VIRUS-L Digest   Thursday, 13 Apr 1995   Volume 8 : Issue 33

Today's Topics:

RE: Norman Data Defense Systems Introduces Free Service
virus requests
Clean for DEI? (PC)
genb virus, how to kill it? (PC)
Has anyone got info on SATURN? (PC)
RE: NOINT virus (PC)
RE: Tequila Virus (PC)
NOINT virus (PC)
Re: HELP!! DH2 Virus (PC)
Re: Norton Anti-virus updates? (PC)
I believe in InVircible now.... (PC)
Windows & McAfee 2.17 (PC)
Stealth Boot Virus (PC)
Re: Stealth B viruses in Atlanta and D.C. (PC)
LiXi (PC)
Flash ROM virus questions (PC?)
RE: Infected by New Floppy? (PC)
Re: HELP !!! Michelangelo Virus !!!!! (PC)
Re: Can a virus kill a hard drive? (PC)
Unknown Virus?? (PC)
Non DOS boot sector infected with JUNKIE, now what? (PC)
a virus? new? old? (PC)
Re: What is ThunderBYTE? (PC)
NT Anti-Virus Software (PC)
Cleaning DA'BOYS virus. (PC)
"_1099" virus (PC)
NAV (PC)
NO-INT (PC)
NYB virus (PC)
"SW Error" - is this a virus? (PC)
Re: help [Whis] virus (PC)
Re: How to remove Filler virus? (PC)
Re: NOINT virus (PC)
Re: How to get rid of NOV(EMBER) 17 virus (PC)
Re: Norton Anti-virus updates? (PC)
Re: Tequila Virus (PC)
Disinfectant for PC? (PC)
Re: Memory, CMOS, printers etc. (was FAQ and questions) (PC)
Re: What is ThunderBYTE? (PC)
Re: ATTN: McAfee doesn't find ANTIEXE (PC)
Viruses with no payload (PC)
Non detectable viruses (PC)
2KB Virus (PC)
Re: .DLL files are disappearing. Have I got a virus? (PC)
Re: Virus that screws up WFWG 32-bit disk access? (PC)
VirusScan (PC)
F-prot (actually virstop) incompatibilities? (PC)
Help, I can't get rid of B1 virus! (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.)
Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 31 Mar 95 03:50:54 -0500
From: gcluley@sands.co.uk
Subject: RE: Norman Data Defense Systems Introduces Free Service

"BARRY M. BROOKS" wrote:

> 21-MAR-1995 08:04 NORMAN AUTOMATIC VIRUS ANALYSIS SYSTEM UNVEILED
>
> NORMAN DATA DEFENSE SYSTEMS INTRODUCES FREE SERVICE
> TO ANALYZE FILES SUSPECTED TO BE INFECTED WITH COMPUTER VIRUSES

For the last seven years, S&S International - developers of Dr Solomon's Anti-Virus Toolkit - has offered the same free service; anyone who suspects that there is a virus in a file or on a disk can send it to us for analysis. This is part of our normal technical support service. We would expect that it would be part of the technical support service of any anti-virus vendor. We would be quite surprised if any anti-virus vendor lacked such a service; obviously if they did lack such a service, they would have to introduce it.

Sometimes, we find that a suspected virus situation is just a hardware or software problem, and if we are given enough information about the situation, we can sometimes solve these non-virus problems too (although we do not primarily set out to do so). One good example was when a user was running CHKDSK from Dos 1.1 on a Dos 5 hard disk. That copy of Chkdsk was unable to determine that it was running on a more advanced version of Dos, and was unable to understand the environment that it was running in.
Consequently, whenever it was run, it reduced files to 2Kb in size. The user thought that this was a symptom very similar to a virus, and sent us some sample 2kb files. There was no virus in those files, and it was only when we spotted a COMMAND.COM that was less than 5kb in size in a subdirectory that we got a clue to the problem. Such a small COMMAND.COM means Dos 1.1, and the copy of Chkdsk was similarly small, and the culprit was thus located.

I am pleased to see Norman Data Defense introduce this service - if any other anti-virus vendors do not currently offer such a service I would urge them to introduce it also.

Regards
Graham

---
Graham Cluley [gcluley@sands.co.uk]  Senior Technology Consultant, UK  Tel: +44 (0)1296 318700
Dr Solomon's Anti-Virus Toolkit  UK Support: support@sands.co.uk
S&S International PLC, UK  USA Tel: +1 617 273 7400
CIS Tech Support: GO DRSOLOMON  USA Support: 72714.2252@compuserve.com

------------------------------

Date: Sat, 01 Apr 95 22:21:32 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: virus requests

Bill Lambdin writes:

> You may or may not believe the number of requests that I have received
> from users wanting viruses.

I believe it. It happens to me every day :-(

> I only send specimens to A-V developers and A-V Researchers that I know
> and trust. I will not give a virus to anyone that I do not know and
> trust unless an A-V developer or A-V researcher that I trust will vouch
> for them.

Good practice. Never give viruses out to someone you do not know. There are enough viruses in the public domain already.

> If other A-V researchers or A-V developers know and trust you. Ask them
> for a specimen because you will not get a specimen from me.

There are a few packages that illustrate the virus problem graphically, and in a safer environment. People wishing to learn more about viral activity can start with Virlab and AVP. They are both shareware packages.
The latter is a good AV program which also has some virus demonstrations in it.

Regards,
Israel

READERS OF VIRUS-L AND COMP.VIRUS ARE WELCOME TO CONTACT ME DIRECTLY.
ISRAEL KAY - PC ANTI-VIRUS & DATA SECURITY CONSULTANCY - LONDON OFFICE
137 Wargrave Avenue, London, N15 6TX. U.K.
Tel: +44 (0)181 800 7278  Fax: +44 (0)181 802 9880
CIS: 100112,2001  Internet: 100112.2001@compuserve.com  CIX: ik
LONDON - NEW YORK

------------------------------

Date: Fri, 31 Mar 95 01:36:01 -0500
From: jch9@po.cwru.edu (Jackson Harvey)
Subject: Clean for DEI? (PC)

My computer was infected with DEI. I formatted and restored everything, but I was wondering if there was an AV product that cleaned this virus. (Just in case someone else gets it).

Thanks,
Jackson Harvey

Jackson Harvey | (216)754-1727 | Secretary - Class of 1995 | EEAP-CWRU
"Almost everything in life is easier to get into than out of." - Agnes' Law

------------------------------

Date: Fri, 31 Mar 95 03:15:04 -0500
From: moss@xs4all.nl (moss)
Subject: genb virus, how to kill it? (PC)

Our virus scanner detected a virus called GENB on a diskette and on our hard disks. Although no damage to data has yet been done, the virus seems hard to kill. Does anybody know how to get rid of it? Some of us are getting nervous.

Thanks,
Rob van der Meer

------------------------------

Date: Fri, 31 Mar 95 03:23:36 -0500
From: lorna@merlion.singnet.com.sg (Lorna Leong)
Subject: Has anyone got info on SATURN? (PC)

Hi,

I've just heard that SATURN will be turning up on the 5th of April, or something like that. Can someone please provide me with more information on SATURN?
Or let me know where I can find information? Thank you very much.

Lorna

------------------------------

Date: Fri, 31 Mar 95 03:50:50 -0500
From: gcluley@sands.co.uk
Subject: RE: NOINT virus (PC)

Ann Wachtler writes:

> I know that I have the NOINT virus on one of my floppy disks.
> McAfee antivirus confirmed this. But, for some reason,
> neither Norton Antivirus nor MWAV will detect it.
> Also, is there some way to clean the disk, short of
> formatting it???

You need to replace the boot sector code on the floppy disk with clean code. A utility such as CleanBoot, from Dr Solomon's Anti-Virus Toolkit, can do this. You may also like to check other disks to see if the virus has spread.

Regards
Graham

---
Graham Cluley [gcluley@sands.co.uk]  Senior Technology Consultant, UK  Tel: +44 (0)1296 318700
Dr Solomon's Anti-Virus Toolkit  UK Support: support@sands.co.uk
S&S International PLC, UK  USA Tel: +1 617 273 7400
CIS Tech Support: GO DRSOLOMON  USA Support: 72714.2252@compuserve.com

------------------------------

Date: Fri, 31 Mar 95 03:50:46 -0500
From: gcluley@sands.co.uk
Subject: RE: Tequila Virus (PC)

Paul Downing (downing@tyrell.net) wrote:

> Has anyone heard of this virus.. Tequila?

Yes - I think just about everyone has heard of Tequila. :-)

> A friend has it and we tried McAfee to rid it but to no avail. I'm not
> sure if he's tried Norton yet. Any help?

When an infected EXE file is run, the Tequila virus installs itself on the partition sector and on five sectors at the end of the partition (Tequila patches the partition data to reduce the length of the partition by six sectors). When the PC is next booted, the virus goes memory resident and infects EXE files (except those with a V or SC in the name, thus avoiding anti-virus programs like VIR???? or ???SCAN which are often self-checking). 2468 bytes are added to infected files. Tequila is polymorphic and uses stealth.
If it is memory resident, it conceals the increase in file size; in addition, if the partition sector is examined, the virus displays the original, clean partition sector. However, it does not stealth the five sectors at the end of the partition (including the original, clean partition sector).

If an infected program is run three months after the partition sector became infected, the virus displays a large coloured graphic and, at the top of the screen, the text

Execute mov ax, FE03/int21. Key to go on

If these instructions are executed, the following text is displayed:

Welcome to T.TEQUILA'S latest production. Contact T.TEQUILA/P.o. Box 543/6312 St'hausen/Switzerland. Loving thoughts to L.I.N.D.A. BEER and TEQUILA forever!

(this text may be found in one of the sectors at the end of the partition).

Dr Solomon's Anti-Virus Toolkit can certainly repair Tequila virus infections, and I would be surprised if most other anti-virus programs couldn't do the same.

Regards
Graham

---
Graham Cluley [gcluley@sands.co.uk]  Senior Technology Consultant, UK  Tel: +44 (0)1296 318700
Dr Solomon's Anti-Virus Toolkit  UK Support: support@sands.co.uk
S&S International PLC, UK  USA Tel: +1 617 273 7400
CIS Tech Support: GO DRSOLOMON  USA Support: 72714.2252@compuserve.com

------------------------------

Date: Fri, 31 Mar 95 07:32:25 -0500
From: netz@actcom.co.il (Zvi Netiv)
Subject: NOINT virus (PC)

targtace@ix.netcom.com (Ann Wachtler) wrote:

> I know that I have the NOINT virus on one of my floppy disks. McAfee
> antivirus confirmed this. But, for some reason, neither Norton
> Antivirus nor MWAV will detect it. Also, is there some way to clean the
> disk, short of formatting it???

Pick the NetZ utilities package on one of the ftp's in the signoff banner, or in the InVircible forum on CompuServe. You'll find the FIXBOOT utility in it. Process your floppies with it and all boot infectors will be gone, not just NO_INT, without ruining the floppy's content.
When processing bootable floppies take care to use the /IBM switch if they contain PC-DOS, DR-DOS or Novell DOS. MS-DOS 4+ is taken care of automatically.

It's worth taking the InVircible package if you visit these sites. It will help keep your machine out of trouble. :-)

Regards, Zvi

---
Zvi Netiv, author InVircible  NetZ Computing Ltd, Israel  Fax +972 3 532 5325
email: netz@actcom.co.il  antivir@netcom.com  CompuServe `GO InVircible'
ftp.datasrv.co.il/pub/usr/netz/  ftp.netcom.com/pub/an/antivir/invircible/

------------------------------

Date: Fri, 31 Mar 95 07:34:33 -0500
From: netz@actcom.co.il (Zvi Netiv)
Subject: Re: HELP!! DH2 Virus (PC)

knoxcj@elec.canterbury.ac.nz (c.j. knox) wrote:

> I too have a friend with an infected computer. Virus scanner claims
> DH2 is present, and nearly all *.COM and *.EXE files have been infected
> (size has increased by 4kB). Are there any anti-virus packages specific
> to DH2?
> Would prefer not to have to use "format c: /u".

There is no need to format the hard drive as DH2 can be removed easily and safely without leaving traces. Besides, formatting is never the solution for a virus problem, as you may find that your backups contain infected files.

Die Hard (DH2) is a full stealth file infector. This property can be used to clean DH2 by cooperative generic restoration. You will need InVircible's integrity analyzer and generic recovery module, IVB. The principle involved is quite simple. If you create the database needed for the recovery of files while a full stealth infector is active in memory, then the database will reflect the non-infected status of the files. This is the intrinsic nature of full stealth viruses.

The procedure goes as follows:

- Run IVB/S ("secure files" - create a new database) with the virus active in memory.
IVB will alert that there is piggybacking going on. Of course there is, DH2 is a fast infector. Ignore the warnings! :-)

- When done with the whole drive, reboot from a clean DOS floppy and run a clean copy of IVB (the one on the hard drive is infected) from the _registered_ distribution floppy with the command: IVB C: /R ("restore"). The drive will be clean in less than five minutes. :-)

By the way, the above procedure was labeled by Dr. Keith Jackson as "plain stupid advice", in the review he wrote on IV in the Virus Bulletin, December 94. :-)

Cooperative generic recovery will work properly only against full stealth viruses. There are quite a few of them, such as NATAS, Tremor and the newer Hemlock, brand new from Australia.

InVircible will also help you in finding the source from where the infection started. Read in the documentation and in the on-line help how to use the hyper-correlator, IVX.

Best regards, Zvi

---
Zvi Netiv, author InVircible  NetZ Computing Ltd, Israel  Fax +972 3 532 5325
email: netz@actcom.co.il  antivir@netcom.com  CompuServe `GO InVircible'
ftp.datasrv.co.il/pub/usr/netz/  ftp.netcom.com/pub/an/antivir/invircible/

------------------------------

Date: Fri, 31 Mar 95 08:49:29 -0500
From: msnipas@osf1.gmu.edu (MICHAEL SNIPAS)
Subject: Re: Norton Anti-virus updates? (PC)

Jason Oppenheim (jdopp@pipeline.com) wrote:

: Anyone know how I can get the latest virus lists for NAV

Virus definitions are uploaded monthly by....

Symantec BBS
CompuServe: GO NAV, GO SYMVIRUS
America Online: Industrial Connection, Symantec
Internet FTP: ftp.symantec.com/public/windows/nav
Internet World Wide Web: www.symantec.com/public/windows/nav

You could also contact Symantec Customer Service at 1-800-441-7234 USA

I hope this helps.
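The check that Graham Cluley's Tequila description earlier in this issue implies, and that Zvi Netiv's ResQdisk walkthrough later in the issue performs by hand ("total sectors in partition" times 512 should equal the capacity of the drive), can be automated against a saved copy of the MBR. The Python below is an added example written for this digest; it is not code from the list or from any product mentioned in it. The drive geometry and the two MBR images it parses are constructed here, and the six-sector shortfall it reports is the figure Cluley gives for Tequila.

```python
"""
Added example: parse a classic MBR partition table and report sectors that sit
past the end of the last partition. Tequila shortens the partition by six
sectors to park its body at the end of the drive, so a tail of unallocated
sectors on a drive that used to be fully partitioned is worth a look.
The drive geometry and both MBR images below are constructed for the example.
"""
import struct

SECTOR_BYTES = 512
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (3), type, CHS end (3), LBA start, LBA count
TABLE_OFFSET = 446            # the four 16-byte partition entries occupy bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

# Assumed geometry for a small DOS-era drive: 614 cylinders x 4 heads x 17 sectors.
DRIVE_SECTORS = 614 * 4 * 17  # 41752 sectors, about 20 MB


def build_mbr(partitions):
    """Construct an MBR image from (status, type, lba_start, lba_count) tuples."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (status, ptype, lba_start, lba_count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, lba_count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (type 0 means an unused slot)."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries


def hidden_tail_sectors(mbr, drive_sectors):
    """Sectors between the end of the last partition and the end of the drive.
    On a single-partition DOS drive this is normally 0; Tequila leaves 6."""
    used = [e for e in parse_partition_table(mbr) if e["type"] != 0]
    if not used:
        return 0
    last_end = max(e["lba_start"] + e["lba_count"] for e in used)
    return max(drive_sectors - last_end, 0)


def check_mbr(mbr, drive_sectors):
    """Defender-side sanity checks on a saved MBR copy; returns a list of findings."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 55AA boot signature")
    for e in parse_partition_table(mbr):
        if e["type"] != 0 and e["lba_start"] + e["lba_count"] > drive_sectors:
            findings.append(f"partition {e['index']} extends beyond drive capacity")
    tail = hidden_tail_sectors(mbr, drive_sectors)
    if tail:
        findings.append(f"{tail} sectors past the last partition are unaccounted for")
    return findings


# Constructed images: one bootable FAT16 partition starting on head 1 (LBA 17)
# and filling the drive, and the same table shortened by six sectors.
CLEAN_MBR = build_mbr([(0x80, 0x06, 17, DRIVE_SECTORS - 17)])
SHORTENED_MBR = build_mbr([(0x80, 0x06, 17, DRIVE_SECTORS - 17 - 6)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("shortened", SHORTENED_MBR)):
        print(name, check_mbr(image, DRIVE_SECTORS) or "no findings")
```

The capacity figure has to come from the drive's own parameters (the manufacturer's IDE table or the CMOS entry, as Netiv's post describes), not from the partition table itself, or the comparison tells you nothing. A handful of trailing sectors is not proof of infection on its own, since some utilities also round partitions to cylinder boundaries, but on a drive that is known to have been fully allocated it is exactly the discrepancy a stealth partition-sector infector cannot hide from a tool that reads the raw table from a clean boot.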
------------------------------

Date: Fri, 31 Mar 95 09:09:44 -0500
From: v942427@si.hhs.nl (Rietschoten)
Subject: I believe in InVircible now.... (PC)

A while ago, I posted a message, because InVircible popped up a message that I had a 'faked partition table'. No other scanner (not McAfee, not TBAV and not F-Prot, all newest versions) has shown anything weird about my system.... No validation codes had been changed, but InVircible made me take a second look....

Checkdisk had shown that I was missing 4 kb of low memory, so I rebooted with a clean disk, and checked again. I had the missing 4 kb. I started TBAV from this clean boot-disk, which showed me a message saying "Unknown boot sector virus found". I feared for my data.....

Hacking into the boot sector with Norton Diskedit gave me clues that what I found was not a virus, but a hard-disk driver I had installed some time ago... The manual of the software did not say that it wrote to the boot sector, only that it would try to change some CMOS parameters..... A .sys driver was also included, but when I started this driver it said to use the install.exe (which didn't use the .sys driver, but wrote to the boot sector!!!!)

Why the F@##@ don't the programmers include a description of the program (I like to know if a program 'infects' my boot sector!). Is it ethical for a driver program to write to the boot sector at all?

But most of all..... Why didn't TBAV find anything weird when booted from the hard disk, but complained about an 'unknown boot sector virus' when booted from a 'clean' disk?

InVircible told me the truth; it said that some program messed with my partition table, no nonsense about "VIRUS FOUND!!!@! TURN OFF YOUR COMPUTER BEFORE IT EXPLODES NOW!!!" if there's no virus there... Is InVircible really the only program that checks partition tables? Why don't others then?

Well, lots of questions..... hope some of you gurus have lots of answers for me...
Thanks a lot people,

"haagse harrie"
Dimar from the cold, but beautiful Netherlands

------------------------------

Date: Fri, 31 Mar 95 09:21:24 -0500
From: ---GEORDIE---
Subject: Windows & McAfee 2.17 (PC)

I've recently downloaded the new version of McAfee 2.17. This was an upgrade from 1.16. So the new features which I have seen are more user friendly. I've got only one problem. It's VShield.

The system:
IBM APTIVA 486 SX2 50
DOS 6.2
WINDOWS 3.11 (WFWG)
McAfee 2.17
F-Prot 2.14
Thunderbyte 2.16 (I think, well the newest one anyway!)
4mb RAM
270 mb HD

Ok well when I load Windows I check to see if VShield is loaded using the VShield message manager supplied with McAfee. It says that it's not installed. The only way I can get VShield to show that it is installed is if I load Windows without 32 bit disk or file access. My computer has a 32 bit VESA HD controller so I suppose the computer can handle this kind of access. Does McAfee have problems with 32 bit access??? If so can this be fixed??? Or what do you think the problem is??

Also this may or may not be related to McAfee, I'm not sure.. Almost half the times I load Windows it hangs.. It gets to the Program Manager screen and then hangs, I can't move the mouse, I can't quit and I can't soft boot. Being an IBM Aptiva I have to turn the power off and back on again.. Any ideas to the problem.. Any help appreciated.. Answers by E-MAIL please..

Yours
Martin Rowan BEng (Hons) Computer Hardware & Software Engineering, Coventry University

Martin Rowan ("GEORDIE")  EMAIL: mrowan@cov.ac.uk

------------------------------

Date: Fri, 31 Mar 95 09:38:41 -0500
From: "Thomas X.Grasso"
Subject: Stealth Boot Virus (PC)

Hello,

I have found a virus that McAfee ViruScan identifies as "STEALTH_C".
All but one of the characteristics of this virus match those described in one reference for a virus called "Stealth.B" and another reference as "Stealth Boot.C". Both descriptions indicate that this virus will occupy 4096 bytes of conventional memory, evident by the CHKDSK command which will display 651,264 bytes of total memory instead of the normal 655,360 bytes. However, the virus I have occupies 5120 bytes, with CHKDSK showing 650,240 bytes of total memory.

My question is: has anyone else come across this particular virus? I am concerned that it may be more damaging than Stealth.B or Stealth Boot.C.

Thanks for your time,

Thomas X. Grasso, Jr. | Dames & Moore
Network Analyst | 270 West Main Street
CompuServe: 70404,1103 | Springville, New York 14141
Internet: grassot@wvdp.com | Voice: (716) 592-0026
BBS: (716) 646-5438 | Fax: (716) 592-0001

------------------------------

Date: Fri, 31 Mar 95 09:40:11 -0500
From: "Thomas X.Grasso Jr."
Subject: Re: Stealth B viruses in Atlanta and D.C. (PC)

> Ga. We have encountered the Stealth B virus at this site and another site in
> the Atlanta area. We have also found the virus at a contractor site in
>
> Can anyone tell me what this virus does? I know that it is a Boot Sector
> Virus, but I'm not sure of much more than that. Also McAfee doesn't seem to
> detect the Stealth B virus. I know that Norton will, but will Microsoft
> DOS 6.0 Scan pick it up and clean it?

The information I have on a virus called Stealth Boot.C or Stealth B indicates that this is a boot sector and full stealth virus. It infects the MBR of hard drives and the DOS boot sector of floppy disks. It is transmitted from floppy to PC when an infected floppy disk is booted from. Any floppy used in an infected PC will become contaminated unless it is write protected.
On an infected PC it will occupy 4 k of conventional memory. According to the info I have this virus is "not intentionally damaging". However, while memory resident it may cause problems with memory managers and interfere with the operation of Windows.

I encountered this virus last week so I have been trying to gather as much information as possible. The one problem I have is that all the references I have come across thus far indicate that while memory resident the virus will occupy 4 k of memory. The virus I have occupies 5 k. So I may have a variant or perhaps something completely different.

Thomas X. Grasso, Jr. | Dames & Moore
Network Analyst | 270 West Main Street
CompuServe: 70404,1103 | Springville, New York 14141
Internet: grassot@wvdp.com | Voice: (716) 592-0026
BBS: (716) 646-5438 | Fax: (716) 592-0001

------------------------------

Date: Fri, 31 Mar 95 09:45:33 -0500
From: "Dale S. Tucker"
Subject: LiXi (PC)

Looking for information on the LiXi virus... where it came from & how to detect

Thx,
Dale

------------------------------

Date: Fri, 31 Mar 95 14:49:10 +0000
From: Poon Jacob Tin Hang
Subject: Flash ROM virus questions (PC?)

Recently many motherboards use flash ROM BIOS so that they can be upgraded via software. My questions are:

Will a virus attack flash ROM BIOS the way it attacks disks? In other words, are they safe from viruses?
Are there any viruses available that attack flash ROMs?
Are there any products that can detect and/or remove flash ROM viruses?

Thanks in advance.

------------------------------

Date: Fri, 31 Mar 95 10:21:06 -0500
From: gcluley@sands.co.uk
Subject: RE: Infected by New Floppy? (PC)

T.M. Haddock (tmh2708@decster.uta.edu) wrote:

> A co-worker seems to have gotten a brand new preformatted floppy that
> was infected. Is this possible?

Yes.
> He opened a sealed box of preformatted Maxell MF2HD (i274G08) disks and
> put one into one of our lab machines. VIRSTOP popped-up and alerted him
> to the presence of the Stone/Empire/Monkey virus.

I would suggest you contact your disk supplier. You may not have been the only person to have received an infected floppy.

> We scanned the rest of disks from the same box, as well as all of his
> other disks and the lab machines, but none were found to be infected.
>
> Any ideas?

One possibility, though it must be realised this is purely conjecture, is that one disk was taken out of the pack at some point to be QC'd. Maybe it was checked for data errors on an infected machine and that's when the virus jumped on. That way, the virus would only be on one of the disks in the box.

I think the general message here is that preformatted disks aren't worth the extra money for the tiny amount of time they might save.

Regards
Graham

---
Graham Cluley [gcluley@sands.co.uk]  Senior Technology Consultant, UK  Tel: +44 (0)1296 318700
Dr Solomon's Anti-Virus Toolkit  UK Support: support@sands.co.uk
S&S International PLC, UK  USA Tel: +1 617 273 7400
CIS Tech Support: GO DRSOLOMON  USA Support: 72714.2252@compuserve.com

------------------------------

Date: Fri, 31 Mar 95 11:27:27 -0500
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: HELP !!! Michelangelo Virus !!!!! (PC)

S Widlake (swidlake@rl.ac.uk) wrote:

> XWWC29A@prodigy.com (MR HENRI J DELGER) writes:
> >Michelangelo is a floppy diskette Boot Sector and hard disk Partition/MBR
> >infector, and has spread widely since being discovered in April, 1991.
> >It is potentially destructive, since variants will destroy data on the hard
> >disk, and on floppies, on March 6 as well as other dates.
> >Those prudent enough to keep their backups current can simply run the FDISK
> >and FORMAT C: /S commands, and then RESTORE the backup.
> >However, if the
> >backup is old, or if there isn't one at all, it is still possible to
> >retrieve those files which remain intact on the hard disk, using the
> >following method:

> NO - Do not use...

Except as a method of last resort (you can't afford professional help or a copy of e.g., Norton).

> > 1> Use FDISK to re-partition the hard disk EXACTLY as
> > it was originally, including the extended partition
> > and logical drives, if any.

> You'd better be VERY sure about this before you try it. I've always found
> FDISK to be destructive - only "slightly" but definitely destructive - it
> has this tendency to null (00) out sector 0 on each head of the first few

F6h in my experience, but equally destructive. And that's Sector 1 (of the first few Cylinders _and_ HEADS), since we're talking in BIOS-speak, not DOS logical sectors.

> cylinders of each partition created (making way for boot sectors etc.) so
> if you try to use it to recreate a lost partition table FDISK will cause
> further damage to recoverable data making it much less recoverable ;-(

_Much_? Not compared to the 8.9 Meg Michelangelo has zapped already. When I tried creating a partition with FDISK on a "scratch" machine under a debugger, it wrote to disk 25 times (I think) for a total of 12.5K. Assuming that we're talking about the beginning of the drive (Cyl 0 up to 255), not much is being overwritten that Mich didn't get already. I grant that heads numbered 4 or greater will have Sector 1 overwritten, that a lot of it will be FAT, and that one (or two if you're unlucky) block of the root directory gets lost too, but if one is looking for a cheap fix....

Anyway, I agree that this is a method of last resort, but it's not nearly as bad a picture as you paint.

> > 2> Then run FORMAT C: but when DOS asks "All data will
> > be lost! Continue Y/N?" you =MUST= answer "N."

> If you're not going to actually _run_ format why bother running format?
> You've lost me...
> this makes no sense - unless of course format writes out
> a boot sector before actually formatting, which I doubt... Anyone?

Yeah, that's what I thought, too, until I tried it. Damnedest thing, because it worked, but there were no writes to disk! My guess is that FORMAT builds its own BPB and places it in the BIOS hard drive descriptor table (pointed to by Int 41, I suspect). Then steps 3 and 4 actually may generate **some** usable files. (Doing a DIR before running FORMAT generates an 'Invalid drive specification' message, if I remember correctly.)

> > 3> Then run the DIR command.
> > 4> If a listing of files appears, backup immediately.

> If so you've been very lucky... or have you? How much of your FATs are
> left intact... Does "CHKDSK C:" [Do not use the "/f" switch] check out
> OK?

Probably not. If it does have no errors, then quit your job and start playing the ponies or the Market, 'cause you're the luckiest SOB on the planet. If it has problems, then again, whaddya expect for nothin'? (Oh, and don't run CHKDSK from the hard drive, or it may well hang. I suppose the corruption of the hard disk might make it crash when run from a floppy, but the diskette route is much more likely to be successful.)

Sage advice about /F. Never ever ever use CHKDSK /F unless a) you know what you're doing and b) you understand exactly what is wrong. I can create an example where CHKDSK /F makes things worse (unless you turn off the machine or reboot before CHKDSK has a chance to write its changes) no matter what answers you might give to its prompts, if any. I'll be happy to prove it, but not here and now.

> > 5> The hard disk can then be made bootable with SYS C:
> > 6> After that, the virus must also be removed from
> > diskettes to prevent possible future re-infection.

> Yes. You must check and, if necessary clean, all of your floppy diskettes
> - ALL of them... unless you're happy to go through this again, next year.
> Let's be careful out there.

Indeed -- to both of the above.

-BPB

------------------------------

Date: Fri, 31 Mar 95 11:50:23 -0500
From: netz@actcom.co.il (Zvi Netiv)
Subject: Re: Can a virus kill a hard drive? (PC)

dhill@sw.stratus.com (David Hill) wrote:

> A friend of mine and I were recently infected with the monkey_b virus. I was able
> to clean it out pretty easily, but he wasn't quite as lucky.
> His hard drive became unreadable while he was trying to clean the virus away.
> When he did 'scan c:', it gave him an error indicating that c: was no longer
> there. This computer is not very old and he had also had a couple problems with
> his BIOS values going away, so the company that sold him the system replaced the
> battery about three weeks ago. We thought this might be somehow related and
> brought it to them. They called him back yesterday and told him that his computer
> had also been infected by the natv (?) virus and that there was a very good chance
> that the hard drive is dead and he will have to buy a new one. This doesn't
> really sound right. It sounds more like a company trying to avoid responsibility
> for a faulty product. Does anybody know what the natv virus does and if this is
> possible?

This seems like something ResQdisk (from the InVircible package) can handle.

First, a quick assessment of what happened. It started as you indicate with the Monkey virus. The cleaning program probably failed in writing the mbr, and the drive is no longer accessible. It's possible that the problem got worse due to a CMOS battery failure. The net result is the loss of access to the hard drive for either one of the reasons above, or for both of them.

Get a copy of the RESQDISK.ZIP package from one of the sites in the signoff banner. Read the attached ResQdisk.txt file and make a note of the hotkeys. The following are general instructions on how to recover access to a hard drive, with the specifics about Monkey.
Boot clean from a DOS floppy and then run RESQDISK. Press F5 and you'll see the manufacturer's IDE parameters (if it's an IDE). Watch that the IDE tables and the CMOS ones fit, at least as to the capacity of the drive. If they don't, then write down the manufacturer's parameters and set them in the CMOS, under "User Type". Now reboot. If you can access drive C then good. If not, then run RESQDISK again.

It may sometimes happen that ResQdisk will indicate "cannot read sector". This means that some erratic write messed with the mbr's CRC. To reset the CRC and make the sector readable (and writeable) just run FDISK/MBR a couple of times; it will do the trick (and zero out the partition data). If the sector is still unreadable then you simply got a hardware failure.

Now go to sector 0,0,3 with the down arrow. This is where Monkey stored the encrypted copy of the original mbr. Press ^E (edit) and select "decrypt". You should now see the original mbr in full splendor. :-) Press ^A (analyze) and select "As partition". It should show sensible data. If you multiply the "total sectors in partition" by 512, it should equal the capacity of the drive.

Go to sector 0,0,1 with the Home key (the mbr), press ^E and "Write". The last operation reinstated the original mbr where it belongs. Now reboot; most chances are that you got your drive back. :-)

ResQdisk is just one module of InVircible, an anti-virus and disaster recovery software suite. Install IV, make a rescue diskette (see in the on-line help) and enjoy ongoing safe computing without sacrificing a bit of your computer's performance or resources.
Regards, Zvi

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible          NetZ Computing Ltd, Israel
Fax +972 3 532 5325    email: netz@actcom.co.il   antivir@netcom.com
CompuServe `GO InVircible'
ftp.datasrv.co.il/pub/usr/netz/   ftp.netcom.com/pub/an/antivir/invircible/
- -------------------------------------------------------------------------

------------------------------

Date: Fri, 31 Mar 95 11:50:20 -0500
From: netz@actcom.co.il (Zvi Netiv)
Subject: Unknown Virus?? (PC)

Matthew Avitable @UBVM.CC.BUFFALO.EDU wrote to all:

> We appear to be infected with an undetectable virus - the symptoms are:

"Undetectable virus" is the forte of InVircible. :-)

> 1) If you format a diskette on the A drive, the diskette
> either becomes unreadable, or you are told that there is
> INSUFFICIENT SPACE ON THE DISKETTE TO SAVE A FILE.
> 2) If you try to scan the computer by booting it from a
> clean diskette, you receive the message 'Invalid Drive
> Specification' and cannot access the C drive.
> 3) Certain files that are known to be resident on the C
> DRIVE CANNOT BE SEEN USING THE FILE MANAGER IN WINDOWS BUT
> are present when viewed under the DOS command DIR.

Before going on a wild goose chase, are you sure that you don't have one of the large capacity IDE drives that require a special driver to be recognized? Because if it's not, then you definitely have a virus. To this point, it's either an mbr infector or a multipartite one.

> 4) If I scan the C drive with the normal boot (from the c
> drive) both F-PROT and McAfee SCAN do not pick up any
> suspected viruses.

Now you really got me intrigued.

> I was able to eliminate some problems by booting the system
> normally and issuing the command FDISK /MBR and then shutting the
> machine down. When I rebooted the system from the A drive I was
> able to access the C drive. All scans were negative.
> I kept a copy
> of a diskette which was suspected of being infected and when I
> restarted the computer with this disk in the A drive (this was not
> a system diskette) the symptoms reappeared. It appears that we have
> a boot sector virus but I am unsure which one, and if it has been
> completely eliminated. This problem exists on a number of systems
> and has caused us much grief. Any suggestions?

Get a copy of InVircible from one of the sites mentioned below and install it on all machines, in "sentry" mode. You'll have all the characteristics of the virus in no time, except its name. Maybe it hasn't one, yet. :-) InVircible will suggest how to remove the virus as soon as it senses its characteristics. Seems that the ResQdisk module will suffice to get rid of this one.

It could be interesting to analyze the infected diskette. Please contact me via e-mail.

Regards, Zvi

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible          NetZ Computing Ltd, Israel
Fax +972 3 532 5325    email: netz@actcom.co.il   antivir@netcom.com
CompuServe `GO InVircible'
ftp.datasrv.co.il/pub/usr/netz/   ftp.netcom.com/pub/an/antivir/invircible/
- -------------------------------------------------------------------------

------------------------------

Date: Fri, 31 Mar 95 11:50:30 -0500
From: netz@actcom.co.il (Zvi Netiv)
Subject: Non DOS boot sector infected with JUNKIE, now what? (PC)

bjbru@giskard.rdt.monash.edu.au (Brian Bruinewoud) wrote about Non DOS boot sector infected with JUNKIE (PC)

> Thanx to my illustrious friends, I have acquired a junkie virus on my
> home pc. I cleaned it off using McAfee scan 2.1.3 Evaluation Copy
> and then re-checked the system using /all once and then again using
> /boot. Nothing found.
> Then I rebooted the system and it was back in memory and the *.com files
> called from autoexec.bat were reinfected. Note, the boot sectors,
> according to McAfee, were NEVER infected.

The reinfection most likely occurs through the master boot sector. Junkie is one of the most efficiently spreading multipartites. If a single infected COM file ran from the hard drive, then the mbr is definitely infected.

> The only thing I can think of is that it has somehow infected the OS/2
> BootManager that I use to choose between MS-DOS, OS/2 and Linux. If this
> is the case, how can I get rid of it? Also, if that's infected, have the
> OS/2 and Linux boot sectors also been infected and how do I find
> out/clean them. I just installed a new version of Linux, I'm not going
> to take kindly to having to do it again. Can junkie survive in a non-dos
> environment?

Junkie isn't surviving a non-DOS boot, nor did it infect the OS/2 boot manager. What most likely happened is that somehow an infected copy of the DOS mbr got into your boot manager, and gets reinstated every time you switch from OS/2 (or Linux) to DOS. :-) Once there is an infected mbr, then the whole cycle starts over again. Here is how to clean it once and for good.

First, get yourself a decent disinfector that will remove Junkie from the partition, as well as from files. McAfee should be able to, but if it doesn't, then use fdisk/mbr (caution! only when booted on DOS!). Also take care to disinfect after booting clean from a floppy! Do not run anything from the hard drive itself. Don't forget the FDISK/MBR, plus one for luck! :-) Finally, reinstall boot manager to assure there are no traces left of the bad DOS mbr.
Regards, Zvi

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible          NetZ Computing Ltd, Israel
Fax +972 3 532 5325    email: netz@actcom.co.il   antivir@netcom.com
CompuServe `GO InVircible'
ftp.datasrv.co.il/pub/usr/netz/   ftp.netcom.com/pub/an/antivir/invircible/
- -------------------------------------------------------------------------

------------------------------

Date: Fri, 31 Mar 95 11:50:27 -0500
From: netz@actcom.co.il (Zvi Netiv)
Subject: a virus? new? old? (PC)

solomon2@GRANDE.NM.ORG wrote:

> I have recently received a number of reports from friends that their
> C-drive is no longer recognized. Is this being caused by a virus?
> F-prot is of no help because it can't get into "C" to fix it. If this
> is a virus and the boot sectors or something else is being affected
> how can it be fixed. I would appreciate any help from anyone.

Here is another one for ResQdisk. :-)

Get a copy of the RESQDISK.ZIP package from one of the sites in the signoff banner. Read the attached ResQdisk.txt file and make a note of the hotkeys. The following are general instructions on how to recover access to a hard drive.

Boot clean from a DOS floppy and then run RESQDISK. Press F5 and you'll see the manufacturer's IDE parameters (if it's an IDE). Watch that the IDE tables and the CMOS ones fit, at least as far as the capacity of the drive. If they don't, then write down the manufacturer's parameters and set them in the CMOS, under "User Type". Now reboot. If you can access drive C then good. If not, then run RESQDISK again.

It may sometimes happen that ResQdisk will indicate "cannot read sector". This means that some erratic write messed with the mbr's CRC. To reset the CRC and make the sector readable (and writeable) just run FDISK/MBR a couple of times; it will do the trick (and zero out the partition data). If the sector is still unreadable then you simply have a hardware failure.

Depending on which virus hit the drive, you should find a copy of the original mbr in one of the following sectors: 6 (Nika), 7 (Stoned, Michelangelo, No-INT), 9 (Ekaterinburg), 11 (Exebug), 13 (AntiEXE), 17 (B1-NYB) or last (Quox). Browse through the sectors with the down arrow until you find the relocated mbr. You'll know it by being able to read "Invalid partition table" in the middle of the window. Press ^A (analyze) and select "As partition". It should show sensible data. If you multiply the "total sectors in partition" by 512, it should equal the capacity of the drive. Now pick this sector to the clipboard (press ^E and "read"), next go to sector 0,0,1 with the Home key (the mbr), press ^E and "Write". The last operation reinstated the original mbr where it belongs. Now reboot; most chances are that you got your drive back. :-)

There are instances in which the mbr was destroyed and no copy of it exists anywhere. ResQdisk can then be used in the "rebuild" mode. This condition is automatically detected and a message will indicate "Press ^F1 to restore access". Do just that.

ResQdisk is just one module of InVircible, an anti-virus and disaster recovery software suite. Install IV, make a rescue diskette (see the on-line help) and enjoy ongoing safe computing without sacrificing a bit of your computer's performance or resources. Making an IV ResQdiskette before such a mishap could save a lot of acrobatics.

Regards, Zvi

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible          NetZ Computing Ltd, Israel
Fax +972 3 532 5325    email: netz@actcom.co.il   antivir@netcom.com
CompuServe `GO InVircible'
ftp.datasrv.co.il/pub/usr/netz/   ftp.netcom.com/pub/an/antivir/invircible/
- -------------------------------------------------------------------------

------------------------------

Date: Fri, 31 Mar 95 12:49:02 -0500
From: Jon Wayne
Subject: Re: What is ThunderBYTE? (PC)

lee@hp.rmc.ca (Haynes Lee) writes:

>In Canada, a recent virus scanner called ThunderBYTE
>detected a virus on some master disks of a federal budget
>that were just about to be sent to over 1,000 financial
>institutions. Previous scans by other virus software
>detected nothing. That particular virus would have
>screwed up the FAT tables of a disk.
>Where can one obtain ThunderBYTE?

Call them at 800 667-TBAV.

jon

------------------------------

Date: Fri, 31 Mar 95 12:58:32 -0500
From: ab1@nauvax.ucc.nau.edu (Andy Beecham)
Subject: NT Anti-Virus Software (PC)

Any Anti-Virus software recommendations for machines running Windows NT?

Thanks in Advance.

------------------------------

Date: Fri, 31 Mar 95 18:43:57 -0500
From: awitas@ix.netcom.com (Adam Witas)
Subject: Cleaning DA'BOYS virus. (PC)

I am in serious need of a virus scanner or cleaner that will kill DA'BOYS virus on my PCs at home and at work. I heard that Norton has such a scanner, but I have no idea where to get it. Does anyone have (or know how to get) a scanner that will kill this virus?

- --
A. Witas   Awitas@ix.netcom.com
"I'd give my right arm to be ambidextrous!"

------------------------------

Date: Fri, 31 Mar 95 21:00:50 -0500
From: peterg@netaccess.on.ca (Milan P. Gola)
Subject: "_1099" virus (PC)

I have recently come across the _1099 virus. Apparently it infects any EXE file you run, then gives you a blank screen and shuts down your system exactly 1 hour after the virus is activated. Does anyone know how to remove this virus without the suggested "delete the file"? I have an infected program which is a Chinese word processor and I can't get another copy. Any information would be appreciated.
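As an added example (not ResQdisk, InVircible, or anything posted in this digest), here is the sanity check that Zvi Netiv's two ResQdisk walkthroughs above do by hand, written in Python: browse the track-0 sectors he lists, recognise the relocated original mbr by the "Invalid partition table" text of the stock DOS loader, analyze it "as partition", and confirm that "total sectors in partition" times 512 matches the drive capacity before writing it back over sector 1. The track-0 image, the 504 MiB geometry and the single FAT16 partition are constructed for the demo; putting the copy in sector 7 follows his list (Stoned, Michelangelo, No-INT), and the junk in sector 6 shows the capacity rule rejecting a sector that merely carries a signature.

```python
"""
Added example, not ResQdisk/InVircible code: the by-hand checks in Zvi
Netiv's recovery recipe, done on raw sector bytes.  A constructed image
of track 0 stands in for the drive; the relocated original MBR sits in
sector 7 (where the message lists Stoned, Michelangelo and No-INT putting it).
"""
import struct

SECTOR_BYTES = 512
BOOT_SIGNATURE = b"\x55\xaa"                   # last two bytes of a valid MBR
TABLE_OFFSET = 0x1BE                           # four 16-byte partition entries
DOS_LOADER_TEXT = b"Invalid partition table"   # the visual tell from the post
# Sectors (CHS 0,0,n) in which, per the post, various viruses park the
# original MBR.  "last" (Quox) depends on the geometry and is omitted here.
CANDIDATE_SECTORS = (6, 7, 9, 11, 13, 17)


def parse_partition_table(sector):
    """Return the four partition entries of a 512-byte sector as dicts."""
    if len(sector) != SECTOR_BYTES:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _cs, ptype, _ce, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * i)
        entries.append({"active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_as_partition(sector, drive_capacity_bytes, tolerance=0.05):
    """ResQdisk's 'As partition' view as a list of problems (empty = sane):
    boot signature, exactly one active entry, no overlaps, and the rule that
    'total sectors in partition' * 512 should match the drive capacity.
    The tolerance allows for track 0 and end-of-disk slack."""
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("no 55AA boot signature")
    used = [e for e in parse_partition_table(sector) if e["type"] and e["sectors"]]
    if not used:
        problems.append("partition table is empty (zeroed by FDISK /MBR or a virus?)")
        return problems
    if sum(e["active"] for e in used) != 1:
        problems.append("expected exactly one active partition")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        problems.append("partition entries overlap")
    covered = sum(e["sectors"] for e in used) * SECTOR_BYTES
    if abs(covered - drive_capacity_bytes) > tolerance * drive_capacity_bytes:
        problems.append("sectors * 512 = %d bytes but the drive holds %d"
                        % (covered, drive_capacity_bytes))
    return problems


def find_relocated_mbr(track0, drive_capacity_bytes):
    """Browse the candidate sectors of track 0 (dict: sector number -> bytes)
    and return the first one that shows the DOS loader text and passes the
    partition check, or None if no usable copy exists ("rebuild" territory)."""
    for sector_no in CANDIDATE_SECTORS:
        data = track0.get(sector_no)
        if data and DOS_LOADER_TEXT in data \
                and not check_as_partition(data, drive_capacity_bytes):
            return sector_no
    return None


def recover(track0, drive_capacity_bytes):
    """Copy the found original back over sector 1 (ResQdisk: ^E 'read' on the
    copy, Home, ^E 'Write').  Returns the sector it came from, or None."""
    found = find_relocated_mbr(track0, drive_capacity_bytes)
    if found is not None:
        track0[1] = track0[found]
    return found


def make_sector(entries, loader_text=DOS_LOADER_TEXT):
    """Build a constructed MBR image; entries are (active, type, lba, count)."""
    sector = bytearray(SECTOR_BYTES)
    sector[0x80:0x80 + len(loader_text)] = loader_text   # stand-in for loader code
    for i, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed 504 MiB drive: 1024 cylinders * 16 heads * 63 sectors, with one
# FAT16 primary partition starting on the first sector after track 0.
SAMPLE_CAPACITY = 1024 * 16 * 63 * SECTOR_BYTES            # 528482304 bytes
ORIGINAL_MBR = make_sector([(True, 0x06, 63, 1024 * 16 * 63 - 63)])
SAMPLE_TRACK0 = {
    1: make_sector([]),                               # live MBR after FDISK /MBR: table zeroed
    6: make_sector([(True, 0x06, 63, 5_000_000)]),    # junk that only looks like an MBR
    7: ORIGINAL_MBR,                                  # the relocated original we are hunting
}

if __name__ == "__main__":
    print("live MBR problems:", check_as_partition(SAMPLE_TRACK0[1], SAMPLE_CAPACITY))
    print("original copy found in sector", recover(dict(SAMPLE_TRACK0), SAMPLE_CAPACITY))
```

The same parser is what you would run over a backup copy of the MBR kept on an emergency diskette before writing it back: a copy that fails `check_as_partition` for the drive it came from is not the one you want to restore.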
------------------------------

Date: Fri, 31 Mar 95 22:58:38 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: NAV (PC)

jdopp@pipeline.com writes

>Anyone know how I can get the latest virus lists for NAV

NAV updates are available at FTP.SYMANTEC.COM/PUB/NAV

The latest NAV signature updates are usually available at the Metaverse Anti-Virus BBS (606) 843-9363 as well.

Bill
bill.lambdin@woodybbs.com  9CCD47F3C765CA33
blambdin@aol.com           C77D698B260CF808   (PGP fingerprints)

- ---
 * CMPQwk 1.4 #1255 * AH activates any Tuesday

------------------------------

Date: Fri, 31 Mar 95 23:04:56 -0500
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: NO-INT (PC)

targtace@ix.netcom.com writes

>I know that I have the NOINT virus on one of my floppy disks. Mcaffe
>antivirus confirmed this. But, for some reason, neither Norton
>Antivirus nor MWAV will detect it. Also, is there some way to clean
>the disk, short of formatting it???

NO-INT is a Boot Sector Virus (BSV) sometimes improperly called Stoned 3. This virus infects the boot sector of diskettes, and the Master Boot Record of the hard drive.

This virus is stealthed. When the user places a call to the MBR, the virus will intercept the call and redirect the call to the uninfected MBR stored elsewhere on the drive.

Removal.

F-Prot, and most other A-V software should be able to remove the virus safely. If your A-V software can not handle this virus, the first step is to clean the hard drive.

a. Backup your hard drive just in case.
b. Boot clean from a known clean bootable diskette.
c. FDISK /MBR if you have DOS 5.0 or above.
d. Boot clean from the hard drive, then scan and clean all infected diskettes in the facility.
e. After you have the computer clean, I would recommend for you to prepare an emergency diskette. This diskette should have the following.

1. The diskette must be bootable.
2. Backup copy of the Master Boot Record.
3. Backup copy of the boot sector from the active partition.
4. Software to read and write the above image files back to the hard drive.
5. FORMAT
6. FDISK
7. etc.

Bill
bill.lambdin@woodybbs.com  9CCD47F3C765CA33
blambdin@aol.com           C77D698B260CF808   (PGP fingerprints)

- ---
 * CMPQwk 1.4 #1255 * HALLOWEEN activates Oct 31st

------------------------------

Date: 01 Apr 95 04:25:12 -0500
From: blw6870@jackson.freenet.org (Brandon L. Walters)
Subject: NYB virus (PC)

We found 5 out of 50 some Windows PCs here that had the NYB. I spent a long time getting it off one of them. NAV won't disinfect it. Two of the postings about this disappeared as I tried to read them. I'd really like to know if there is a slick way to disinfect NYB from huge IDE drives w/o totally wiping everything.

Thanks in advance.

Brandon Walters

------------------------------

Date: Sat, 01 Apr 95 07:09:06 -0500
From: ngchwei@merlion.singnet.com.sg (Novice)
Subject: "SW Error" - is this a virus? (PC)

Every month or two, I get this problem when I run Windows: a column of "SW Error"s appears when I click on some icons. The screen scrolls up, and eventually I have to exit Windows. Sometimes, programs run for a while, but when I try to save something to my hard disk, I get the error message "Disk full" or something like that, even though I have plenty of space left over. Funny thing is, the problem disappears after a day, only to reoccur some time later. Is this a virus? If so, how can I get rid of it? Would appreciate any help. Thanks in advance.

------------------------------

Date: Sat, 01 Apr 95 16:22:30 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: help [Whis] virus (PC)

Israel Kay <100112.2001@compuserve.com> wrote:

>F-Prot, and Dr. Solomon's AVTK accurately identify and remove it.

NAV 3.0 also detects and removes the Tai-Pan.Whisper virus with updates from November 1994 I believe.
- --
Kevin Marcus, CS Dept, U/CA, Riverside: datadec@cs.ucr.edu
Norton AntiVirus Development: Kevin_Marcus_at_SYM-SM@symantec.com
Virus-L archives: ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Sat, 01 Apr 95 16:23:36 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: How to remove Filler virus? (PC)

Israel Kay <100112.2001@compuserve.com> wrote:

>Humberto Jose Bortolossi writes:
>
>There are 2 known variants, Filler.A and Filler.B.
>
>Dr. Solomon's AVTK and F-Prot identify and remove it.

NAV 3.0 also detects and removes both these variants.

- --
Kevin Marcus, CS Dept, U/CA, Riverside: datadec@cs.ucr.edu
Norton AntiVirus Development: Kevin_Marcus_at_SYM-SM@symantec.com
Virus-L archives: ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Sat, 01 Apr 95 16:33:04 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: NOINT virus (PC)

Ann Wachtler wrote:

>I know that I have the NOINT virus on one of my floppy disks. Mcaffe
>antivirus confirmed this. But, for some reason, neither Norton
>Antivirus nor MWAV will detect it. Also, is there some way to clean the
>disk, short of formatting it???

Which version of NAV are you using? If it is 3.0 and you have the most recent updates (available from ftp.symantec.com in /public/nav/30xxx.zip), and you still don't detect it, please contact Norton Anti-Virus technical support.

Stoned.NoInt, a Stoned variant, gets its name from not using any CD form Interrupt calls. This doesn't make the virus any more difficult to detect or remove, but it is a unique characteristic of the virus. I don't believe it has any payload. It is an MBR/BS infector.

It can be removed generically from a floppy disk by issuing the "sys x:" on the appropriate drive when the virus is known not to be in memory. This will have the side effect of eating 100+K of disk on your floppy depending on your DOS version, but it will remove the virus.

It can be removed generically from the MBR of your hard disk with the FDISK /mbr switch when the virus is known not to be in memory.

It takes 2K of memory from DOS by reducing the value at 0:413 by two. You can make a simple memory check with the chkdsk program. If the value reported back is 653312, then you probably have the virus in memory. This is not a definite, but it merely suggests there might be a 2K virus at the top of memory.

- --
Kevin Marcus, CS Dept, U/CA, Riverside: datadec@cs.ucr.edu
Norton AntiVirus Development: Kevin_Marcus_at_SYM-SM@symantec.com
Virus-L archives: ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Sat, 01 Apr 95 16:41:26 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: How to get rid of NOV(EMBER) 17 virus (PC)

LABBE wrote:

>Although most virscanners I know detect November 17, no one has been
>able to disinfect it successfully. How come? It seems to be your regular
>exe and .com virus, does not remain resident in memory and (as far as
>I know) has no devastating effect on files or partitions.
>
>Which Scanner can do the trick? Or is it useless anyway because the
>infected files are damaged beyond repair?

There are several variants of the November 17th virus. NAV 3.0 detects the .584, .706, .768.A, .768.B, .855, .880, and .800. It should also remove most if not all of these variants. This virus also triggers on November 17th, where it will destroy data on your hard disk. I believe there is a variant of this virus which does that on the 1st of January, also, but I don't recall which.

- --
Kevin Marcus, CS Dept, U/CA, Riverside: datadec@cs.ucr.edu
Norton AntiVirus Development: Kevin_Marcus_at_SYM-SM@symantec.com
Virus-L archives: ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Sat, 01 Apr 95 16:46:44 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Norton Anti-virus updates? (PC)

Jason Oppenheim wrote:
>
>Anyone know how I can get the latest virus lists for NAV

The Virus List can be seen from inside NAV by going to Tools, and then to "Virus List". However, I think that you really mean you want the latest virus update, which is available for ftp at ftp.symantec.com in /public/nav/30xxx.zip. The bigger the numbers, the more recent. As of now, I believe 30a17c is most recent.

- --
Kevin Marcus, CS Dept, U/CA, Riverside: datadec@cs.ucr.edu
Norton AntiVirus Development: Kevin_Marcus_at_SYM-SM@symantec.com
Virus-L archives: ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Sat, 01 Apr 95 16:47:54 -0500
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Tequila Virus (PC)

Paul Downing wrote:

>Has anyone heard of this virus.. Tequila? A friend has it and we tried
>McAfee to rid it but to no avail. I'm not sure if he's tried Norton yet.
>Any help?

NAV 3.0 detects and removes this virus.

- --
Kevin Marcus, CS Dept, U/CA, Riverside: datadec@cs.ucr.edu
Norton AntiVirus Development: Kevin_Marcus_at_SYM-SM@symantec.com
Virus-L archives: ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Sat, 01 Apr 95 18:39:53 -0500
From: dhimelic@prairienet.org (D Himelick)
Subject: Disinfectant for PC? (PC)

I finally am joining the PC world with a Toshiba laptop! I heard PC people were much nicer than Mac folks. :> I am looking for a Disinfectant type program for my PC like I used to have on my Mac. Is there a freeware/shareware program on the market? And could I find it on the Net?

Thanks,
Doug

- --

------------------------------

Date: Sat, 01 Apr 95 20:39:33 -0500
From: "Rob Slade, Social Convener to the Net"
Subject: Re: Memory, CMOS, printers etc. (was FAQ and questions) (PC)

From: "Bruce Burrell"

>> be executed as a program. Postscript is actually a programming language,
>> so Postscript printers could be programmed, but they could infect MS-DOS
>                                                       ^^^^^^^^^^^^^^^^^^^
> Do you not mean "could NOT infect" here?
I strongly suspect so.

>Yeah, I know. The "not" was still in your fingers. :-)

Exactly so. My fingers were all notted up.

------------------------------

Date: Sat, 01 Apr 95 21:46:08 -0500
From: "George R. Self"
Subject: Re: What is ThunderBYTE? (PC)

lee@hp.rmc.ca (Haynes Lee) wrote:

> Where can one obtain ThunderBYTE?

I got an evaluation copy from the SIMTEL collection. There is a version for both DOS and WINDOWS. I've been running it for about two weeks now and have had no compatibility problems (486DX2). The SIMTEL archive version was updated in March, so it is pretty new. Good luck with it.

- --George

------------------------------

Date: Sat, 01 Apr 95 22:21:29 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Re: ATTN: McAfee doesn't find ANTIEXE (PC)

Toby (moonstar@well.com) writes:

>> F-Prot Ver 2.16 identify and remove ANTIEXE.
> Really, I can't get it to remove antiexe off of one of my machines.
> What's the trick?

To my knowledge the latest version of F-Prot (2.17) removes Antiexe. However, if you have a new variant of Antiexe it may not remove it. In such case I suggest you write to Frisk at frisk@complex.is.

Regards,
Israel

READERS OF VIRUS-L AND COMP.VIRUS ARE WELCOME TO CONTACT ME DIRECTLY.
*********************************************************************
*                        I S R A E L   K A Y                        *
*             PC ANTI-VIRUS & DATA SECURITY CONSULTANCY             *
*                           LONDON OFFICE                           *
*            137 Wargrave Avenue, London, N15 6TX. U.K.             *
*  Tel: +44 (0)181 800 7278               Fax: +44 (0)181 802 9880  *
*   CIS: 100112,2001  Internet: 100112.2001@compuserve.com  CIX: ik *
*****************-----------------------------------*****************
*      LONDON                                         NEW YORK      *
*********************************************************************

------------------------------

Date: Sat, 01 Apr 95 22:21:27 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Viruses with no payload (PC)

Frank Honer writes:

> I am a casual reader of the comp.virus newsgroup and noticed your
> statement:
>> "Tai-Pan also known as Whisper was discovered in Sweden around the
>> middle of 1994. It is a virus that goes memory resident and only
>> infects .EXE files. File sizes grow by 438 bytes. It will only
>> infect .EXE files that are larger than 64k.
>> It will not do anything more than replicate once it is in memory."
> This raises a curiosity with me. "Why would someone take the time to
> write a virus which essentially has no apparent effects?" It would
> seem to me that a virus writer would get his "thrills" from causing
> problems to a person's system or files. Virus writers are certainly
> strange and demented, but to write a virus that has no obvious effects
> seems extremely strange.
> If you have a minute, could you enlighten me?

There are many people out there that have written viruses which appear to do little more than replicate. This can be due to a number of reasons.

1. The virus has a fault, due to bad programming.
2. No payload has been programmed in, intentionally.
3. The virus author does not intend to cause harm.
4. They are lab or test viruses, which have leaked out.

Another reason is that all certain people want to do is spread a message. Once this virus has hit someone all it will display is a greeting or something a little more offensive.

Regards,
Israel

READERS OF VIRUS-L AND COMP.VIRUS ARE WELCOME TO CONTACT ME DIRECTLY.
*********************************************************************
*                        I S R A E L   K A Y                        *
*             PC ANTI-VIRUS & DATA SECURITY CONSULTANCY             *
*                           LONDON OFFICE                           *
*            137 Wargrave Avenue, London, N15 6TX. U.K.             *
*  Tel: +44 (0)181 800 7278               Fax: +44 (0)181 802 9880  *
*   CIS: 100112,2001  Internet: 100112.2001@compuserve.com  CIX: ik *
*****************-----------------------------------*****************
*      LONDON                                         NEW YORK      *
*********************************************************************

------------------------------

Date: Sat, 01 Apr 95 22:21:33 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Non detectable viruses (PC)

Rafael Rivera writes:

> Is there a virus that is not detectable by the latest McAfee
> Vscan/Vshield virus scanners?

There are over 6000 viruses out there today. New ones are appearing nearly every day. I am sure McAfee will not deny that there are viruses they do not detect, i.e. new ones.

For a new virus to be accurately detected in an AV package, the virus must first be disassembled and analysed by McAfee and respective AV developers. Only after this has been carried out can detection be built into AV packages. The above process takes time. If a new virus appears, and the various AV developers are alerted to it, an update to detect it will normally be included in the next release of their program. As far as disinfection is concerned, it depends on the nature and complexity of the new virus.

If you find a virus which is not detectable by your current AV program please let me know.

Regards,
Israel

READERS OF VIRUS-L AND COMP.VIRUS ARE WELCOME TO CONTACT ME DIRECTLY.
*********************************************************************
*                        I S R A E L   K A Y                        *
*             PC ANTI-VIRUS & DATA SECURITY CONSULTANCY             *
*                           LONDON OFFICE                           *
*            137 Wargrave Avenue, London, N15 6TX. U.K.             *
*  Tel: +44 (0)181 800 7278               Fax: +44 (0)181 802 9880  *
*   CIS: 100112,2001  Internet: 100112.2001@compuserve.com  CIX: ik *
*****************-----------------------------------*****************
*      LONDON                                         NEW YORK      *
*********************************************************************

------------------------------

Date: Sat, 01 Apr 95 22:21:30 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: 2KB Virus (PC)

Eric (erict@osullivan.interax.net) writes:

> Hi! You seems to know a lot on Viruses don't you! Can you give
> any me any information on the 2KB Viruses ??? I have a very big problem
> With IT!.... I Clean it with Clean (Macafee) But it don't seems to
> works well...

2KB, also known as Neuville, Touche, French Boot and Sillybob, is a boot sector virus. When it goes resident it infects the MBR. It will only infect the HD if you boot from an infected floppy. After that it will infect all un-write-protected floppies accessed.

> Just in detecting it a Infect my Memory, and Comes Back into
> BootSector...

It is not safe to boot from a floppy, as long as the virus is in memory.

> Do you know where i can get good remover for it ??
> Is there any Ftp Sites for macafee ???

F-Prot and Dr. Solomon's AVTK identify 2KB and remove it.

You can obtain McAfee and various other AV programs via FTP: oak.oakland.edu /SimTel/msdos/virus

If I can help any further please don't hesitate to contact me.

Regards,
Israel

READERS OF VIRUS-L AND COMP.VIRUS ARE WELCOME TO CONTACT ME DIRECTLY.
*********************************************************************
*                        I S R A E L   K A Y                        *
*             PC ANTI-VIRUS & DATA SECURITY CONSULTANCY             *
*                           LONDON OFFICE                           *
*            137 Wargrave Avenue, London, N15 6TX. U.K.             *
*  Tel: +44 (0)181 800 7278               Fax: +44 (0)181 802 9880  *
*   CIS: 100112,2001  Internet: 100112.2001@compuserve.com  CIX: ik *
*****************-----------------------------------*****************
*      LONDON                                         NEW YORK      *
*********************************************************************

------------------------------

Date: Sat, 01 Apr 95 22:21:35 -0500
From: Israel Kay <100112.2001@compuserve.com>
Subject: Re: .DLL files are disappearing. Have I got a virus? (PC)

Roberto Corradi writes:

>> Israel Kay (100112.2001@compuserve.com) wrote:
>> To date I have not heard of any viral activity which deletes .DLL
>> files. Have you noticed any of the following symptoms:
> We've had a similar problem on one of the 486 PC's in our lab. In
> particular the Sigmaplot .dll files disappear. I think some twit is
> deleting them.... The other thing is that if I run Central Point

If you have someone running around deleting files I suggest you should delete them from your personnel list, fast... :-)

> Anti-virus, the one shipped with MS-Dos 6.xx in Windows it comes up
> saying 90% or so of the files have changed, but does not say virus. If I
> run it through DOS it finds nothing. If I up-date in Windows then the
> DOS version starts shouting... McAffee and F-Prot have both found no
> problems so I'll leave best alone.

It looks like you are running the integrity checker part of CPAV. This will alert you to files changing in size only. This does not necessarily mean that a virus is present. However, have you noticed any of the following:

An increase in .COM or .EXE file sizes,
Unaccounted items in high or low memory,
Unusual text messages.

If yes, please explain them to me in full.

Regards,
Israel

READERS OF VIRUS-L AND COMP.VIRUS ARE WELCOME TO CONTACT ME DIRECTLY.
*********************************************************************
*                        I S R A E L   K A Y                        *
*             PC ANTI-VIRUS & DATA SECURITY CONSULTANCY             *
*                           LONDON OFFICE                           *
*            137 Wargrave Avenue, London, N15 6TX. U.K.             *
*  Tel: +44 (0)181 800 7278               Fax: +44 (0)181 802 9880  *
*   CIS: 100112,2001  Internet: 100112.2001@compuserve.com  CIX: ik *
*****************-----------------------------------*****************
*      LONDON                                         NEW YORK      *
*********************************************************************

------------------------------

Date: Sat, 01 Apr 95 23:45:33 -0500
From: Philip Niles
Subject: Re: Virus that screws up WFWG 32-bit disk access? (PC)

"The Radio Gnome" writes:

>>"The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There is
>>unrecognized disk software installed on this computer.

I had this message one day on my computer, which was running Windows 3.1. Turns out that both McAfee's Antivirus and F-Prot named the responsible virus as AntiExe, a virus I picked up from the infected boot sector of a floppy.

------------------------------

Date: Sun, 02 Apr 95 15:26:59 +0000
From: kkt@philabs.philips.com (Kim Kiat Tan)
Subject: VirusScan (PC)

I don't use VirusScan; this is a question posted on behalf of my friend. Here is the question:

Just now, I happened to scan the hard disk and found one of the files got the virus "1403". How it got there nobody knows. The file was there for some time already but so far O.K. There is no "cure" as stated by the scan programme. I have to delete the file. Luckily it is not an important file. Can you post to the net and see if anyone has got the cure for it?

Since I didn't use the program, my guess is that most likely it is just a virus that VirusScan does not know, so it groups everything under the number "1403", am I right? Or is there any other program that can detect it?

Thanks for any info.

- --
/------------------------------------------------------------------------------
DISCLAIMER : The above solely represents my view; it does not necessarily represent the view of Philips Laboratories.
*************************oO0----!!!!!---0Oo************************************/

------------------------------

Date: Sun, 02 Apr 95 12:23:53 -0400
From: shafto@aristotle.ils.nwu.edu (Eric Shafto)
Subject: F-prot (actually virstop) incompatibilities? (PC)

I've had two difficulties with virstop. I have four Leading Edge computers (go ahead, flame me, I didn't buy them :-) ), and only on those machines, Windows won't run with virstop. Freezes during the splash screen. The second is that there is a payroll package which locks up when virstop is loaded. No, virstop is not set to lock the computer when it finds viral activity. And there's no message from virstop, and f-prot reports that the computers are clean.

We're in the process of selecting an antivirus product, and I'd like to hear from people (a) if they've had similar problems (or even know a fix) with F-prot, and (b) if this is common with TSR antivirus programs, and I should be willing to live with it.

I called tech support with the first problem, they said they'd get back to me and never did.

Thanks in advance for any info.

------------------------------

Date: Sun, 02 Apr 95 12:28:55 -0400
From: nvo6538@vms2.tamu.edu (OCEPEK, NICHOLAS VAN)
Subject: Help, I can't get rid of B1 virus! (PC)

Hello, currently my computer is supposedly infected with the "B1" virus... I have F-Prot, and when I run it it claims that there is the B1 virus in memory.... When I run Virustop (sp?) it says, "THERE IS A VIRUS IN THE BOOT SECTOR OF THIS DISK!!!" and promptly locks up my computer.... If anyone could please E-mail me some suggestions or some good FTP sites where I could get some better virus-killer software I would VERY much appreciate it!! Also, MSAV failed to detect the virus at all....

Currently, there have been no symptoms of a computer virus on my computer except for these things: F-Prot stating there is, my hard drive locking up at odd times (this has happened 3 times over the space of three weeks) and when the hard drive locks up, it makes the oddest clicking sound I have ever heard, and once scandisk had to fix the FAT of my computer.... My computer system is as follows: DOS 6.2, 1 GB harddrive 10ms, P90... also, I've just reverted back to DOS 6.2 from Windows 95. Please e-mail me.....

Thank you
Nick Ocepek

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 33]
*****************************************