regions on peripheral devices such as
>video DRAM/VRAM or printer buffers.
>
>Can a virus access/hide in a printer buffer as long as it is powered on, and
>can it then infect other PC's connected to the same printer in a sharing
>arrangement? A computer maintenance instructor that I know claims that
>viruses can remain active in a system even after "power off" due to either
>the battery back-up for CMOS or even power remaining in capacitors in the
>power supply etc.
>
>Any hard facts on these possible virus activities would be appreciated.

A virus is a _program_. Most people I know do not run programs from the CMOS, which is a collection of data, nor from the printer buffer, which is more of the same. So even if a file you send to the print buffer _is_ a virus, in there it is only data.

The instructor should know better than to pass along drivel to an already overly frightened public!

- --
Mesmer John Harrington, C.Ht.
1@2732 WWIVNet Brandon, FL

------------------------------

Date: Thu, 23 Mar 95 01:21:40 -0500
From: Mesmer@ix.netcom.com (John Harrington)
Subject: Re: Virus suite?

ruben@ralp.satlink.net (Ruben Arias) writes:
>
>Teach them to VERIFY each "diskette" they have.
>By the way, two or the three viruses You name before are boot sector viruses.
>Sure that Your students won't boot their machines with a diskette in "A"
>drive. Won't they ???
>
>Teach them HOW to PREVENT.

That is just what I AM teaching. I even teach them how to prevent the computer from EVER booting from A:, which does an excellent job of keeping BSVs out. But for a couple of hours we have been disabling the protection long enough to learn to scan and clean. At that time I usually infect _one_ computer and let them see the havoc that Possessed can unleash on a hard disk drive. Some poor slob then gets to FDISK, Format and reinstall all of the software.

At someone else's recommendation I am now evaluating VirLab for possible adoption, although it has a weakness here and there.

Regards, John

- --
Mesmer John Harrington, C.Ht.
1@2732 WWIVNet Brandon, FL

------------------------------

Date: Thu, 23 Mar 95 08:02:49 -0500
From: fc@all.net (Dr. Frederick B. Cohen)
Subject: Biological vs. Computer viruses

You might try reading "It's Alive" (Wiley and Sons - 1994) It talks quite a bit about the biological analogy and interactions between computer and biological viruses. You may also be interested in Adleman's work as published in Science a few months ago - he implemented a biological computer (i.e. a virus computer).

FC

------------------------------

Date: Mon, 20 Mar 95 20:23:06 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: whisper.tai_pan (PC)

Mr. D. Twigg writes:

> mcafee ver2.16e detected whisper.tai_pan virus and then clean it up
> i rescanned and the second time i found the whisper (note no tai-pan)
> but alas mcafee could not clean it

Did you perform a cold boot first, before attempting disinfection? If not do so.

> i've never heard of it (which isn't surprising)
> any clues anyone?

Tai-Pan a.k.a. Whisper was discovered in Sweden around the middle of 1994. It is a virus that goes memory resident and only infects .EXE files. File sizes grow by 438 bytes. It will only infect .EXE files that are larger than 64k. It will not do anything more than replicate once it is in memory.

F-Prot, McAfee Scan and Dr. Solomon's AVTK will identify and remove it.

Regards, Israel

*********************************************************************
* I S R A E L K A Y *
* PC ANTI-VIRUS & DATA SECURITY CONSULTANCY *
* LONDON OFFICE *
* 137 Wargrave Avenue, London, N15 6TX. U.K. *
* Tel: +44 181 800 7278 Fax: +44 181 802 9880 *
* CIS: 100112,2001 Internet: 100112.2001@compuserve.com CIX: ik *
*****************-----------------------------------*****************
* LONDON NEW YORK *
*************************************

------------------------------

Date: Mon, 20 Mar 95 20:23:04 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: help [Whis] virus (PC)

Yaron Yanay writes:

> i have the [Whis] virus on 3 .exe files
> i use scan117 and scn-216e.zip files
> and i got msgs that it can't remove the virus
> is there any software that remove the virus ?

Note. "Whis" is the McAfee ID for the Whisper / Tai-Pan virus.

Tai-Pan also known as Whisper was discovered in Sweden around the middle of 1994. It is a virus that goes memory resident and only infects .EXE files. File sizes grow by 438 bytes. It will only infect .EXE files that are larger than 64k. It will not do anything more than replicate once it is in memory.

F-Prot, and Dr. Solomon's AVTK accurately identify and remove it.

Regards, Israel

*********************************************************************
* I S R A E L K A Y *
* PC ANTI-VIRUS & DATA SECURITY CONSULTANCY *
* LONDON OFFICE *
* 137 Wargrave Avenue, London, N15 6TX. U.K. *
* Tel: +44 181 800 7278 Fax: +44 181 802 9880 *
* CIS: 100112,2001 Internet: 100112.2001@compuserve.com CIX: ik *
*****************-----------------------------------*****************
* LONDON NEW YORK *
*************************************

------------------------------

Date: Mon, 20 Mar 95 20:23:07 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: How to remove Filler virus? (PC)

Humberto Jose Bortolossi writes:

> I would like to know if there is an effective way
> to remove the filler virus (without formatting the
> harddisk!).

Filler originates from Hungary. It is a boot sector virus and goes memory resident. It stores its viral code including the original boot sector on track 40. Otherwise, it is not known to cause any harm.
There are 2 known variants, Filler.A and Filler.B.

Dr. Solomon's AVTK and F-Prot identify and remove it.

Regards, Israel

*********************************************************************
* I S R A E L K A Y *
* PC ANTI-VIRUS & DATA SECURITY CONSULTANCY *
* LONDON OFFICE *
* 137 Wargrave Avenue, London, N15 6TX. U.K. *
* Tel: +44 181 800 7278 Fax: +44 181 802 9880 *
* CIS: 100112,2001 Internet: 100112.2001@compuserve.com CIX: ik *
*****************-----------------------------------*****************
* LONDON NEW YORK *
*************************************

------------------------------

Date: Mon, 20 Mar 95 20:23:09 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Crusades Virus (New PC Virus?) (PC)

GERRY NEUFELD writes:

> Possible new PC Virus
>
> Suggested name:
> Crusades Virus

Sorry, but I and a number of my colleagues in the AV industry found this virus over a year ago. Its name is Crusades. It was discovered in a disguised shareware program, SPORT21C.ZIP - a diagnostics program. Infection occurred upon execution of its INSTALL routine. It is related to the Butterfly virus. It differs in as much as it infects EXE files as well. (Original virus only infected .COM files.)

> Action:
> This virus infects an .exe file. When an infected file is executed,
> the virus infects the next .exe file in the directory listing and
> then locks the computer by executing a bogus instruction. It is not
> memory resident nor does it infect boot blocks or short .exe files.

Correct !

> Detection:
> When an .exe file is infected, its length increases by 302 bytes
> but the file creation date is unchanged. The words "Hurray the
> Crusades" occur 176 bytes before the end of the file. The Microsoft
> virus detection program does not find this virus.

I recommend you use a more up-to-date AV program than your current version of MSAV. There are 2 existing variants of Crusades. One infects .COM files and the other .EXE files.
> Elimination:
> An infected file may not be restored because the first three bytes
> of the code are overwritten with a jump instruction that jumps to
> the start of the virus code near the end of the file.

F-Prot and Dr. Solomon's AVTK accurately identify and remove the virus. Any corrupted files can be restored from a backup.

> Spread:
> The only way this virus can infect your system is if you import an
> infected .exe file and execute it.
> Background information:
>
> My two sons, Donald & Daniel and their friend, Aaron Burch, have just
> found that Aaron's computer has been infected with a virus. They have
> isolated the virus and disassembled the code. It infects an .exe file.
> When an infected file is executed, the virus checks the directory and
> infects the next .exe file it finds and then locks up the computer. In
> the middle of the code are the words "Hurray The Crusades" (176 bytes
> before the end of an infected file). The virus increases the file size
> by 302 bytes. It will not infect an .exe file unless the original file
> is at least 128 bytes long. The file creation date is reset to the
> original so the file does not appear to be modified by date.

Well analysed :-)

Regards, Israel

*********************************************************************
* I S R A E L K A Y *
* PC ANTI-VIRUS & DATA SECURITY CONSULTANCY *
* LONDON OFFICE *
* 137 Wargrave Avenue, London, N15 6TX. U.K. *
* Tel: +44 181 800 7278 Fax: +44 181 802 9880 *
* CIS: 100112,2001 Internet: 100112.2001@compuserve.com CIX: ik *
*****************-----------------------------------*****************
* LONDON NEW YORK *
*************************************

------------------------------

Date: Mon, 20 Mar 95 20:23:11 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Michelangelo bug? (PC)

Ethel Kendrick writes:

> With yesterday (March 6) being the activation date for Michelangelo, our
> computer store got about 6 calls (two today) of people hit with
> strange problems.
In at least 4 cases we confirmed Michelangelo.

Not surprising :-(

> Now, the weird part, for some reason, it did not behave as expected
> (according to Fprot's listings) and seemed to only erase the entire
> first cylinder. We recovered easily by recreating the partition and
> all the data was still intact.
> Now, Fprot came up with this as a variant of Michelangelo, could this
> be some mutant that only kills cyl. 0? Or just a bug in Mich.?

The original Michelangelo virus is fairly difficult to recover from once it has shed its payload. However, there are 11 known variants. They are Michelangelo.A thru K. Sounds like you have discovered one of them.

> Also, anyone else notice that TBAV will not find Stealth_Boot.C if it
> is active in memory (no surprise), or even find it by name, but Fprot
> not only makes a correct ID, but can also find it even when it's active?

Keep up the good work Frisk :)

> I think TBAV slipped there...

No comment!

Regards, Israel

*********************************************************************
* I S R A E L K A Y *
* PC ANTI-VIRUS & DATA SECURITY CONSULTANCY *
* LONDON OFFICE *
* 137 Wargrave Avenue, London, N15 6TX. U.K. *
* Tel: +44 181 800 7278 Fax: +44 181 802 9880 *
* CIS: 100112,2001 Internet: 100112.2001@compuserve.com CIX: ik *
*****************-----------------------------------*****************
* LONDON NEW YORK *
*************************************

------------------------------

Date: Mon, 20 Mar 95 21:31:33 -0500
From: targtace@ix.netcom.com (Ann Wachtler)
Subject: NOINT virus (PC)

I know that I have the NOINT virus on one of my floppy disks. McAfee antivirus confirmed this. But, for some reason, neither Norton Antivirus nor MWAV will detect it. Also, is there some way to clean the disk, short of formatting it???

------------------------------

Date: Sun, 19 Mar 95 03:14:22 +0000
From: knoxcj@elec.canterbury.ac.nz (c.j. knox)
Subject: Re: HELP!! DH2 Virus (PC)

Marlon E Menezes (mm5592@ehsn2.cen.uiuc.edu) wrote:
: I have a friend whose computer has been infected with the
: DH2 virus. Several anti-viral programs later, as well as
: a hard disk reformat have not helped.

I too have a friend with an infected computer. Virus scanner claims DH2 is present, and nearly all *.COM and *.EXE files have been infected (size has increased by 4kB). Are there any anti-virus packages specific to DH2? Would prefer not to have to use "format c: /u".

|
+->C.Knox

------------------------------

Date: Tue, 21 Mar 95 12:17:31 -0500
From: y940176@imbi.va.ttu.ee
Subject: Re: strange ASCII statements in Windows-formatted floppy disks BS (PC)

>Have you ever seen the following ASCII strains in Windows-formatted floppy
>disks BS ? :
>
>levy virhe tai ki seess.ei ole

levy virhe - means DISK ERROR (in Finnish)
tai - means OR (in Finnish)
ki seess. - got no idea what that could mean
ei ole - means NO (in Finnish and Estonian)

I know that they translate the windows to Finnish, so maybe they have just put the error messages (just in case) in Finnish on the disk too.? Guess U just have to ask someone from Finland about that

------------------------------

Date: Tue, 21 Mar 95 12:16:55 -0500
From: techie@PrimeNet.Com (Cory M. Powers)
Subject: Has anyone seen this one? (PC)

I think I have some sort of a virus running around on my systems at work. It sets the Shell= statement in the System.ini to nothing. After you set the shell back to progman.exe. Windows loads and runs fine, however the System fonts used for the icons are changed.

--Cory M Powers--
--Mesa, AZ--

------------------------------

Date: Tue, 21 Mar 95 12:17:10 -0500
From: "Frans Veldman"
Subject: Re: twelve tricks virus (PC)

Brent Burleigh writes:

> Subject: twelve tricks virus (PC)
>
> Twelve Trick Virus
>
> While compiling QuickC programs using TesSeRact library my father
> encountered many cold-boot type hangings.
Eventually, after a HD crash,
> NAV reported the Twelve Trick Virus had infected the system. Breaking
> out the object files from the .LIB file (NESS??.LIB), none of the virus
> checkers tried could locate a problem, but TBSCAN mentioned it was
> DECRYPTING an object file, TSGETPOP.OBJ.

Although an object file may contain executable code, it is technically a data file: you can't run it from the command line. It is some kind of archive that contains pieces of information for a linker.

ALL viruses infect executable files. There are very few viruses which are able to 'infect' data files. Therefore we recommend not to scan for viruses in data files by default.

What is the problem here? Simple. TbScan treats the OBJ file as if it were a COM file (this is how most of the viruses would infect such a file if they infect data files at all). Running such an OBJ file from the command line isn't the same as running the code it may contain inside. Since an OBJ file contains all sorts of headers and data files, it can not be predicted what will actually happen if you invoke such an OBJ file from the command line. In this case, the OBJ file coincidentally contained data that looks like a decryptor if you interpret it as code.

> It seemed odd that such a simple function like popping a window would need
> to be encrypted! We compiled a program that included, but did not use

Odd indeed. But, fortunately, it isn't true. TbScan may also 'decrypt' a DOC file if the text inside happens to look like a decryptor if you interpret it as if it were a program. That doesn't mean however that the text in the document is encrypted!

- --
Thunderbye, Frans Veldman

<*** PGP public key available on request ***>
Frans Veldman           Phone (ESaSS) + 31 - 8894 22282
veldman@esass.iaf.nl    Fax (ESaSS) + 31 - 8894 50899
2:282/222.0@fidonet     Fax (VirLab) + 31 - 59 182 714

------------------------------

Date: Tue, 21 Mar 95 12:21:01 -0500
From: Paul.Willems@rug.ac.be (Paul Willems)
Subject: unknown virus? (PC)

Hello,

We have a computer here with a strange problem : It slows down tremendously. The network connection is not available any more. The user has tried several virus scanners, among which recent ones (December 1994 and January 1995). Nevertheless no virus could be detected. We have used a clean boot disk and issued an FDISK followed by a format command. After that the software was put back on it from not recently used diskettes. The next day the computer was back slowing down. What did I overlook? No viruses found. Can you provide an efficient anti virus program?

Thanks.

Paul Willems

------------------------------

Date: Tue, 21 Mar 95 12:20:12 -0500
From: LABBE@stpc.wi.leidenuniv.nl (LABBE)
Subject: How to get rid of NOV(EMBER) 17 virus (PC)

Hello there,

Although most virscanners I know detect November 17, no one has been able to disinfect it successfully. How come? It seems to be your regular exe and .com virus, does not remain resident in memory and (as far as I know) has no devastating effect on files or partitions. Which Scanner can do the trick? Or is it useless anyway because the infected files are damaged beyond repair? Please respond!

Ivo
- ------------------Labbe@stpc.wi.LeidenUniv.nl--------------------------------

------------------------------

Date: Tue, 21 Mar 95 12:20:52 -0500
From: dhill@sw.stratus.com (David Hill)
Subject: Can a virus kill a hard drive? (PC)

I checked through the FAQ and tried to find the VSUM list that was referenced there, but couldn't...

A friend of mine and I were recently infected with the monkey_b virus. I was able to clean it out pretty easily, but he wasn't quite as lucky. His hard drive became unreadable while he was trying to clean the virus away. When he did 'scan c:', it gave him an error indicating that c: was no longer there.

This computer is not very old and he had also had a couple problems with his BIOS values going away, so the company that sold him the system replaced the battery about three weeks ago.
We thought this might be somehow related and brought it to them. They called him back yesterday and told him that his computer had also been infected by the natv (?) virus and that there was a very good chance that the hard drive is dead and he will have to buy a new one.

This doesn't really sound right. It sounds more like a company trying to avoid responsibility for a faulty product. Does anybody know what the natv virus does and if this is possible?

Thanks, Dave

------------------------------

Date: Tue, 21 Mar 95 13:23:53 -0500
From: solomon2@GRANDE.NM.ORG
Subject: a virus? new? old? (PC)

Hi gang. I have recently received a number of reports from friends that their C-drive is no longer recognized. Is this being caused by a virus? F-prot is of no help because it can't get into "C" to fix it. If this is a virus and the boot sectors or something else is being affected how can it be fixed. I would appreciate any help from anyone. Thanks, confused in NM.

Ken.

------------------------------

Date: Tue, 21 Mar 95 14:40:12 -0500
From: emd@access3.digex.net (EMD Enterprises)
Subject: Re: Need help selecting virus softwares (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote (March 2, 1995):

> miseurope@delphi.com (miseurope@delphi.com) writes:
>> There are many products on the market for Anti-Virus protection. One
>> product which our company market is EMD Armor PLUS, this is a product
>> that requires no update disks nor does it use any of the PC's
>> conventional memory. Plus it will detect all Known and future
>> viruses.
> The last sentence in the paragraph quoted above is provably false. I
> have looked at your product and it is not much different than any of
> the other hardware behaviour blockers on the market. In fact, it is
> rather worse than some of them. It fails to detect even some of the
> Known viruses, let alone the future ones.
Any vendor who makes such
> claims is either very unethical and intentionally misleading their
> users, or lacks some very basic knowledge about computer viruses. In
> both cases their product should be probably avoided.
> Note that by "not much different" I mean mostly the hardware behaviour
> blocker part of your product. The full package also contains scanners
> which are so bad that it is not even worth talking about.
> It is interesting to note that the more offensively the producer
> claims to provide "the best solution against viruses", the more often
> it turns out that their solution is mostly useless.
> Regards,
> Vesselin
- - --
> Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg

Vesselin,

Your comments on EMD Armor Plus virtually amount to slander. You claim to have examined our product. The fact is, prior to your visit to our booth at the recent CeBIT show in Hannover, Germany you most likely never even saw our product. Your colleagues at the University of Hamburg, Prof. Klaus Brunnstein and Sonke Freitag, confirmed this when they met me at CeBIT. Since CeBIT was held from March 8-15, and your posting in Virus-L is dated March 2, I wonder how you can so authoritatively comment on our product without ever having seen it.

The allegations you have made about our product are quite serious. Therefore, for the sake of fairness, I ask you to post to Virus-L and comp.virus newsgroups clear and specific answers to the following questions.

(a) Have you actually tested or, for that matter, even seen our product before March 2 when you made these comments? Since ours is a hardware product, we track where our units are going. According to our records, and to the best of the knowledge of our European distributors no units have been sent to you or to the Virus Test Center at the University of Hamburg. Can you indeed confirm that you have seen our product before March 2, and from what source you got the product?
(b) If you did indeed have a unit, what tests did you run on it? You claim that our product "is not much different than any of the other hardware behaviour blockers on the market. .... In fact, it is rather worse than some of them." What is the basis of these comments? Have you run tests comparing EMD Armor Plus to other products that also claim to provide run time protection? We do feel that our product provides superior protection at run time. The overwhelming response we got at CeBIT confirms our belief. If you think otherwise, would you care to disclose the results of your tests?

Incidentally, readers of Virus-L and comp.virus might be interested in knowing what happened when you visited our booth at CeBIT. You visited our booth not once, not twice, but THREE times - every time you attempted to break through the security net provided by EMD Armor Plus. You failed to get past EMD Armor Plus ON EVERY OCCASION. This in spite of the fact that you even wrote software specifically to break our system.

Vesselin, your affiliation with an independent virus test center at an academic institution means that your comments may be taken at the face value by many readers of Virus-L and comp.virus. For this reason alone it is all the more important that you can support your sweeping comments by concrete facts.

Enrico DePaolis
President
EMD Enterprises
** Developers of EMD Armor Plus, the generic solution to computer viruses**
606 Baltimore Ave, Suite 205, Towson, MD 21204, U.S.A.
Phone: (410) 583-1575 ext. 3020 Email: emd@access.digex.net
24 hour fax-back: (410) 583-1575 ext 4, select document 1015 for EMD Armor Plus

------------------------------

Date: Tue, 21 Mar 95 16:49:59 -0500
From: solomon2@GRANDE.NM.ORG
Subject: Is this caused by a known virus (PC)

I attempted to post this earlier but somehow it didn't get posted, anyway: Lots of friends of mine have encountered the same problem recently. Their hard drive is no longer recognized at boot.
Is this being caused by a virus and if so is there a fix for it? I'd appreciate any info anyone might have. Thanks.

Ken.

------------------------------

Date: Tue, 21 Mar 95 16:59:23 -0500
From: bjbru@giskard.rdt.monash.edu.au (Brian Bruinewoud)
Subject: Non DOS boot sector infected with JUNKIE, now what? (PC)

Thanx to my illustrious friends, I have acquired a junkie virus on my home pc. I cleaned it off using McAfee scan 2.1.3 Evaluation Copy and then re-checked the system using /all once and then again using /boot. Nothing found. Then I rebooted the system and it was back in memory and the *.com files called from autoexec.bat were reinfected. Note, the boot sectors, according to McAfee, were NEVER infected.

The only thing I can think of is that it has somehow infected the OS/2 BootManager that I use to choose between MS-DOS, OS/2 and Linux. If this is the case, how can I get rid of it? Also, if that's infected, have the OS/2 and Linux boot sectors also been infected and how do I find out/clean them. I just installed a new version of Linux, I'm not going to take kindly to having to do it again. Can junkie survive in a non-dos environment?

Need help, need it soon.

-Brian.
- ------------------------------------------------------------------------
bjbru@rdt.monash.edu.au 's .sig file is currently unavailable, sorry for any inconvenience.
- ------------------------------------------------------------------------

------------------------------

Date: Tue, 21 Mar 95 18:58:17 -0500
From: casas@netcom.com (Robert C. Casas Ph.D.)
Subject: Re: Virus Suite? (PC)

Mesmer@ix.netcom.com (John Harrington) writes:
>I am looking for a file or a group of files that will _emulate_ viruses.
>Some background:
> I teach a course in computers -- building, upgrading, repairing
>- -- and include viruses and scanning in the course.
I have a small
>collection of viruses that I can turn loose in the classroom and feel
>safe that they will not escape to the rest of the school; our classroom
>computers get reformatted frequently and no one in his right mind will
>copy from them.
>
>Still, I worry that one of the students will take home a copy of
>Possessed or Stoned or GenB inadvertently.
>
>Does anyone know of the file or files that I am looking for?

Yes, I believe I do. Zvi Netiv wrote an educational program called The AntiVirus Practice Lab. It simulates a variety of file and boot sector virus attack scenarios. The essential point is that the "viruses" will _not_ replicate. They remain in the files, or the boot sector, into which they are installed. The file viruses "announce" themselves when executed and then immediately return control back to the executable file they reside in. The boot sector viruses don't provide a display. However, you can identify their presence with the ResQdisk program enclosed with the package or with the AV program of your choice. The "monkey virus" scenario announces itself by denying you access to the hard drive when you boot from a system floppy. Of course, you can regain access to the drive with the enclosed ResQdisk program.

The Lab was designed to work with InVircible - the AV suite written by Zvi Netiv - but it can be used alone or with the AV program of your choice. It is available in the InVircible Vendor Forum file library on CompuServe ( GO INVIRCIBLE ); or, by ftp at: pyro.slip.ais.net/crypto/invircible/avpl102.zip.

Please read the entire online hypertext _and_ create a ResQdisk using the enclosed program before trying the boot sector virus attack scenarios.

Regards,
Robert C. Casas, Ph.D.
CPC Ltd.
_______________________________________________________________________
Robert C. Casas, Ph.D. Computer Security & Encryption
CPC Ltd.
Software Sales & Support
GO INVIRCIBLE on CompuServe
casas@netcom.com <> 73763.20@compuserve.com <> rc.casas@ix.netcom.com
PGP|KeyID:18239E91 =>[F0 4A EB 7E F0 B0 9A 45 A6 DE DD 51 FE 77 91 54]
_______________________________________________________________________

------------------------------

Date: Tue, 21 Mar 95 20:31:52 -0500
From: Matthew Avitable
Subject: Unknown Virus?? (PC)

We appear to be infected with an undetectable virus - the symptoms are:

1) If you format a diskette on the A drive, the diskette either becomes unreadable, or you are told that there is INSUFFICIENT SPACE ON THE DISKETTE TO SAVE A FILE.
2) If you try to scan the computer by booting it from a clean diskette, you receive the message 'Invalid Drive Specification' and cannot access the C drive.
3) Certain files that are known to be resident on the C DRIVE CANNOT BE SEEN USING THE FILE MANAGER IN WINDOWS BUT are present when viewed under the DOS command DIR.
4) If I scan the C drive with the normal boot (from the c drive) both F-PROT and McAfee SCAN do not pick up any suspected viruses.

I was able to eliminate some problems by booting the system normally and issuing the command FDISK /MBR and then shutting the machine down. When I rebooted the system from the A drive I was able to access the C drive. All scans were negative.

I kept a copy of a diskette which was suspected of being infected and when I restarted the computer with this disk in the A drive (this was not a system diskette) the symptoms reappeared.

It appears that we have a boot sector virus but I am unsure which one, and if it has been completely eliminated. This problem exists on a number of systems and has caused us much grief. Any suggestions?

Thanks!

MATT
SUNY Health Science Center at Brooklyn (AKA Downstate Medical Center)

------------------------------

Date: Tue, 21 Mar 95 21:03:50 -0500
From: jdopp@pipeline.com (Jason Oppenheim)
Subject: Norton Anti-virus updates?
(PC)

Anyone know how I can get the latest virus lists for NAV

------------------------------

Date: Tue, 21 Mar 95 21:45:37 -0500
From: downing@tyrell.net (Paul Downing)
Subject: Tequila Virus (PC)

Has anyone heard of this virus.. Tequila? A friend has it and we tried McAfee to rid it but to no avail. I'm not sure if he's tried Norton yet. Any help?

Paul

------------------------------

Date: Tue, 21 Mar 95 23:04:48 -0500
From: martinr@speedware.com.au (Martin Ravell)
Subject: ANTIEXE Virus (PC)

Can anybody help me with information on getting rid of the ANTIEXE virus? McAfee Scan tells me it is there but does not have a way of removing it. Clean117 doesn't seem to want to know about it.

Any help will be vastly appreciated!

Regards
Marty

------------------------------

Date: Wed, 22 Mar 95 09:45:02 -0500
From: gtate@ix.netcom.com (Gregg Tate)
Subject: New QRRY virus (PC)

There seems to be a new QRRY virus out there that not even the most recent (March) versions of F-prot or McAfee can deal with. Does anyone have the cure? I would greatly appreciate any help.

Looking forward to hearing from folks,
Gregg Tate
gtate@netcom.com

------------------------------

Date: Wed, 22 Mar 95 10:28:46 -0500
From: v942427@si.hhs.nl (Rietschoten)
Subject: Re: Need Info about viruses? Get VSUM... (PC)

You can get vsum through http://www.acs.oakland.edu
There's a version of January 95, I believe.

> "Microsoft gives you the Windows, OS/2 gives you the whole house!"
> The newest microsoft-program is called "MS-SUX"

------------------------------

Date: Wed, 22 Mar 95 11:05:58 -0500
From: "Joseph E. Karolchik"
Subject: Help finding WELCOM_B (PC)

Anyone know of a virus checker/corrector that fixes WELCOM_B? McAfee doesn't seem to find it, and we're told that we have it somewhere.

Thanks in advance!
Joe Karolchik
Language Dynamics, HRB Systems
Linthicum, MD

------------------------------

Date: Wed, 22 Mar 95 12:40:47 -0500
From: njb@csehost.knoware.nl (Niels Bjergstrom)
Subject: How many antivirus products does it take? (PC)

Ken Kriesel wrote: "After all, if there are 4000 viruses and a given product is 95% effective, that means there are 200 !! known gaps in coverage which is more than I am comfortable with by a long shot."

Although your math is not quite correct, this nevertheless is one good reason why *scanning* for vira is not the method to use as your first line of defence against vira, and in any case not as your *only* line of defence. As you correctly point out piling scanners on top of each other quickly becomes cost ineffective, suffering from the law of diminishing returns very quickly.

We recommend (file vira):

First-line defence - generic behaviour blocker of type that is not a nuisance, i.e. a type which *knows* which programs on your computer are supposed to behave "suspiciously" and do not unnecessarily stop their execution. A system of this type will prevent the virus from infecting anything on the computer. It is an efficient perimeter defence.

Second-line defence: A checksummer with adequate stealth avoidance built into it to be effective. This facility quickly detects if the perimeter has been penetrated.

Third-line defence: A scanner to be used in case of alarms from one of the other systems. This clarifies *what* is threatening or has penetrated the perimeter of the computer system.

Fourth-line defence: Repair utilities to use in an emergency. The ones currently available do not work sufficiently accurately to be part of a preferred solution.

Furthermore we recommend using some kind of boot sector/MBR protection device, either hardware or software.

In any case *scanning* ranges fairly low on the list. Scanners are easy to write, easy to use, easy to test and easy to use to create a warm and fuzzy feeling - but they are not safe.
After television and MS Windows and television, scanning for vira is probably the greatest time-waster invented by mankind...

Rgds,
Niels Bjergstrom
Computer Security Engineers, Ltd.

------------------------------

Date: Wed, 22 Mar 95 13:22:13 -0500
From: "Wendt, Richard"
Subject: Stealth B viruses in Atlanta and D.C. (PC)

I am with the Agency for Toxic Substances and Disease Registry in Atlanta, Ga. We have encountered the Stealth B virus at this site and another site in the Atlanta area. We have also found the virus at a contractor site in Washington D.C. Can anyone tell me what this virus does? I know that it is a Boot Sector Virus, but I'm not sure of much more than that. Also McAfee doesn't seem to detect the Stealth B virus. I know that Norton will, but will Microsoft DOS 6.0 Scan pick it up and clean it?

Any advice you could give me would be appreciated.

Rick Wendt
RDW2@ATSDHS2.EM.CDC.GOV

------------------------------

Date: Wed, 22 Mar 95 15:04:39 -0500
From: solomon2@GRANDE.NM.ORG (Ken Solomon)
Subject: A Known Virus? (PC)

A bunch of my friends have been stricken by what appears to be a virus. I'm curious if anyone out there has seen this before and if so if it is a virus and if there is a cure?

Symptoms: On boot their computers no longer recognize the hard drive. (On DOS based machines.)

They would appreciate any help.

Curious in NM.
Thanks, Ken.

------------------------------

Date: Wed, 22 Mar 95 16:47:31 -0500
From: ajm@mcs.com (Alan Miller)
Subject: Re: need help to get rid of form virus (PC)

Tapio Kyllnen wrote:
>kiss@csd4.csd.uwm.edu (Toua Xiong) says:
>>Hi, can someone help me with the form virus?
>>My computer has infected by the form virus and I think infect some of
>>my floppy disk too.
>>I use the dos 6.2 antivirus to destroy it. But it kept reappear.
>>Can someone help? Please reply to me.. thank you..
> First start your computer with clean bootdisk.
> Second run F-Prot 2.16 ( if you don't have it, you are in trouble )
> After operation is finished, return to DOS.(MsDos 6.2x ;-) )
> Prompt next -> FDISK/mbr, then turn off your computer, and have a
> couple of beer :-) , that's it. I had same problem and this worked.

Actually, that's not quite right. I suspect you're cleaning it off your hard disk properly (the above should do it, and the FDISK/MBR shouldn't be needed), but it's still on some of your floppy disks. What you need to do is this:

1) boot from a clean floppy (as above)
2) run f-prot to make sure your HD is clean.
3) copy f-prot to your HD, remove the floppy and reboot
4) run f-prot, and tell it to scan floppy disks
5) put in a floppy, press enter, wait until f-prot prompts you, repeat
6) when you've checked all your floppy disks, exit f-prot
7) install virstop, the antivirus TSR that comes with f-prot. If you're short on memory to load it, you can do this:
   a) in your config.sys, create a 64K RAM drive
   b) use the command line option to virstop that tells it to store its virus definitions on disk, and tell it to use the RAM disk.
   The combination of these two reduces the upper memory requirements of virstop to under 10K, rather than 30+. the RAM disk goes into extended memory, which you probably have plenty of.
8) always remember to take floppy disks out of the drive before you power on your system or reboot.

ajm
- --
Alan Miller \\ ajm@mcs.com
AJM's WWW page

------------------------------

Date: Wed, 22 Mar 95 16:57:59 -0500
From: lee@hp.rmc.ca (Haynes Lee)
Subject: What is ThunderBYTE? (PC)

In Canada, a recent virus scanner called ThunderBYTE detected a virus on some master disks of a federal budget that were just about to be sent to over 1,000 financial institutions. Previous scans by other virus software detected nothing. That particular virus would have screwed up the FAT tables of a disk.

Where can one obtain ThunderBYTE?
- --
Haynes Lee lee@hp.rmc.ca lee-h@rmc.ca
Ruyel Meelitery Cullege-a ooff Cuneda
Will encheferize for food. Bork Bork Bork!
Disclaimer: I am not a lawyer but I do not plan to be one.

------------------------------

Date: 22 Mar 95 22:47:40
From: david.m.kennedy@CEORD-PM.mail.usace.army.mil
Subject: RE: Zingo (Virus-l:8|25) (PC)

Some of the CompuServe forums were trying to track down the source of the "Zingo" message for a couple weeks when Aryeh Goretsky from McAfee finally advised that it is embedded in Novell Netware. I don't recall if it was a bug, or some script left behind by one of Novell's developers, or if it was version-specific, but it is _not_ virus-related.

Aryeh seems to have been busy moving around in McAfee and I'm not sure he's consistently able to monitor either this group or the CIS fora. If you need more information, I suggest you email him at: Aryeh@McAfee.COM

Regards,
Dave Kennedy [US Army MP] aka 73157.2722@compuserve.com dmkennedy@aol.com
Volunteer Section Leader Crime/Law/Policy NCSAFORUM on CIS
The opinions expressed do not represent official Army policy

------------------------------

Date: Wed, 22 Mar 95 20:27:21 -0500
From: sofsky@midget.towson.edu (Frank Sofsky)
Subject: Is This File a Virus? or a legitimate file? (PC)

I just ran f-prot newest shareware version 2.16 on my windows directory; It reported a suspicious file "CINSX462.EXE" It did not indicate that it had an actual virus, but it said that it was a useless file that looked suspicious. at the C:\windows prompt I ran the file and what it did was to print screen, but it would not stop printing the screen, I finally had to cold boot the computer to stop printing the screen; I do not want to erase the file in case it may be a good file, yet if it is a virus I want to get rid of it. Can anyone help me? If this is a legitimate file does anyone know what it is used for?
I appreciate all replies, thank you

Frank Sofsky
sofsky@midget.towson.edu

------------------------------

Date: Wed, 22 Mar 95 21:07:11 -0500
From: bjbru@giskard.rdt.monash.edu.au (Brian Bruinewoud)
Subject: Non DOS boot sector infected with JUNKIE, now what? (PC)

Thanx to my illustrious friends, I have acquired a junkie virus on my home pc. I cleaned it off using McAfee scan 2.1.3 Evaluation Copy and then re-checked the system using /all once and then again using /boot. Nothing found. Then I rebooted the system and it was back in memory and the *.com files called from autoexec.bat were reinfected. Note, the boot sectors, according to McAfee, were NEVER infected.

The only thing I can think of is that it has somehow infected the OS/2 BootManager that I use to choose between MS-DOS, OS/2 and Linux. If this is the case, how can I get rid of it? Also, if that's infected, have the OS/2 and Linux boot sectors also been infected and how do I find out/clean them. I just installed a new version of Linux, I'm not going to take kindly to having to do it again. Can junkie survive in a non-dos environment?

Need help, need it soon.

-Brian.
- ------------------------------------------------------------------------
bjbru@rdt.monash.edu.au 's .sig file is currently unavailable, sorry for any inconvenience.
- ------------------------------------------------------------------------

------------------------------

Date: Wed, 22 Mar 95 21:21:47 -0500
From: Matthew Avitable
Subject: URKEL virus? (PC)

I have just come up against what appears to be another virus at our school. Three different researchers from different departments have had the text string 'URKEL' show up on their screen when using different applications. In all cases this only happened between the hours of 12:00 AM and 2:00 AM. In all the cases, the computer locked up and had to be rebooted.

I know this sounds funny, but this is not a joke.
I have checked the virus-l mailings for the past two years and have found no reference to this problem. Any suggestions?

Thanks!

Matt
Scientific Computing Center
State U. of New York Health Science Center at Brooklyn (AKA Downstate Medical Center)

------------------------------

Date: Wed, 22 Mar 95 22:55:47 -0500
From: moshe_aharon@contcirc.com
Subject: AntiExe Virus (PC)

Hi

I'd like to know if there is a document that describe all the existing viruses and what they do. If someone knows what the ANTIEXE virus does.

Thanks
Moshe Aharon
Moshe_Aharon@contcirc.com

------------------------------

Date: Thu, 23 Mar 95 07:24:23 -0500
From: swidlake@rl.ac.uk (S Widlake)
Subject: Re: HELP !!! Michelangelo Virus !!!!! (PC)

XWWC29A@prodigy.com (MR HENRI J DELGER) writes:
>Michelangelo is a floppy diskette Boot Sector and hard disk Partition/MBR
>infector, and has spread widely since being discovered in April, 1991.
>It is potentially destructive, since variants will destroy data on the hard
>disk, and on floppies, on March 6 as well as other dates.
. [Munch] ...
>The virus begins overwriting at the start of the disk (the location of
>the Partition/MBR, Boot, File Allocation Tables, and Directory). After the
>user realizes that something is wrong, turns power off, and re-boots from a
>floppy, trying to access the hard disk results only in "Invalid Drive
>Specification."
>At that point, exactly how much data was lost depends on how long it took
>to turn the power off. If the power is turned off quickly enough, the
>virus can be prevented from completing its job. Files located beyond the
>point at which the overwriting stopped (especially D: E: drives, if they
>existed) would still remain. A data recovery service could recover such
>data, but their services aren't cheap.

Why not ask a PC "hobbyist" (I was going to say "amateur" but I can't spell that :) to have a look at it - "they" can do almost as good a job as a pro. sooner and much cheaper.
In the case of having unaffected extended volumes D: E: etc... on the drive, simply wiping out the MBR (because it contains junk) and using something like Norton's to scan the drive for lost volumes may get all BUT C: back again.

If only the very "front" (FAT's and Root) of the drive have been affected then restoring the MBR [ You do have a copy? Got an anti-virus "recovery" disk? That'll do nicely. ] and then using the unformat program ON C: may get a lot back... if you've been using mirror.

>Those prudent enough to keep their backups current can simply run the FDISK
>and FORMAT C: /S commands, and then RESTORE the backup. However, if the
>backup is old, or if there isn't one at all, it is still possible to
>retrieve those files which remain intact on the hard disk, using the
>following method:

NO - Do not use...

> 1> Use FDISK to re-partition the hard disk EXACTLY as
> it was originally, including the extended partition
> and logical drives, if any.

You'd better be VERY sure about this before you try it. I've always found FDISK to be destructive - only "slightly" but definitely destructive - it has this tendency to null (00) out sector 0 on each head of the first few cylinders of each partition created (making way for boot sectors etc.) so if you try to use it to recreate a lost partition table FDISK will cause further damage to recoverable data making it much less recoverable ;-(

> 2> Then run FORMAT C: but when DOS asks "All data will
> be lost! Continue Y/N?" you =MUST= answer "N."

If you're not going to actually _run_ format why bother running format? You've lost me... this makes no sense - unless of course format writes out a boot sector before actually formatting, which I doubt... Anyone?

> 3> Then run the DIR command.
> 4> If a listing of files appears, backup immediately.

If so you've been very lucky... or have you? How much of your FAT's are left intact... Does "CHKDSK C:" [Do not use the "/f" switch] check out OK?
> 5> The hard disk can then be made bootable with SYS C:
> 6> After that, the virus must also be removed from
> diskettes to prevent possible future re-infection.

Yes. You must check and, if necessary clean, all of your floppy diskettes - - ALL of them... unless you're happy to go through this again, next year.

Let's be careful out there.

S.
- - --
sig II Still Under Construction ...

------------------------------

Date: Mon, 20 Mar 95 19:55:15 -0500
From: mallen@condor.dgsca.unam.mx (Guillermo Mallen)
Subject: qwxyc01.zip - Removes WXYC virus from HDs and diskettes (PC)

I have uploaded to SimTel, the Coast to Coast Software Repository (tm), (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

ftp://oak.oakland.edu/SimTel/msdos/virus/qwxyc01.zip

SimTel/msdos/virus/
qwxyc01.zip Removes WXYC virus from HDs and diskettes

This program removes the WXYC (PC) virus from hard disks and diskettes that common antiviral programs fail to remove.

Special requirements: None

Uploaded by the author.

Guillermo Mallen
mallen@servidor.unam.mx

------------------------------

Date: Tue, 21 Mar 95 12:20:27 -0500
From: "BARRY M. BROOKS"
Subject: Norman Data Defense Systems Introduces Free Service

21-MAR-1995 08:04

NORMAN AUTOMATIC VIRUS ANALYSIS SYSTEM UNVEILED

NORMAN DATA DEFENSE SYSTEMS INTRODUCES FREE SERVICE TO ANALYZE FILES SUSPECTED TO BE INFECTED WITH COMPUTER VIRUSES

FOSE '95, WASHINGTON, March 21 -- Norman Data Defense Systems, Inc. has introduced the Norman Automatic Virus Analysis System, a free-of-charge public service which analyzes, identifies and reports on files suspected to be infected with a computer virus, as a means of educating computer users about the growing threat of computer viruses.

"Norman Data Defense Systems has a responsibility, as a leading data security provider, to educate the public about the alarmingly-growing threat of computer viruses," said David Stang, Ph.D., President of Norman Data Defense Systems.
"With more than 8,000 known viruses in existence -- a number likely to double over the next eight months -- virus awareness and education are essential first steps in data defense." The Norman Automatic Virus Analysis System can be accessed at Norman's Firewall at its North American headquarters in Fairfax, Virginia through anonymous ftp (ftp.norman.com), or through Norman's BBS at 703-573-8990, or through conventional mail. Users can forward suspected files to the service even if no anti-virus scanner has recognized the virus, or if the virus has encrypted the file. In response, if there is a virus present, the Norman Automatic Virus Analysis System will analyze the file and generate a Norman Virus Analysis Report -- a detailed virus report, forwarded to the user upon request at no cost, identifying the virus, its origin and nature, and possible methods of removal. Norman Data Defense Systems is a multi-national corporation which focuses on just one task: defending corporate and government computerized information. With offices in Europe, North America, Asia, and Australia, Norman is well-positioned to cope with the growing global threats to computerized information. For more details, contact Norman Data Defense Systems at Tel: 703-573-8802, Fax: 703-573-3919, BBS: 703-573-8990, Internet: norman@digex.com, or CompuServe: 100317,353 or GO NORMAN. -0- 3/21/95 /CONTACT: Eileen Pacheco, 617-467-1576 or Internet: 491-1694@mcimail.com ------------------------------ End of VIRUS-L Digest [Volume 8 Issue 29] *****************************************