VIRUS-L Digest   Wednesday, 26 Apr 1995    Volume 8 : Issue 42

Today's Topics:

Viruses in binaries? Maybe.
Re: Write-protect media
OS/2 Viruses --- The Same As DOS ? ? ? (OS/2)
AntiVirus programs for UNIX (UNIX)
how do i find Courtney? (UNIX)
NATAS info needed! (PC)
Ripper Virus? (PC)
new virus TORNADO (PC)
Anti-virus program needed (PC)
Help with MBR Please! (PC)
Russian antiviruses. (PC)
Re: removing NATAS (PC)
Re: Monkey B virus (PC)
Re: Windows & McAfee 2.17 (PC)
Re: Which virus scanner is best? (PC)
The Havoc ][ Virus - A new virus? (PC)
Need help with NATAS (PC)
Re: NYB virus?and CLEAN.exe? (PC)
Has anyone had M's disappearing from Windows? (PC)
Monkey B virus (PC)
Virus in Flash ROM??? (PC)
Allocation??? (PC)
Common viruses (PC)
nVIR--can it lurk in Pram? (PC)
Re: Virus in Flash ROM??? (PC)
Re: A Known Virus? (PC)
Cleaning Magic Virus (PC)
Re: Virus in Flash ROM??? (PC)
Re: Strange Request (PC)
Partition table virus (PC)
Stealth virus source of infection (PC)
Anti Virus Policy (PC)
Report and Remedy req: $#@$! virus (PC)
Natas Virus (PC)
Re: LiXi (PC)
Re: Can a virus kill a hard drive? (PC)
Re: Cleaning DA'BOYS virus. (PC)
*.exe -> *._xe Virus? (PC)
Lamer's Virus on NetWare 3.12 (PC)
Re: Need an antivirus to remove boot-437 (PC)
New virus!!!!!?..weird... (PC)
Re: Software to archive boot sector viruses? (PC)
Re: Form Virus (PC)
Virus troubles. (Maybe) Need Help (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 20 Apr 95 19:53:33 -0400
From:    tom_van_vleck@taligent.com (Tom Van Vleck)
Subject: Viruses in binaries? Maybe.

>Frank Sofsky wrote:
>>There has been so much debate on whether or not a virus can come
>>from a binary picture file; I have read so many times that viruses can
>>only come from execute and command files; does anyone really have
>>the correct answer to this?

It's possible in theory. A bad guy could find a picture viewing program that doesn't check for ill-formed picture files, and create a picture file that tricks the viewer into executing data that happens to be a virus-inserting trojan. Nobody's seen one yet.

The fact that damaged data files will sometimes crash PC applications suggests that one can be written; these apps leave their normal execution sequence on some bad data, and might execute file data, given just the wrong data file.

This is a variation of the "fingerd" attack used in the Internet Worm and in recent attacks on UNIX HTTP servers. These too were thought to be only theoretically interesting, until somebody did them. Like the fingerd attack, such a trojan would be platform and viewer specific.

------------------------------

Date:    Thu, 20 Apr 95 20:03:25 -0400
From:    jmccarty@spdmail.spd.dsccc.com (Mike McCarty)
Subject: Re: Write-protect media

Don Di Tomasso wrote:
)Do some viruses affect write-protect disks? Is that possible?
)Don D.(dond@ix.netcom.com)

That depends.
If you are on a PC compatible type machine, and you mean write protected FLOPPIES, then the answer is no (unless your hardware is broken or modified).

If you are on an AMIGA or any of a few others, then the answer is definitely yes for write protected FLOPPIES.

If you have an add-on disc controller which allows write protecting your HARD DRIVE then the answer is no.

If you write protected your FILES on a PC compatible by marking them READ ONLY, then some viruses can damage them, and some cannot.

There are other possibilities.

Did I help?

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date:    Wed, 19 Apr 95 12:54:16 -0400
From:    CCAPASSO@ftmccoy-arrtc.army.mil
Subject: OS/2 Viruses --- The Same As DOS ? ? ? (OS/2)

Hello,

I am wondering if viruses that affect DOS environments can also affect OS/2 environments? I have not seen anything about this and I am just starting to use OS/2.

Thanks in advance.

Conrad =8-)

------------------------------

Date:    Wed, 19 Apr 95 13:09:04 -0400
From:    medapati@birch.ee.vt.edu (Suri Medapati)
Subject: AntiVirus programs for UNIX (UNIX)

Hi

Could anyone please tell me where I can get Anti-Virus programs for UNIX. Any help is greatly appreciated.

Suri

- --
- --------------------------------------------
Suri Medapati
1200 Hunt Club Rd. #800H
Blacksburg, VA 24060
(703) 552-4895
e-mail medapati@birch.ee.vt.edu
       medapati@digres1.dal.ee.vt.edu
- --------------------------------------------

------------------------------

Date:    Wed, 19 Apr 95 20:06:52 -0400
From:    Piratedog
Subject: how do i find Courtney? (UNIX)

please tell me how i can find and access Courtney. thanks

[Moderator's note: Courtney is a detection tool that detects TCP/IP network attacks such as the ones generated by the SATAN tool.
It is available from:

    ftp://ciac.llnl.gov/pub/ciac/sectools/unix/courtney/courtney.tar.Z

Please send follow-ups to this thread to comp.security.misc, or some other appropriate forum.]

------------------------------

Date:    Tue, 18 Apr 95 20:47:28 -0400
From:    al584103@academ07.mty.itesm.mx (SERGIO IVAN GONZALEZ GONZALEZ)
Subject: NATAS info needed! (PC)

I need info on the NATAS virus. The algorithm that detects it, the name of the man who programmed it (if available), the NATAS algorithm, where it allocates itself, what type of programs it damages... all the info possible, please. It would be of great help.

If someone wants to reply please do it privately to the following address:

al34425@umav01.mty.udem.mx

Ricardo Alcorta
al34425@umav01.mty.udem.mx

------------------------------

Date:    Wed, 19 Apr 95 01:56:28 -0400
From:    dono@unix.infoserve.net (Don Hitchen)
Subject: Ripper Virus? (PC)

My brother recently contracted the ripper virus on his computer at work. So far manifestations include not being able to open certain floppy disks. Does anyone have any information on this virus? Please email responses.

Dono
Vancouver, BC Canada

------------------------------

Date:    Wed, 19 Apr 95 09:34:50 -0400
From:    alex@hal.rhein-main.de (Alexander Lehmann)
Subject: new virus TORNADO (PC)

short summary of a new virus we noticed recently:

new virus TORNADO (named after the string TORNADO in the encoded part of the virus code)

detected april '95 in rhein/main area in germany
disassembled april 14, 1995

NOTE: original virus code is encoded.
features of TORNADO:

- - boot sector virus
- - infects floppy and hard disks
- - redirects only INT13
- - simple mutation algorithm for encoding/decoding routine
- - generation/infection count (offset 0x1a8) used for mutation
- - symptom: scrolls screen upwards
- - stores copy of original boot sector at the end of root directory (see below)
- - consumes 1 KB of DOS memory
- - simple stealth features
- - hangs on writeprotected disks until write successful

NOTE: we didn't infect our computer on which we disassembled the virus to verify this!

possible hazard (maybe unanticipated by author?):

the location to store the backup of the boot sector is track 0, side 0, sector 14 on hard disks, which is usually empty, since the first partition starts at track 0 side 1. However, if a non-DOS fdisk program is used to allocate the unused sectors on the first track (e.g. Linux fdisk), this will be within the fat of the first partition on the hard disk. This can probably in most cases be repaired by the usual disk tools. If the first partition is not DOS, other damage might occur (Linux ext2, hpfs etc.). Also, the virus wrecks Linux boot disks when they are accidentally accessed under DOS, however it will work with LILO, if a DOS partition is booted.

A string to detect the virus (regardless of mutation) is

    E82100E8FCFEE80E00CA02002EFF06A87DE81000

(e.g. with f-prot /user)

As with most boot sector viruses, it can be removed by booting from a clean disk and then executing fdisk /mbr, probably followed by chkdsk or scandisk. Diskettes should best be backed up (with xcopy, not diskcopy!) and formatted.

As for the history of this virus, it is not detected by the current versions of scan (2.2.0) and f-prot (2.17) (both were notified) so it is obviously new, but it may very well have existed for some time before it was noticed.
Up to now I didn't have a chance to quiz the person I got an infected disk from; since the virus apparently doesn't affect all graphic cards (Hercules seems to be immune), it may simply have flourished unnoticed.

bye, Alexander

- --
Alexander Lehmann   alex@hal.rhein-main.de (plain, MIME, NeXT)   | "On the Internet,
                    lehmann@mathematik.th-darmstadt.de (plain)   |  nobody knows
   http://www.rbg.informatik.th-darmstadt.de/~alexlehm           |  you're a dog."

------------------------------

Date:    Wed, 19 Apr 95 09:36:44 -0400
From:    wrich@relay.nswc.navy.mil (William G. Rich)
Subject: Anti-virus program needed (PC)

I have no experience with viruses or virus programs. Am looking for a "broad-spectrum" anti-virus program for PC. That is, a program that will catch the largest number of the devils. Recommendations are appreciated.

Thanks,
William

------------------------------

Date:    Wed, 19 Apr 95 11:50:53 -0400
From:    moseley@netcom.com (Bus Driver)
Subject: Help with MBR Please! (PC)

Hello all-

Here's a simple one. I'm running a dos/windows setup in a public location. There is no important info stored on it, that is, the system can easily be rebuilt from a backup.

Now the question. Say I get a virus in the MBR. Does the dos (v6.2) format command update the MBR? Or would I need to boot from a clean disk, then after I format C:, run FDISK/MBR before booting off C:?

I want to build an easy restore utility for this public location that will reformat and restore all files, but I want to make sure that all code gets replaced (including the MBR) to clean all possible viruses.

Thanks for your input!

BTW - I'll try to get back to this group to look, but I don't always have access to the newsreader. So I'd appreciate any posts cc: moseley@netcom.com.

Bill - moseley@netcom.com

------------------------------

Date:    Wed, 19 Apr 95 11:23:06 -0400
From:    Timofei.Tcherkasov@risc.uni-linz.ac.at
Subject: Russian antiviruses. (PC)

Hi, All!

There is an anonymous ftp site with Russian antivirus packages.
Russian, English and German versions are available.

If you are interested in it, look at ftp.kiam1.rssi.ru

Good Luck!

Tim.

------------------------------

Date:    Wed, 19 Apr 95 12:36:04 -0400
From:    "A.Appleyard"
Subject: Re: removing NATAS (PC)

> From: Brian Esp (GE)
> I heard you had the natas virus. I have the same thing- but I can't seem
> to get rid of it. I downloaded an anti-virus program and it detects the
> virus but can't clean it. Please let me know if you are able to fix it. if
> you want to if I fixed it, email me.

I found by trial and error that FDISK /MBR will remove NATAS from the boot sector. But given a file infected with NATAS, VET deletes the file, and SCAN looks at the file and does nothing with it.

------------------------------

Date:    Wed, 19 Apr 95 12:45:58 -0400
From:    powlesla@acs.ucalgary.ca (Jim Powlesland)
Subject: Re: Monkey B virus (PC)

Scott Clem wrote:
>I've had success with both Clean, Kill Monkey, and Norton Disk Doctor
>in removing various strains of the Monkey virus. I suspect the

McAfee's Scan 2.2.0 does not detect or remove the Monkey_B virus. F-Prot detects it but does not remove it. To remove it, I have successfully used Frisk Software's instructions for generic boot sector infections posted earlier.

- --
Jim Powlesland                    | OFFICE:  403-220-7937
Micro Services, UCS               | MESSAGE: 403-220-6201
University of Calgary             | FAX:     403-282-9199
Calgary, Alberta CANADA T2N 1N4   | URL: http://www.ucalgary.ca/~powlesla

------------------------------

Date:    Wed, 19 Apr 95 14:00:09 -0400
From:    kellogg@netcom.com (Lucas)
Subject: Re: Windows & McAfee 2.17 (PC)

McAfee's TSR, VShield, will not work properly with Windows running in 32 bit access. We are addressing the issue by writing a VXD driver that will not require a TSR. It should be out sometime this summer.

Kelly Lucas
McAfee Inc.

Iolo Davidson (iolo@mist.demon.co.uk) wrote:
: mrowan@coventry.ac.uk "---GEORDIE---" writes:

: > Does Mcafee have problems with 32 bit access???
: Windows 32-Bit file access (not disk access) will disconnect many
: TSRs that rely on intercepting interrupt 21h. This is because
: Windows does not use DOS for disk i/o under 32-Bit file access.

: > If so can this be fixed???

: Sure it can. One product that has a fix for this problem is Dr.
: Solomon's (I wrote it) (not Dr. Solomon's, the fix).

------------------------------

Date:    Wed, 19 Apr 95 14:25:32 -0400
From:    weissel@moon.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: Which virus scanner is best? (PC)

Andrew James Taylor (TAYLORA@caedm.et.byu.edu) wrote:
>I recently downloaded InVircible. I also have McAfee's latest Scan. Which is
>better, ie. more effective and safer? I've heard both ways, or is there
>something else I should have? Thanks in advance for any information.

better? NONE. I think IMNSHO both are not worth the diskspace, and the time they need, since there are programs like TBAV, AVP and F-Prot available (this is not a rating if I list them in this order). They are all shareware - F-Prot is even free for non-commercial single users(!!) - and more reliable. Less false alarms - especially from (FAKE) viruses in 'virus tests'. They get almost any known viruses and some unknown as well. So the chance that one slips through (if you use a CLEAN bootdisk) is almost nil.

All but the producers of InVircible agree that it is wise to use more than one good scanner - to update them often - and to make backups. But if you have any valuable data, use other methods (Integrity scanners, behavior monitors) as well. (some are in the TBAV package as well)

- - Wolfgang

------------------------------

Date:    Wed, 19 Apr 95 14:29:05 -0400
From:    hoy@falcon.bgsu.edu (Jim Hoy)
Subject: The Havoc ][ Virus - A new virus? (PC)

Our site is infected with (apparently) a rather new virus. We have called the virus by the name of "The Havoc ][ Virus", because that's what it calls itself in its code.
It is not detected by F-Prot, nor is it identified by any of the other virus detection programs we have tried. A couple of the programs know something's wrong after a computer has been infected, but don't identify or protect against the virus.

Here's what we have observed about the virus so far:

After a hard drive has been infected:

The machine appears to run normally until it is booted from a floppy disk that is not infected with the virus. However, as soon as you boot the machine from a non-infected floppy disk, various problems become apparent, such as:

- -The system will not recognize drive C:.
- -The hard drive Master Boot Record has been changed.
- -The hard drive partition table is sometimes corrupted.
- -The machine can usually still be booted from drive C:.

As a quick check to see if a machine is infected, one can use the DOS MEMory command and see if CONVENTIONAL memory is 635K TOTAL rather than the 640K TOTAL that it should be. (The numbers may be different for different machine configurations, but you get the idea.) If 5K appears to be missing, the machine is probably infected.

We suspect that the virus attacks the MBR first, and then at a later time corrupts the hard drive partition table. When the partition table is corrupted, FDISK shows it as being a single **non-DOS** partition, typically with a length of zero bytes.

What it is:

The Havoc ][ Virus is a master boot record virus. It infects systems by reducing conventional memory by about 4.5K bytes and placing part of itself (the large payload) in that memory. It hides itself on disk by intercepting an operating system interrupt known as INT 13, which services disk and diskette operations. It appears to be either a member of the stealth boot sector viruses, or very similar. It is quite similar in some respects to the PMB virus recently observed at our site. The PMB virus was found and removed by the F-Prot anti-virus software, though F-Prot cannot, as yet, detect or correct Havoc ][.
What it does:

When the Havoc ][ virus receives control at the time an infected hard disk or floppy disk is booted from, it places itself in Random Access Memory (RAM), where it takes over certain functions of the computer. The computer RAM remains infected until it is rebooted from a "clean" floppy diskette or "clean" hard disk. While a computer is infected, a copy of the virus also frequently resides on the hard disk.

The virus appears to be designed so that once in a while (with a *probability* of 1/600) it will wipe out all of a large (such as 1.44 MB) floppy disk or much of a hard disk, making either unusable. This appears to occur when the computer's clock happens to be set at the very specific times (right to the second) of 00:00, 10:00, 20:00, 30:00, 40:00, or 50:00 (minutes:seconds) past any hour, at the time the machine is rebooted. The virus otherwise continues with less destructive activities.

It appears that infected computers will infect floppy disks (if they are not write protected) very quickly (usually every time). When "clean" systems are booted from an infected floppy diskette, the virus is always loaded into RAM from the floppy, but it isn't as clear how often the virus code that gets loaded into RAM proceeds to corrupt the hard drive.

Also, once a computer hard drive is infected by the Havoc ][ Virus, if the computer is booted from a floppy disk, another part of the virus needs to be loaded from an *infected* floppy disk each time the computer is booted, in order to put all the pieces of the virus together so the infected computer will be able to operate (of course, under control of the virus). If you boot an infected computer from a *non-infected* floppy disk, the computer will usually not be able to find the C: drive, since the virus will not be activated in RAM to tell the computer where it (the virus) has hidden the C: drive information.

On diskette, the virus writes some of its information at the end of the diskette.
If any information was already stored there, it is replaced by the virus information. If, for example, that information is part of a file which exists at the end of the diskette, there are two implications. First, that particular part of the file is overwritten by the virus information and is lost. Second, if that particular information (belonging to the virus) in the file is changed, the virus (and the computer being booted) will probably be made inoperable when the changed information gets loaded into the computer as the computer boots from the floppy disk. This happens because the (now corrupted) virus information (that the infected computer needs when booted from that floppy disk) is now useless for making the infected computer operate.

This virus has infected a great many of our IBM and compatible computers at this University, disrupting classes, and doing essentially what the author must have wanted, --creating havoc!!

Is anybody familiar with this virus? Are there any scanners able to identify this virus and disinfect both computers and floppy disks?

Any help or comments would be greatly appreciated! Thanks.

Jim

- --
Jim Hoy, Computer Security Administrator
University Computer Services     | hoy@BGNet.bgsu.edu
Bowling Green State University   | Ph.  419-372-7752
Bowling Green, OH 43403 USA      | Fax  419-372-7723

------------------------------

Date:    Wed, 19 Apr 95 14:40:08 -0400
From:    1
Subject: Need help with NATAS (PC)

how do i get rid of the NATAS virus that resides in memory. i think i have a clean boot disk, but i am still having problems. i have mcafee anti-virus ver 2.221. it recognizes the virus, but wont clean it. if anyone has answers, please email me or post them here. also, running the scan from windows wont recognize it, it is only recognized when i boot up.

------------------------------

Date:    Wed, 19 Apr 95 14:44:45 -0400
From:    1
Subject: Re: NYB virus?and CLEAN.exe? (PC)

On 14 Apr 1995, Tom Scriggins wrote:

> I'm looking for a new version of clean.exe that might
> get rid of the NYB virus?
> Also does anyone know anything about NYB?
> Please E-mail to exutpsc@exu.ericsson.se any info.

I do not really know much about the virus since I just found it, but any help getting rid of the damn thing would be helpful, since it resides in memory and mcafee sees it but does not fix it.

------------------------------

Date:    Wed, 19 Apr 95 16:20:58 -0400
From:    jcooper@unb.ca
Subject: Has anyone had M's disappearing from Windows? (PC)

I install Novell on P.C.'s at work and lately I've found that files beginning with the letter "m" seem to be disappearing or getting corrupted in the Windows directory. It seems as if it may be a virus of some sort. Has anyone heard of this before?

------------------------------

Date:    Wed, 19 Apr 95 16:39:48 -0400
From:    Iolo Davidson
Subject: Monkey B virus (PC)

sclem@utkux1.utk.edu "Scott Clem" writes:

> You need to scan ALL of your
> disks before re-inserting them into the drive.

I don't think you meant to say this, quite.

- --
JUST THIS ONCE FINISH AND JUST FOR FUN WHAT WE'VE BEGUN WE'LL LET YOU ? ? ?

------------------------------

Date:    Wed, 19 Apr 95 17:25:14 -0400
From:    Iolo Davidson
Subject: Virus in Flash ROM??? (PC)

a148poon@cdf.toronto.edu "Poon Jacob Tin Hang" writes:

> Is it possible that a virus attacks flash ROM memory and make
> antiviral apps impossible to remove this kind of virus (even with
> emergency disks)?

It is possible for a virus to be written to infect flash BIOS, but it is not likely and I have not heard of one that does so. I have, however, heard of an existing virus (but not seen it or analysed it myself) which corrupts flash BIOS memory as its payload.

> After all, if a bios upgrade program can patch ROM
> area, so does virus.

Certainly possible.
I believe there is no standard for how flash BIOS is programmed, though, so viruses that try to do this will not work all the time on all computers.

> I did not find this answer in FAQ and never heard of it.

The FAQ requires updating. The issue was discussed on some forum or other a while back, but I can't remember if it was in here. I reported on it in a Guardian newspaper article a year or more ago.

> I am planning to use motherboards with flash ROM support
> but I don't know the risk of doing so.

To be safe, they should be fitted with a hardware write-enable switch which needs to be moved by hand before the flash memory can be altered. I don't know of any that are. Manufacturers have ignored warnings from the anti-virus community on this. Apparently *all* laptops now use flash BIOS.

- --
JUST THIS ONCE FINISH AND JUST FOR FUN WHAT WE'VE BEGUN WE'LL LET YOU ? ? ?

------------------------------

Date:    Wed, 19 Apr 95 17:23:55 -0400
From:    Iolo Davidson
Subject: Allocation??? (PC)

James@stega.smoky.ccsd.k12.co.us "JAMES PAK" writes:

> Hi. I think I have a virus, I don't.
> but any of my virus checkers can't detect
> it. From time to time, I get file allocation errors if I type
> "chkdsk."

This typically happens when someone turns off or reboots the computer while an application (or Windows) is still running, with files still open. Also when an application program hangs or crashes, and you are forced to reboot.

> I hope I find a cure for this virus like problem.

No complete cure exists.

- --
JUST THIS ONCE FINISH AND JUST FOR FUN WHAT WE'VE BEGUN WE'LL LET YOU ? ? ?

------------------------------

Date:    Wed, 19 Apr 95 17:35:00 -0400
From:    Iolo Davidson
Subject: Common viruses (PC)

bill.lambdin@woodybbs.com "Bill Lambdin" writes:

> I hope all of the A-V developers to at least agree on one name
> for the common viruses.

Yeah, but some of these guys won't even speak to each other.

- --
JUST THIS ONCE FINISH AND JUST FOR FUN WHAT WE'VE BEGUN WE'LL LET YOU ? ? ?
------------------------------

Date:    Wed, 19 Apr 95 17:45:52 -0400
From:    "Mark C."
Subject: nVIR--can it lurk in Pram? (PC)

I'm posting for a friend who had Virex detect nVir on her powerbook. The store tech. had trouble reformatting the drive and thinks that (possibly) nVIR could be lurking in P-ram, causing problems, or it could be a hardware thing. We haven't found any traces of the virus on her 3.5 disks using disinfectant 3.5.

questions for the cognoscenti:

1) Is it possible that the corruption on the hard drive was/is a hardware problem and the nVIR alert was false?

2) can nVIR, or any other virus, exist in P-ram (I don't even know what p-ram is, incidentally)

We're concerned because she was using faculty computers, all equipped with disinfectant.

Any help would be appreciated.

Mark Crane
Portland State University

------------------------------

Date:    Wed, 19 Apr 95 21:14:55 -0400
From:    jsinger@netaxs.com (Josh Singer)
Subject: Re: Virus in Flash ROM??? (PC)

Poon Jacob Tin Hang (a148poon@cdf.toronto.edu) wrote:
: Is it possible that a virus attacks flash ROM memory and make
: antiviral apps impossible to remove this kind of virus (even with
: emergency disks)? After all, if a bios upgrade program can patch ROM
: area, so does virus. I did not find this answer in FAQ and never
: heard of it. I am planning to use motherboards with flash ROM support
: but I don't know the risk of doing so. Any comments/suggestions are
: welcome.

Yes, it has already been written. Check out VLAD issues #1-3 as code is present with explanation. If you cannot find the VLAD issues, mail me, I'll get you the articles.

spoonman@cyberspace.org

------------------------------

Date:    Wed, 19 Apr 95 21:44:46 -0400
From:    cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: A Known Virus? (PC)

craigewert@delphi.com writes:
>Ken Solomon writes:
>
>>Symptoms: On boot their computers no longer recognize the hard drive.
>>(On DOS based machines.) They would appreciate any help.
>
>Ken - I am not an expert in this by any means, but it sounds to me as though
>the master boot record and/or the partition tables have been messed with.
>You should be able to fix the mbr using the FDISK /MBR option of dos, if it
>is only a DOS pc (I doubt it will work if you are using multi-OS boot sector).
>Or, if you copied the boot sector and partition data to a data file, you
>may be able to copy them back (? real unsure on this).

If "on boot their computers no longer recognize the hard drive," DON'T DO "FDISK /MBR"!!!!!!

If you do, you will have a much harder time cleaning up your mess. But if you already have, get a copy of a disk repair utility and call their support line. [Sorry, can't specifically endorse a competitor's product. :-)]

If you haven't, there are two viruses going around today with that as a primary symptom, Monkey and Urkel. [Obligatory "Endorse own associated product here".] Actually, there's a couple variants of Monkey running around. And since a lesson to be learned from the message I've quoted is that you better get a second opinion before acting on the first you get, you might wish to get more information on this too before acting.

Jimmy
cjkuo@mcafee.com (That's right, I'm no longer with...)

------------------------------

Date:    Wed, 19 Apr 95 22:16:49 -0400
From:    Savini@ix.netcom.com (Irene Savini)
Subject: Cleaning Magic Virus (PC)

Does anyone have a method of cleaning the "magic" virus. McAfee identified the virus but could not clean it. It appears to be a boot virus that affects the partition table. Please help!!

------------------------------

Date:    Wed, 19 Apr 95 23:04:26 -0400
From:    cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: Virus in Flash ROM??? (PC)

Poon Jacob Tin Hang writes:
>Is it possible that a virus attacks flash ROM memory and make
>antiviral apps impossible to remove this kind of virus (even with
>emergency disks)? After all, if a bios upgrade program can patch ROM
>area, so does virus. I did not find this answer in FAQ and never
>heard of it. I am planning to use motherboards with flash ROM support
>but I don't know the risk of doing so. Any comments/suggestions are
>welcome.

It is possible to attack flash ROM memory if the system does not have a physical switch you have to throw to update the flash ROM.

It is not possible for a virus to prevent its own removal. Might be hard to... But not impossible.

However, no virus successfully infects flash ROM now. And thus no AV tries to remove stuff from there. (Yes, I've heard of Meningitis.) But as soon as one does, a remover for it will appear.

A general comment would be, if you have to use flash ROM systems, choose one that also requires human intervention before you can actually update the flash ROM, hopefully of a physical nature (a jumper maybe).

Jimmy
cjkuo@mcafee.com

------------------------------

Date:    Thu, 20 Apr 95 04:03:42 -0400
From:    ischlang@ix.netcom.com (IRV SCHLANGER)
Subject: Re: Strange Request (PC)

iolo@mist.demon.co.uk (Iolo Davidson) writes:

> dylan@wam.umd.edu "Dylan J. Greene" writes:
>
>> I've been asked if there is any anon ftp sites where a user could
>> download/upload viruses. My first feelings were "I hope not!" but
>> then I thought about the many virus protection developers. How do
>> they get samples of the latest viruses?
>
>Mostly from customers and from each other. Sometimes they are
>sent them by show-off virus writers. There has to be
>considerable trust before anti-virus researchers will exchange
>research material with anyone.
>
>> Stemming off the first question is this one: Is there a such
>> thing as a virus that is not harmful
>
>Most viruses are not deliberately harmful, but they still cause
>trouble (since no one is sure that any particular virus is
>harmless) and consume resources. Some cause damage without
>meaning to, due to bugs or compatibility problems.
>
>> (aka possibly helpful)?
>
>Not the same thing.
>
>> What if a TSR
>> was implemented as a virus, such as antivirus software that could
>> "spread" causing any program it came in contact with to possess the
>> ability to know if it had a virus before executing (or modified in
>> suspicious ways).
>
>The last 42 times this subject was raised, the consensus was that
>there is no reason to implement any beneficial program as a
>virus, and many reasons not to do so.

I agree with your statement. There is however, one TSR program that I happened to see advertised (in "Corporate Security" Magazine) that looked very interesting. The TSR would periodically dial out, via the internal modem, to the TSR manufacturer's office, login and give the office the serial number of the computer. If the computer was reported as stolen a phone line trace would begin. It looked like a good way to curb theft, or recover stolen computers, as long as the thief connects the modem....

------------------------------

Date:    Thu, 20 Apr 95 04:48:34 -0400
From:    ug201am@sunmail.lrz-muenchen.de (Christian)
Subject: Partition table virus (PC)

Hello,

I have one question: How can it be that a virus resides in the partition table? I cannot imagine how the mechanism could be, because a partition table is only a data area and it is not executed like a program.

Thanks for enlightenment,

Christian

_________________________________________
Christian Brunner
brunner@informatik.uni-muenchen.de
_________________________________________

------------------------------

Date:    Thu, 20 Apr 95 06:24:21 -0400
From:    keiths@sydney.DIALix.oz.au (Keith Sutherland)
Subject: Stealth virus source of infection (PC)

Can you tell me if there is a common source for the IBM PC Stealth Virus. We had a small contained attack this week and cannot work out where it came from. You see we don't have a network so Floppy Disk is the only possible way. Is there a known game, for example, that contains this virus?

Cheers.
- --
- ---------------------------------------------------------------------
Keith Sutherland                        keiths@sydney.dialix.oz.au
PO Box 751                              Phone 61 2 255 0600
North Sydney NSW 2059                   Fax   61 2 255 0640
Australia
- ---------------------------------------------------------------------

------------------------------

Date: Thu, 20 Apr 95 08:27:22 -0400
From: bpmsndai@sam.neosoft.com (Russell W Hegler)
Subject: Anti Virus Policy (PC)

I have been asked to write an anti-virus policy and set up an anti-virus
detection and cleaning system. We have 15 individual PCs, 2 are hooked to
the net and a lot of sneaker netting occurs throughout the office.
Presently we have McAfee 2.2 for Windows.

What software is recommended? Any special way to set the software up (on
boot, or ?) How often should the system be scanned? Diskettes?

If anyone has a policy at their company and is willing to share it,
please post or email me.

Thanks

------------------------------

Date: Thu, 20 Apr 95 09:09:19 -0400
From: wmono@Direct.CA (William Ono)
Subject: Report and Remedy req: $#@$! virus (PC)

******)))))) Please FOLLOWUP to this article as my email box is
nonfunctional at this point in time! ((((((******

I believe what I have is indeed a virus. My system is a 486DX2/66 running
MS-DOS 6.22 and Windoze 3.1 with an AMI BIOS dated 11/12/92 (not Flash
BIOS). I am also running Linux under UMSDOS (but this has worked cleanly
since I got it about a year and a half ago directly from sunsite). My hard
drive is a WD 340mb IDE drive. I also have two floppy drives (3.5-1.44 and
5.25-1.2) and a 230 M/O (SCSI) and also a NEC CDR36 CD-ROM (SCSI). I have
other items, however since they do not appear to be relevant, I won't list
them here.

I've noted the following symptoms:

- - MBR keeps changing
- - Filenames are renamed, with one character off by one letter (eg
    COMMAND.COM -> COMLAND.COM, MSDOS.SYS -> MSDNS.SYS). These changes are
    constant - every time, MSDOS.SYS is renamed to MSDNS.SYS and then
    corrupted.
    Same with the other files. Sometimes more than one change is made per
    filename. Most occurrences of "A" are changed to "@"
- - FAT tables are destroyed beyond any repair
- - Any reads made to any part of the hard drive are immediately followed
    with a write to that area (or at least it did so whenever I was able
    to observe it)
- - Reads from DOS respond with FAT table error, Sector not found, or
    General Failure.

There may be more, but those are the ones I noticed mostly.

This is what I have done so far to try to eliminate the problem:

- - Scanned hard drive with SCANDISK (and thoroughly killed all remaining
    files)
- - Scanned several times with CHKDSK (and scrambled the garbage remaining)
- - Attempted to run MSAV, file corrupted (like it would do any good anyway)
- - Was unable to get any decent virus scanning software
- - Rebooted with a clean boot disk
- - Copied files (which turned out to be nothing more than random bit
    patterns) to disks marked with Virus Warning!.
- - Rebooted with clean boot disk, then formatted the hard drive with DOS
    FORMAT.
- - Did a complete cold boot (turned off computer) and formatted using
    BIOS setup
- - FDISK'ed and then FORMATted
- - Drained CMOS battery to 0.5 volts (this motherboard has the battery
    soldered in)
- - Re-entered all setup values into Setup
- - Reformatted hard drive from Setup
- - FDISK/FORMAT
- - Drained CMOS again
- - Copied a new boot disk with necessary software, then booted with it
- - FDISK'ed and FORMAT'ed.

And here I am now. I'm writing this on my Mac, because as you may be able
to tell, my PC is out of commission. If anyone is able to lend me a hand,
I would be most grateful. I don't know where I got this bugger from.

Thank you for any help,

William Ono
wmono@direct.ca

******)))))) Please FOLLOWUP to this article as my email box is
nonfunctional at this point in time!
((((((******

------------------------------

Date: Thu, 20 Apr 95 12:29:38 -0400
From: adbryan@onramp.net
Subject: Natas Virus (PC)

Does anyone have any info on the Natas and Natas.boot viruses? I have a
customer that has this. I found and cleaned it with McAfee 2.2.0. MSAV did
not detect this virus. I understand it is new. What does it do other than
screw up the boot sector of floppies?

Thanks in advance,

Alan Bryan
adbryan@onramp.net

------------------------------

Date: Thu, 20 Apr 95 12:42:23 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: LiXi (PC)

"Dale S. Tucker" writes:

>Date: 13 Apr 1995 11:45:01 -0000
>Looking for information on the LiXi virus... where it came from & how to
>detect

LiXi is *probably* one of the AntiCmos variants. At least one of them
contains the text 'I am Li Xi Bin'.

------------------------------

Date: Thu, 20 Apr 95 12:57:22 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: Can a virus kill a hard drive? (PC)

mcdonald@gate.net (John McDonald) writes:

>He said the monkey virus (and derivatives) muck with the partition table,
>and can leave it screwed up such that it can't be reconstructed.

Ah, sorry. Monkey is trivial to remove with the correct software. Most of
the up to date scanners can easily do this. While it is certainly possible
to screw a partition table so badly that your data is either lost or
difficult to recover, Monkey, or at least the current versions, don't do
this.

------------------------------

Date: Thu, 20 Apr 95 13:07:19 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: Cleaning DA'BOYS virus. (PC)

awitas@ix.netcom.com (Adam Witas) writes:

>Date: 13 Apr 1995 11:45:09 -0000
>I am in serious need of a virus scanner or cleaner that will kill
>DA'BOYS virus on my PCs at home and at work. I heard that Norton has
>such a scanner, but I have no idea where to get it. Does anyone have (or
>know how to get) a scanner that will kill this virus?
Da'Boys *overwrites* the DOS Boot Record (DBR) on a hard drive, rather
than *moving* it. This means that a scanner cannot simply kill it by
moving the correct DBR back. If your current a-v program was not smart
enough to keep its own copy of the DBR, or if you didn't have an a-v
installed, then you need to:-

For your hard drive:-

(1) Backup your data (just to be safe)
(2) Boot clean (from the same version of DOS which is on your system), and
(3) Sys the drive.

For your floppies:-

(1) Copy your data off
(2) Format the floppies

Good luck.

------------------------------

Date: Thu, 20 Apr 95 13:15:56 -0400
From: umkroe26@cc.UManitoba.CA (John Christopher Kroeker)
Subject: *.exe -> *._xe Virus? (PC)

I've noticed that many of my files (about 50 on one drive alone) have a
copy of themselves which are only 77 bytes long and have one letter
renamed. Eg:

fips.exe
fips._xe   <- this file has system and read only attrib. and is 77 bytes
              long (as are the rest like this)

Some of the files come in pairs like the one above and others just have
the *._xe file. Sounds like a virus to me. I noticed this when I was
moving all files from one drive to a new drive. I've checked the drives
with f-prot 2.17 with no warning/messages.

System: 386 SX 40, 8 megs ram, SB-Sound card/CD ROM, 2 disk drives
(1080MB WDC AC31000H, 340MB Samsung SHD-3172A (Appollo-3) AD). The above
drive1 (WD) uses a BIOS overlay to utilize an IDE controller card with
the >528MB drive. MS-DUS6.2, Win3.1 etc, etc.... If any more info will
help, I'll post it.

If anyone can figure this out or has heard of this before, I'd be *very*
grateful!
/////////////////////////////////////////////////////////////////////////////
//                              ~                                          //
//                            SWEET                                        //
//                                                                         //
//                              ~ umkroe26                                 //
/////////////////////////////////////////////////////////////////////////////

------------------------------

Date: Thu, 20 Apr 95 15:02:36 -0400
From: Brian Rowe
Subject: Lamer's Virus on NetWare 3.12 (PC)

To all:

I regularly update NAV 3.0 on a number of workstations with the monthly
updates from Symantec. Up until 2 months ago (30a16.zip), everything was
fine. However, the last two updates Symantec has uploaded have wreaked
havoc on these workstations. Basically, the workstations are fine when off
the network (NetWare 3.12), but after they log on and run NAV, they
receive a "Lamer's Virus" message and lock up. I've checked the server
with 2 virus checkers (all current) and found nothing. Also, this only
occurs to SOME workstations, not all (there does not seem to be a pattern
with the affected workstations).

Has anyone had a similar problem with recent updates? My next step is
calling Symantec, but I'm interested if anyone else has had this happen to
them.

Thanks,
Brian Rowe (browe@panix.com)

------------------------------

Date: Thu, 20 Apr 95 19:07:29 -0400
From: "Lic. Jose Anaya P."
Subject: Re: Need an antivirus to remove boot-437 (PC)

oscom@yarrow.wt.uwa.edu.au (OSCOM International) wrote:
>
> I have detected a Boot-437 virus on my boot sector using f-prot.
> Unfortunately f-prot can only detect the virus. Can anyone point me to
> the right direction as to how I can get rid of this virus without
> having to reformat my hard drive
>

Boot from a clean diskette with the same DOS version on the HD and type
SYS C: from the prompt line. That's it. This virus is not an MBR virus but
a boot sector one, so it should be quite easy to get rid of it. The Boot
437 does not do any harm as far as I know. It will only replicate itself.
Good Luck

------------------------------

Date: Thu, 20 Apr 95 19:47:09 -0400
From: K12MASKA@vaxc.hofstra.edu
Subject: New virus!!!!!?..weird... (PC)

Can anybody help me out? I think, actually I know, that I have a virus
that has infected my computer. I used the latest version of McAfee and no
luck. These are the symptoms so far:

1) every so often no matter where I am or what program I'm running,
   obscene words pop up on the screen next to the cursor.
2) sometimes whole strings pop up....some that I've come across are:
   1. "Long live ddt!!"
   2. "DDt will never die!"
3) sometimes the system out of nowhere clears the screen and 'hehehehehhe'
   comes up and the system either reboots or hangs on me.

I really want to get rid of this problem. Any help will be appreciated.

ps. I have a file that is certain to contain a copy of the virus. If
needed ask..or can one tell me where I can send it to receive help?
k12maska@hofstra.edu.

------------------------------

Date: Thu, 20 Apr 95 19:55:57 -0400
From: jmccarty@spdmail.spd.dsccc.com (Mike McCarty)
Subject: Re: Software to archive boot sector viruses? (PC)

Woody wrote:
)I have a collection of viruses and up until this point it has only been
)executable files because they can be safely kept. I have heard that
)with boot sector viruses you can keep them safely by copying the boot
)sector to a file. Does anyone know an easy way to do this. I am
)looking for either some software that will copy the boot sector or a
)method to do it. Any help appreciated.

[insert infected floppy in A: drive]

C>debug virus.bin
- -l 100 0 0 1
- -rcx
[some number]: 200
- -w
[message about 200 hex bytes being written]
- -q
C>

You now have virus.bin with a captured virus in it.
Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 20 Apr 95 22:18:23 -0400
From: jyao@hawk.depaul.edu (Jason Yao)
Subject: Re: Form Virus (PC)

JLINDER@ccmail.turner.com (Jack Linder) wrote:
>I got hit with the Form virus. More specifically, Intel's VSAND reports it
>found virus 'Form' in the boot sector.
>
>I think I have it cleaned out, and am scanning all disks/floppies, etc,
>but I have a question.
>
>What does this virus do, how sure should I be that I got it out? (Scanners
>show it to be cleaned out).

If you ever start up Windows after getting infected, your Windows might
lock up at start-up time even after you clean it out. The only way around
is to copy about four files under the Windows directory from a clean
source.

------------------------------

Date: Thu, 20 Apr 95 22:28:17 -0400
From: CTL0922@sruvm.sru.edu (Carlos)
Subject: Virus troubles. (Maybe) Need Help (PC)

I work in a computer laboratory in my university's library. About a month
ago we were using simply Microsoft Anti-Virus. Then we discovered that our
workstations were infected with the Empire.Monkey virus. We switched
protection programs to F-prot ver. 2.16 to stop the monkey virus.

Recently, we have been having problems with students using WordPerfect.
More and more frequently, students' disks are being "scrambled". The
student will save a file, then without even exiting, do a LIST command and
see a disk full of different file names. If viewed, the files are a
strange garble of ascii characters, fragments of the files the student
previously saved.

Does anyone have any experience with a similar problem, or have any
information they could share? If this is a virus, it would be best if the
university could get the problem corrected before the students leave for
summer break and spread the virus around in their hometowns...
Thank you,
Carl Lozar (CTL0922@sruvm.sru.edu)

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 42]
*****************************************
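Editor's added example, not part of the digest and not any poster's code. It ties together three threads above: Christian Brunner's question of how a virus can "reside in the partition table", William Ono's "MBR keeps changing" symptom, and Mike McCarty's DEBUG recipe for copying a boot sector to a file. The partition table really is only data, but it shares sector 0 with 446 bytes of boot code that the BIOS loads to memory and jumps to; a "partition table virus" lives in that code region, with the 64-byte table left as data behind it. The Python below builds a constructed 512-byte sector in memory (no real disk is touched), parses the four partition entries and the 55AA signature, archives the sector to a file with its SHA-256 beside it, and compares a later read against that baseline, reporting whether the code region, the table or the signature changed. The function names, the sample partition values and the sector.bin / .sha256 file names are my own assumptions.

```python
"""Inspect, archive and baseline-check a 512-byte MBR / boot sector.

Layout of sector 0 on a PC disk:
  bytes   0-445  boot code   (BIOS loads the sector at 0000:7C00 and jumps here)
  bytes 446-509  4 x 16-byte partition entries (data only, never executed)
  bytes 510-511  boot signature 55 AA
"""
import hashlib
import os
import struct
import tempfile

SECTOR_SIZE = 512
CODE_SIZE = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"


def build_sample_mbr():
    """Constructed sample sector (not a real disk image): a 2-byte 'jmp $'
    stub padded with NOPs as boot code, one bootable FAT16 entry, three
    empty entries and the signature.  Values are assumptions for the demo."""
    code = b"\xeb\xfe" + b"\x90" * (CODE_SIZE - 2)
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\xbf\xff", 63, 700000)
    table = entry + b"\x00" * (16 * 3)
    return code + table + SIGNATURE


def parse_mbr(sector):
    """Split a sector into code, in-use partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_SIZE, len(sector)))
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype != 0:                       # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"code": sector[:CODE_SIZE],
            "partitions": parts,
            "valid_signature": sector[510:512] == SIGNATURE}


def sector_hash(sector):
    return hashlib.sha256(sector).hexdigest()


def archive_sector(sector, directory=None):
    """Write the raw sector to <directory>/sector.bin (a temp dir if none is
    given) plus a .sha256 file, and return the path.  This is the same step
    DEBUG's 'w' performs in the digest, with the hash recorded alongside."""
    directory = directory or tempfile.mkdtemp(prefix="mbr-")
    path = os.path.join(directory, "sector.bin")
    with open(path, "wb") as fh:
        fh.write(sector)
    with open(path + ".sha256", "w") as fh:
        fh.write(sector_hash(sector) + "\n")
    return path


def load_sector(path):
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def diff_mbr(baseline, current):
    """Compare a freshly read sector with the archived baseline.  A change
    confined to the code region (table intact) means the boot code was
    replaced; a changed table means the partition entries themselves were
    rewritten.  A missing 55AA makes the BIOS refuse to boot the sector."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "code_changed": b["code"] != c["code"],
        "table_changed": baseline[PART_TABLE_OFFSET:510] != current[PART_TABLE_OFFSET:510],
        "signature_ok": c["valid_signature"],
        "hash_changed": sector_hash(baseline) != sector_hash(current),
    }


if __name__ == "__main__":
    good = build_sample_mbr()
    path = archive_sector(good)
    print("archived to", path, "sha256", sector_hash(good))
    for p in parse_mbr(good)["partitions"]:
        print("partition %d: type 0x%02x bootable=%s lba=%d sectors=%d"
              % (p["index"], p["type"], p["bootable"], p["lba_start"], p["sectors"]))
    # simulate the boot code being replaced while the table is untouched
    later = bytearray(load_sector(path))
    later[0:3] = b"\xfa\x33\xc0"
    print("diff vs baseline:", diff_mbr(good, bytes(later)))
```

On a real machine the baseline would be taken once from a known-clean disk (a raw read of sector 0 through whatever interface the OS offers) and re-read on every boot or scan; `diff_mbr` then separates the two symptoms the posters describe: boot code silently swapped under an intact table, versus a table that itself has been rewritten.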