VIRUS-L Digest   Friday, 28 Apr 1995    Volume 8 : Issue 46

Today's Topics:

    April issue of The Scanner
    AOL Virus, a New Take?
    Would like to increase virus knowledge
    Virus hoax listing
    Re: Anti - Virus to scan ZIP files?
    Re: F-PROT detects "Circular Infection" (PC)
    Re: Monkey B virus (PC)
    Re: AntiCMOS Cleaner ?? (PC)
    Re: Crazy Boot Virus (PC)
    Re: Virual Code B, How do I get rid of it (PC)
    Re: NATAS? (PC)
    Re: "SW Error" - is this a virus? (PC)
    Re: *.exe -> *._xe Virus? (PC)
    Re: hllo.wonder (PC)
    Re: F-Prot 2.17 fails Mcafee 2.2.1? (PC)
    Re: D2/DH2 behaviour (PC)
    Re: Partition table virus (PC)
    Re: Form virus (PC)
    Re: NATAS Background? (PC)
    Re: Help with MBR Please! (PC)
    Re: F-PROT detects "Circular Infection" (PC)
    TSR to scan all floppy disk activity? (PC)
    Re: Hardware Virus Protection - EMD Armor Plus (PC)
    Re: Piggybacking and memory scanning (PC)
    Tai Pan Virus (PC)
    Re: Stealth virus source of infection (PC)
    RE: Why FORMAT does not remove Beijing virus? (PC)
    Re: Need help selecting virus softwares (PC)
    Re: Piggybacking and Memory Scanning (PC)
    Re: Report and Remedy req: $#@$! virus (PC)
    Re: Virual Code B, How do I get rid of it (PC)
    Re: AntiCMOS A virus (PC)
    Re: Trying to figure out if I have a virus... (PC)
    Re: Software to archive boot sector viruses? (PC)
    Re: Which virus scanner is best? (PC)
    Re: NATAS? (PC)
    Re: Advise on virus software (PC)
    Invircible (PC)
    Re: LILO and the MBR...please help (PC)
    Pathogen/Queeg (PC)
    VSafe & WFWG (PC)
    Re: Report and Remedy req: $#@$! virus (PC)
    Epbr Virus (PC)
    Re: Flash ROM virus questions (PC)
    Are Norton Antivirus upgrades on the internet? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 27 Apr 95 07:43:17 -0400
From: HRRWood@aol.com
Subject: April issue of The Scanner

I have uploaded:

SimTel/msdos/virus
snr9504.zip    The Scanner anti-virus newsletter, APR95 issue

SNR9504 - The April issue of The Scanner. An anti-virus newsletter for all computer users, researchers, and AV developers. This month we look at the EXEBUG virus. Mikko Hypponen's conclusion to his RETROVIRUSES treatise; check out the latest HOAXES, TROJANS and HACKS. Rob Slade addresses VIRUETHICS. Read the retirement letter of STORMBRINGER.

Special requirements: None
Changes: None
Freeware. Uploaded by author

Howard Wood
HRRWood@aol.com

------------------------------

Date: Thu, 27 Apr 95 08:44:04 -0400
From: cmort@NCoast.ORG (Christopher Morton)
Subject: AOL Virus, a New Take?

While the "Good Times" alleged text file virus has been rightfully debunked, I'm still faced with an AOL related virus problem. Yesterday, one of my users reported a hard drive failure after having received email via AOL. We brought the machine in, and indeed the media descriptor and FAT tables were screwed up. The user swears that he shared no disks with anyone, and only downloaded the email message.
While I'm firmly in the ranks of those who don't believe in viruses in plain text messages, I've given some thought to this problem, since apparently SOMETHING is happening. I know of no reasonable mechanism by which you could get a virus via text file on a DOS/Windows machine (absent the ability to do email compiles like Morris).

On the other hand, when you log into AOL, you don't JUST get text from email. The user shell is wont to send you a variety of things, including, I believe, updated binaries. Now, if during the course of a session wherein you download email, you also (unknowingly, since you're the typical benighted, pre-industrial user) get a variety of binaries, your PERCEPTION may be that you received a virus FROM the email, rather than from the user shell.

What if there really IS a virus, but it's transmitted via the user shell rather than email? The relationship between email and virus is probably one of synchronicity versus causation.

In any case, I DO have an unexplained problem here, and I think I've come up with a possible explanation. I'd really like to hear from anyone with similar "AOL" virus problems.

Oh, and before I forget, there's been so far no sign of any "Good Times" messages, at least that we've been told. The drive just went south and that was that.

Thanks.

- --
===================================================================
|                    BATF - NAMBLA with Guns                      |
===================================================================

------------------------------

Date: Thu, 27 Apr 95 19:15:01 -0400
From: "IF WISDOM COMES WITH AGE, I MUST BE NEAR GENIUS"
Subject: Would like to increase virus knowledge

Hi all,

I've been doing PC consultancy work here in Ireland for about 3-4 years and in that time have had little or no trouble with viruses. However..... in recent months I've been coming across more and more infections and related problems, and I've decided I need to boost my knowledge of anti-viral/security techniques.

If anybody could suggest some areas I should look into, I would be extremely grateful (long term I'd like to do research :-)). I've read one or two texts already, e.g. "A Short Course..." by F. Cohen.

Also I hope to have an old 386 at my disposal soon for playing around with, so if someone could suggest a good way to set up a kind of virus experimentation lab I would be extremely grateful.

Finally (for the real techies out there ;-/), apart from ASM what other languages are useful for anti-viral work??? Where would I pick up good AV programming techniques (Frisk, Vesselin et al, I promise not to drum you out of business for a few years yet :-)).

I hope you'll find the time to reply,

TIA
OJC

- --------------------------------------------------------------------------------
oconnolly@fab10.intel.com                                          ~_______~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                <|\^^^^^/|>
Owen J Connolly                                                   <| \O J/ |>
"No I'm not an AV expert.....But maybe some year!!!!!!"           <|__\C/__|>
"The beauty of standards is there are so many to choose from!!!!"
  --A History Of Unix
- --------------------------------------------------------------------------------

------------------------------

Date: Thu, 27 Apr 95 18:07:25 -0400
From: "Rob Slade, Social Convener to the Net"
Subject: Virus hoax listing

There is a bit of a problem in listing hoaxes. How do you define the difference between the deliberately malicious fake postings, and rumours that just get out of hand?

There was, for example, the "Proto-T" posting, which was probably an attempt by the vx community (or some portion thereof) to rile the AV team. (Once it had been determined that there *was* no Proto-T virus, of course, the vx community wrote one. Several, actually. They didn't match the original announcement, of course ...)

Then there was the "Desert Storm" virus, clearly based on an April Fools joke in InfoWorld magazine. But Pentagon "spokespersons" vouched for its authenticity, completely taken in by the rumour.
However, while egrep muddles its way through my archives, here are a few notable hoaxes of days gone by.

The "Mike RoChenle" modem virus. (Ken identified this with IBM's then new Microchannel architecture.) This one supposedly used a "secret carrier wave" kept hidden by modem manufacturers for testing. (In fact, modems do not use a "carrier" frequency.)

Proto-T. This was announced as a super-virus which no AV product could detect. It is not, of course, possible to write a virus which cannot be detected.

Good Times and XX-1. Both of these were reported at about the same time. Both seem to have been sincere warnings by clueless newbies. Both reported mail messages which could somehow wipe out your hard disk. Technically this is just barely possible, but it certainly isn't likely.

Paul Revere. A few years back, one of the PC mags published a list of joke viral programs, usually with some pun on the name. One was Paul Revere (returns 1 if infected by LAN and 2 if by C). Some time later, a local sysop calling the OS/2 support line with an oddity was told he might have the Paul Revere virus. I was never able to determine if this was just a ticked off support person trying to get rid of a call he couldn't deal with.

The Porno GIF virus. A GIF file (uuencoded and) posted on one of the alt.binaries.* graphics groups had some very weird text in it, somewhat indicative of a virus or trojan. Analysis indicated that it wouldn't do anything. There are possible indications in the GIF89a spec that such a thing might be possible, but it still seems highly unlikely.

The JPEG virus. Which we've just seen recently.

A lot of hoaxes spout some pretty good technobabble, so unless you are a real expert, it's quite easy to get caught. Look carefully at the source. If you pay attention to VIRUS-L/comp.virus over time, you will quickly find the people who know what they are talking about. Look for specific technical details, particularly how to identify and get rid of the beast. If you don't recognize the name of the person posting the warning, check to see who they say they have sent copies to for study. If they haven't contacted anyone legit, chances are good that they aren't legit either.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Thu, 27 Apr 95 21:27:37 -0400
From: Keith@slip.netcom.com
Subject: Re: Anti - Virus to scan ZIP files?

> Hello out there in Computer Land.......
> What I want to know is this:
>
> I am looking for a program that will do scanning for VIRUSES in Zip Files.

AntiViral Toolkit Pro (AVP) can virus scan within ZIP and ARJ files. Even through many layers!

ftp.netcom.com  pub/ka/kapeer/AVP*.*   [if you need a copy]

Keith

------------------------------

Date: Thu, 27 Apr 95 07:27:29 -0400
From: jeremy@command.co.uk (Jeremy Gumbley)
Subject: Re: F-PROT detects "Circular Infection" (PC)

sgarcia@campus.mty.itesm.mx says...
>
> I'm using F-Prot v 2.17 to scan a 5.25in floppy and it detects a
> Stoned.NoInt.A virus in the boot sector, after the program detects the virus
> it displays a message like this:
>
> "Alert! A "Circular Infection" has been found. This means that the sector which
> should contain the original boot sector is itself infected. F-PROT will not
> attempt to remove the virus"
>
> Any idea of what to do? , and also, could someone explain this just a
> little bit more, please ?
>
> Thanks in advance.

Here's a Frisk Software International Technical note on the subject of circular boot sector infections as reported by F-PROT.
Frisk Software International - Technical note #12
"Circular" boot sector virus infections

Most boot sector viruses replace the boot sector code with virus code and store the original boot sector somewhere else on the disk, for example in the last sector of the root directory. This causes a strange problem if a diskette gets infected with two boot sector viruses that attempt to store the original boot sector in the same sector. The first sector infects normally, but the second overwrites the original boot sector with the first virus. This has the effect of making the disk unbootable.

As the original boot sector has been overwritten, the best way to deal with this is to replace it with "generic" code.

Jeremy Gumbley, Command Software Systems UK
F-PROT Professional and NET-PROT Technical Support
UK Support: 0500 202 444 (+44 171 259 5710)  support@command.co.uk
US Support: 800 423 9147 (+1 407 575 3200)   support@commandcom.com

------------------------------

Date: Thu, 27 Apr 95 07:37:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey B virus (PC)

Jim Powlesland (powlesla@acs.ucalgary.ca) writes:

> McAfee's Scan 2.2.0 does not detect or remove the Monkey_B virus.
> F-Prot detects it but does not remove it. To remove it, I have
> successfully used Frisk Software's instructions for generic boot
> sector infections posted earlier.

This is rather strange, since (a) F-Prot should be able to remove Stoned.Empire.Monkey.B and (b) F-Prot's generic boot sector disinfection method shouldn't work against a virus like this particular one...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 07:44:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: AntiCMOS Cleaner ?? (PC)

JT Miller (jmiller@jmiller.com) writes:

[Using InVircible to remove the AntiCMOS virus.]

> I followed instructions, in section, 8." Reconstruction of the Boot
> Block", in the manual that came with the Zip file. Simply press a
> few keys on your keyboard and it's gone!

It is not so simple. First, InVircible (at least version 6.01D) damages some user files. Second, disinfection of stealth boot sector viruses "with a few keypresses" does not work on SCSI and MFM disks. Third, there is no similarly simple way to remove the virus from the infected floppies - and if it is not removed from there, it is likely to cause a re-infection.

A better solution is to get a good virus-specific program - one which can disinfect this virus reliably.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:06:21 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Crazy Boot Virus (PC)

Anhminh Tran (eaiu400@ea.oac.uci.edu) writes:

> I just got it and what it said when I did a scan is "hahaha don't try
> to mess with the Crazy Boot Virus or you'll be sorry!"

More exactly, was the message "Don't PLAY with the PC ! Otherwise you will get in 'DEEP,DEEP' trouble !... Crazy Boot Ver. 1.0" ?

Get the program AVP - it can remove it.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:09:03 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virual Code B, How do I get rid of it (PC)

Robert Boyer - ELCE/W95 (rboyer@hermes.acs.ryerson.ca) writes:

> I was infected with this virus(Virual Code B) and I was unable to remove

Please read the FAQ of this newsgroup for information on how to ask such questions. In particular, why do you think that you have a virus? Did some anti-virus program tell you so? Which particular program? Which version of it?

> it. I was informed that I had to replace my hard drive and motherboard.

Whoever has given you this "advice" is either a fraud, or a complete idiot, or both. It is never necessary to replace a piece of hardware in order to get rid of a virus.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:15:18 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NATAS? (PC)

1 (esp@eng.usf.edu) writes:

> i think i have a boot virus called NATAS or something like that.

Natas is not just a boot sector virus. It infects COM and EXE files, as well as MBRs and floppy disk boot sectors.

> can you
> get this type of virus by copying a file to the
> infected
> computer?

No. But you can get it by *executing* an infected file on a clean computer.

> as you can see i am having problems just writing this message.

This is not caused by this virus.

> what can i do
> to detect and clean this damn virus? HELP!

Most good scanners - e.g., F-Prot or AVP - can detect and disinfect it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:15:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "SW Error" - is this a virus? (PC)

Nikhil (nikhil@shakti.ncst.ernet.in) writes:

> A few of our customers have reported the same error while
> running DOS applications. All calls were received on the same
> day but no complaints thereafter in the last 20 days.

This message is displayed by the Die_Hard virus, if the day of the week is Tuesday and the date is 3, 11, 15, or 28 of any month (and if the virus has infected at least 13 files).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:19:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: *.exe -> *._xe Virus? (PC)

John Christopher Kroeker (umkroe26@cc.UManitoba.CA) writes:

> I've noticed that many of my files (about 50 on one drive alone) have a
> copy of themselves which are only 77 bytes long and have one letter renamed.
> Eg:
> fips.exe
> fips._xe   <-this file has system and read only attrib.
>              and is 77 bytes long (as are the rest
>              like this)

This is done by Norton Anti-Virus, version 1.0. God, I am amazed that someone is still using this version - it is more than 5 years old! Delete it; it is worse than useless.

> Some of the files come in pairs like the one above and others just have
> the *._xe file . Sounds like a virus to me.

It isn't one. It is a (poor) anti-virus program.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:25:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: hllo.wonder (PC)

Judy A. Zimmet (jaz@PrimeNet.Com) writes:

> This week, our work site has encountered the hllo.virus attached to a program
> that was developed by a developer of the company I am working for at a remote
> site. McAfee 2.2 detects it, but only when a distinct DIRECTORY is scanned as
> opposed to a Volume on a Novell 3.12 Network. McAfee did not indicate a way
> to remove it, so it was removed by deleting the infected executable.
> Any information about the hllo.wonder virus is appreciated-

You almost certainly do not have a virus. HLLO.Wonder is an overwriting virus written in a high-level language - as its name indicates. It is very difficult to pick a good scan string for such viruses - I mean, a scan string that will always detect the virus and not give a false positive on any other programs. The reason is that most of the virus is simply standard libraries put there during the linking process - so, unless the scanner producer is *very* careful, any odd scan string will "detect" any other program that is compiled with the same compiler and contains calls to the same libraries.
McAfee's SCAN is almost certainly giving a false positive on this one - this has been a common problem in the latest versions of this product. I suggest you replace it with a better one - I recommend F-PROT, AVP, or TBAV.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:26:21 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: F-Prot 2.17 fails Mcafee 2.2.1? (PC)

Bill Aber (aberb@dgs.dgsys.com) writes:

> I was scanning the recent Mcafee 2.2.1 with F-Prot 2.17, and it failed
> all of the files saying it was a possible form of the NOV-17 Virus,
> anyone else encounter this problem?

It is a false positive. Not sure whose fault it is exactly, but you can assume that it will be fixed in the next versions of those products.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:31:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: D2/DH2 behaviour (PC)

Nikhil (nikhil@shakti.ncst.ernet.in) writes:

> Is there any AV that can remove DH2 or one must delete all affected
> files with the /DEL option.

Yes - AVP 2.1 will disinfect the infected files properly.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:34:44 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Partition table virus (PC)

Christian (ug201am@sunmail.lrz-muenchen.de) writes:

> How can it be, that a virus resides in the partition table ?
> I cannot imagine how the mechanism could be, because
> a partition table is only a data area and it is not executed
> like a program.

The sector where the partition table is (the Master Boot Sector) also contains a small program that is executed every time the computer boots from the hard disk. Originally, the purpose of this program is to find the active partition, load its boot sector in memory, and transfer control to it. Several viruses infect the Master Boot Record by replacing it with their bodies.

On the other hand, there is one virus - StarShip - which infects it by changing only a couple of bytes in the partition table *data*. It changes it in such a way as to indicate that the active "partition" is some particular (normally unused) part of the hard disk, where the virus resides.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:38:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Form virus (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

> > Does anyone know what harm the form virus does?

> When it infects the hard disk, it overwrites the last two sectors of
> what it believes to be the active partition, regardless of their
> contents. In some cases this causes damage.

Sorry, the above is not correct. Form overwrites the last two physical sectors of the hard disk; not the last two sectors of the active partition. The comment about the damage still holds.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:40:20 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NATAS Background? (PC)

adbryan@onramp.net (adbryan@onramp.net) writes:

> Does anyone know the background of the NATAS virus,
> other than it's satan spelled backward?

It was written by James Gentilly - a virus writer known also under the handles "Priest" and "Little Loc". He is also the author of other viruses, such as Priest, Jackal, Sat_Bug, etc. He was interviewed by the FBI, but it has been found that he's too young (below 16) to be prosecuted.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:41:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help with MBR Please! (PC)

Bus Driver (moseley@netcom.com) writes:

> Now the question. Say I get a virus in the MBR. Does the dos (v6.2) format
> command update the MBR?

No.

> Or would I need to boot from a clean disk, then
> after I format C:, run FDISK/MBR before booting off C:?

Yes, but only if you can access drive C: (e.g., DIR C:).
> I want to build an easy restore utility for this public location that
> will reformat and restore all files, but I want to make sure that all
> code gets replaced (including the MBR) to clean all possible viruses.

Better use one of the products that already do so. I recommend DiskSecureII or HS.

> BTW - I'll try to get back to this group to look, but I don't always have
> access to the newsreader. So I'd appreciate any posts cc:
> moseley@netcom.com.

Done.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 08:44:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: F-PROT detects "Circular Infection" (PC)

Ing. Salvador Garcia Mu~oz (sgarcia@campus.mty.itesm.mx) writes:

> "Alert! A "Circular Infection" has been found. This means that the sector which
> should contain the original boot sector is itself infected. F-PROT will not
> attempt to remove the virus"

> Any idea of what to do? ,

Boot from a clean, write-protected system diskette, containing DOS version 5.0 or higher. Check that you can access the hard disk (e.g., "DIR C:"). If you cannot, STOP HERE. Otherwise, execute the command FDISK/MBR.

> and also, could someone explain this just a
> little bit more, please ?

It happens when two viruses store the original boot sector at one and the same place - or when they do not preserve it at all. For more information, read the FAQ, question G3.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: 27 Apr 95 10:33:23 -0000
From: koksl@singnet.com.sg (Ian H. Chan)
Subject: TSR to scan all floppy disk activity? (PC)

Hi all!

I'd like to know if there are any TSRs that scan all floppy activity, like copying, reading, even dir. I'm trying to set up an anti-virus thing for some friends whom I don't trust to scan their floppies before use on their system.

Thanks,

- - Ian
- --
PGP public key available from pgp-public-keys@pgp.mit.edu.

------------------------------

Date: Thu, 27 Apr 95 09:25:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Hardware Virus Protection - EMD Armor Plus (PC)

EMD Enterprises (emd@access2.digex.net) writes:

> EMD:
> That is why scanners and TSRs,
> : > which can only be loaded in config.sys and autoexec.bat, are ineffective
> : > against boot viruses.

> VVB> That's not completely true. A TSR scanner will detect a boot sector
> > virus known to it when the user accesses the infected floppy, or when
> > the user presses Alt-Ctrl-Del with an infected floppy left in drive
> > A:.

> Not true, not true. If you press Alt-Ctrl-Del, no TSR program can
> become active before autoexec.bat or config.sys is executed. Boot

Not true, not true. Obviously, you do not know how the reboot process via Alt-Ctrl-Del works. It is trivial for a TSR program to intercept the keyboard interrupt, and when the keypress of this particular combination is detected, to check whether there is a floppy disk in drive A: and whether its boot sector is infected. Most resident scanners nowadays can do it. In fact, some even do it by default and you need to use a special option if you want to force them *not* to do it.

> viruses take control of the boot process BEFORE any anti-virus software
> can be loaded via config.sys or autoexec.bat.
Boot viruses do not take control at all, until the computer is booted from an infected disk(ette). From the moment the user presses Alt-Ctrl-Del till the moment when the boot sector is loaded in memory and control is transferred to it, there are ages of time by the CPU standards. Lots of things can be done in this time.

> VVB> Also, in most cases the scanner will be able to detect that a boot
> > sector virus is in memory, if you boot from an infected hard disk.

> That is, if you are lucky enough to have anything left in the hard
> drive after the boot virus has had a free run during the boot process.

Sure, but if the thing activates the damaging payload at once, then it is not a virus; it is just a Trojan. Scanners do not pretend to detect trojans (although some of them do detect some trojans), nor to be able to repair the damage caused by them.

> I leave the readers to draw their own conclusions regarding the
> effectiveness of TSRs against boot viruses.

This is, I guess, the best thing to do. Many of them have already drawn their conclusion, as it seems from the ratio of people who use TSR scanners and anything else.

> VVB> This was not my experience when I played with your product at the
> > Hannover fair. It raised an alarm when I just tried to execute the
> > COPY command. I would hardly call this a "zero false alarms rate".

> I was not present when you visited our booth at CeBIT. However,
> those who were there tell me a drastically different story of your
> visit.

Then, I assume that they have not quite well understood what has happened. The alternative would be to assume that they have misinformed you.

> once and for all. Let's agree on some independent observers, and in
> their presence let's repeat this test. If you can still duplicate the
> false alarm you got while copying files, we will accept that we have a
> serious problem with our product. If not, we expect you to publicly
> acknowledge that your comments were erroneous.

That's OK, but there are two problems. First, right now I am too busy with my thesis, so any kind of testing should be postponed until I finish it. Second, the copy of your product that was sent to me does not even install, let alone work. It's kinda difficult to do tests on such a thing.

> VVB> What's so unique about it? Assigning permissions to the programs on
> > the system has been known for years in the mainframe world. Ever heard
> > of "discretionary access control" or of "access control lists"?

> To the best of our knowledge it is unique in the PC environment
> and in the context of anti-virus technology.

Then, your knowledge is flawed twice in this aspect. First, as others have already pointed out, there have already been such products in the PC environment. Second, as it has been proven about 13 years ago, discretionary control mechanisms are unable to stop viruses. You need mandatory access controls and you have to use them to implement integrity-based protection models.

> VVB> It certainly isn't. There are plenty of other access control products
> > which do the same thing. Some of them are based on a design more
> > secure than your product. For instance, your product is just a BIOS
> > extension. Another product, called ExVira, attaches itself
> > electrically *between* the hard disk and the motherboard and also
> > between the keyboard and the motherboard - thus ensuring that it
> > cannot be bypassed.

> Vesselin, I think the problem is that you are making a lot of
> assumptions about our product. Your comments are based on your
> feelings, not on cold hard facts.

It is a cold, hard fact that your product is a BIOS extension and does not have a CPU. It is a cold, hard fact that your product is a plug-in card, sitting on the bus, instead of electrically separating the hard disk (and the keyboard) from the motherboard.

> Most of the loopholes you point out
> have been taken care of during the design process.

You cannot convince me that a software implementation - no matter how clever the programming you have used - is more secure than a product that is electrically between the hard disk and the CPU.

> I suggest you run
> some tests on our product, and come back with some definite data. We

That's kinda difficult for a product that doesn't even install.

> I am not so sure that most scanner based product manufacturers
> are so generous as to give two years of free updates.

At least McAfee does so, or so they have told me. You could ask the other ones.

> Aside from the cost factor, there is the pain and nuisance of
> keeping up with constant updates, which are typically monthly, and
> sometimes even twice a month. Based on what we are hearing, corporate
> IS people are getting tired of the time spent in downloading and
> distributing updates.

It depends. Regularly updating a couple of machines is not a problem - I update my copy of AVP every *week* on both machines I use. For a company with more machines, they are likely to be connected in a LAN. Most scanner producers nowadays provide means for automatic updates of their product - so that the system administrator has to update the product only in one place and then every user gets his/her computer updated automatically, as s/he logs in to the network. Some products even have the capability to automatically call the producer's BBS and download the updates, if any.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.        Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 27 Apr 95 09:36:09 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Piggybacking and memory scanning (PC) EMD Enterprises (emd@access2.digex.net) writes: > > have to strongly agree with Iolo's statement. Your product simply > > doesn't do the job. It even failed to install. > Your testing of EMD Armor Plus was limited, inadequate, and above > all seriously flawed technically. It is kinda difficult to do a more detailed and adequate testing with a product that refuses to even install, let alone work. > As for "cure" (cleaning) it may or may not work > even with the best cleaning programs for a variety of reasons. The best cleaning is a good, up-to-date backup. It *always* works, but few people use it. > > you claim that it "stops all known and unknown viruses", "is the > > ultimate protection against viruses" and so on (the quotes are not > > word-for-word exact; I am not in my office right now and don't have > > access to the materials). So, I am asking you, have you really tested > > *all* known *and* unknown (huh?) viruses against your product? Have > > you tested all other existing anti-virus pretections to claim that > > yours is the ultimate one? If not, why are you making such claims? > Vesselin, I can understand your cynicism regarding EMD Armor Plus. > This is a question that we often get. If you test the product, however, > you will find that what we claim is indeed correct. Read my statement again. There is simply no way claims like yours can be tested - by you, by me, or by anyone else. How do you propose to test that the product "stops *all* *unknown* viruses"? > Since EMD Armor > Plus constantly monitors virus-like activities (not specific viruses) > at the very system level, it provides effective protection against both > known and unknown viruses. We have made every effort to insure this. 
I believe that you have made an effort to insure this. I believe that it provides protection against both known and unknown viruses - all generic anti-virus products do so. What I refuse to believe is that it provides such a protection against *ALL* known and unknown viruses (as it is stated in your promotional materials). It doesn't matter that it monitors "virus-like activities". It is *impossible* to design an algorithm that will distinguish between a virus and a non-viral program - neither by appearance, nor by behaviour - in *all* possible cases. This has been proven more than 11 years ago. Please, refer to the relevant literature. There are cases in which it is impossible to distinguish between the "activities" of a compiler/linker or a file manager and a virus.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226
Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.
Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de
22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 09:41:37 -0400
From: m.vanotterlo@student.utwente.nl (Hans Kazan)
Subject: Tai Pan Virus (PC)

Can someone give me more information about the Tai-Pan virus? Like, is it dangerous, which files does it infect etc etc...

Thnx.
Martijn.

------------------------------

Date: Thu, 27 Apr 95 09:42:32 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: Stealth virus source of infection (PC)

keiths@sydney.DIALix.oz.au (Keith Sutherland) writes:

>Date: 26 Apr 1995 10:51:17 -0000

>Can you tell me if there is a common source for the IBM PC Stealth Virus.

Yes. The common source is any floppy that has been formatted. :-)

>We had a small contained attack this week and cannot work out where it
>came from. You see we don't have a network so Floppy Disk is the only
>possible way.

What it means is that somebody is rebooting their PC either on purpose (to play a game, for example), or accidentally, by leaving a floppy in the A: drive overnight, and then 'powering on' next morning.

>Is there a known game, for example that contains this virus?

No, like I said - any disk will do. Every disk that is formatted automatically has a boot record on it, whether it is bootable or not, and is therefore infectable. The /S command simply transfers the operating system as well (io.sys & msdos.sys), thereby making it bootable.

Is that enough info, or do you need some more?

Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date: Thu, 27 Apr 95 10:08:42 -0400
From: gcluley@sands.co.uk
Subject: RE: Why FORMAT does not remove Beijing virus? (PC)

scip4160@leonis.nus.sg (Lim Sin Leng) writes:

> Could anyone tell me why the DOS command FORMAT does not remove Beijing
> virus?
> The version of Beijing virus we encountered infects boot sector of hard
> disk and floppy disks.
> NB: McAfee SCAN 9.30 V117 cannot detect infection by Beijing virus.

Beijing infects the boot sector of floppy disks and the partition sector of hard disks. Format will leave the partition sector untouched.

If the PC is booted from an infected floppy disk, the virus goes memory resident and infects the partition sector of the hard disk. The virus infects any floppy disk which is accessed.

The virus does NOT store a copy of the original, clean partition sector elsewhere on the disk. It stores additional virus code on Cylinder 0, Head 0, Sector 4 on the hard disk and in one of the root directory sectors on floppy disks; the text "Welcome to BUPT 9146, Beijing!" can be found in this sector.

Regards
Graham

- ---
Graham Cluley [gcluley@sands.co.uk]
Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit
S&S International PLC, UK
CompuServe Tech Support: GO DRSOLOMON
UK Support: support@sands.co.uk
USA Support: 72714.2252@compuserve.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 617 273 7400
- ----- Free tech support: 800-595-9175. Registered USA customers only! -----

------------------------------

Date: Thu, 27 Apr 95 10:13:12 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Need help selecting virus softwares (PC)

EMD Enterprises (emd@access2.digex.net) writes:

> > Of course, the above were just general statements. Regarding your
> > product in particular, the situation is much worse. The first time I
> > played with it at the Hannover fair,
> You therefore admit that you never saw our product before the
> CeBIT fair at Hannover.

No, I do not. Where did you get that from? As far as I can see, the paragraph of mine that you quoted says only that I *played* for the first time with your product at the Hannover Fair. It doesn't say that I *saw* it for the first time there.

> This contradicts your claim in an earlier post
> on this thread that you had examined EMD Armor Plus before CeBIT and
> found tons of problems with it.

I never made such claims. I only said that I have seen your product and that I have also seen much more secure products of this type.

> > it failed to notice the creation
> > of a COM file in a directory where an EXE file with the same name existed.
> So what? I suppose that the point you are making is that the COM
> file could have been a virus.

Yes.

> When the user executes the EXE file, the COM file would execute
> instead, but any attempt by the virus to create any mischief would be
> intercepted by the security net of EMD Armor Plus.

So, you admit that the infection will not be detected and only the "mischief" will? BTW, what do you understand under the term "mischief"? Damage?
What if the damage consists of altering two random bits in memory? How would you detect this? How do you know what has to be in that place of memory? What if this place is the DOS I/O buffer?

> > It also failed to notice the overwriting of a BAT file. At
> By default, five types of files - COM, EXE, OVL, SYS, and BIN are
> protected. BAT files are not protected by default. That is why you were

So, you admit that my first observation was correct.

> If you are concerned about protecting BAT
> files, simply add BAT to the list.

This is, obviously, what had been done the second time I played with the product.

> This feature is explained clearly in the manual. Obviously, it
> escaped your attention.

There wasn't a manual lying around at your stand at the Hannover Fair.

> All that you need to do is simply add OBJ and AVR to the protected
> file type list. But, more importantly, how common are the viruses which
> affect these types of files? There are two such viruses.

Does it matter? I thought that you claim protection from *all* possible viruses - no matter how common? If so, why do you have to bring the "commonness" argument into the discussion?

> > The second time I played with it, you had the security "beefed up" -
> > obviously in an attempt to cover the security holes that I pointed out
> > to you.
> All that we did here was that we added BAT to the protected file
> type list. WE DID NOT CHANGE ANY OTHER PROTECTION PARAMETER.

This sounds like "We didn't change any protection parameter of our Unix system - we just removed the root-owned SUID copy of the shell"...

> This is simply not true. There is nothing in the product which
> prevents a user from copying any file from a floppy to the hard disk.
> You must have tried to copy over an existing COM or BAT file, and the
> alarm bells went off as indeed they should.

I worked in an empty directory that I created, so it is hard to believe that there was anything there.

> Do you think that we would do this if we did
> not feel confident about the product?

I do not think that you do not feel confident about the product. I am simply saying that it is not as good as you feel confident about.

> Do you feel that we are stupid
> enough to make a product that would not even let users copy files from
> floppies to the hard drive?

Well, it did prevent me from doing it, so make the rest of the conclusion yourself. Worse, when it displayed its warning window and I told it to "Continue", the copying process still failed and the command interpreter reported a "not enough disk space" error - while there was still about 18 megs disk space available.

> First of all, MIS Europe is the only one of our distributors
> authorized to send out samples in Europe. They did not send you a
> sample. I am not sure from what source you got the product, but

Well, I do have a sample of your product. Dunno about MIS Europe, but it has "EMD ARMOR" written with big blue letters over the box. Is there some kind of serial number on it? If yes, tell me where to look for it and I'll report it to you, so that you'll be able to figure out who has sent it to me - I do not keep a copy of the envelopes I receive and, frankly, it's not my business to keep track of your products.

> The "card not found" message is not unusual. If you have a memory
> manager installed you need to "rem" it out before installing EMD Armor
> Plus. This was described in the manual (Chapter 8).

I followed the advice. The product still failed to install.

> The README.TXT file gives detailed instructions as to what you
> have to do in that situation.

Unfortunately, following them didn't result in an installed and working product.

> The fact is, users far less technical than you have been able to
> install EMD Armor Plus without any help from us by simply following the
> instructions in the manual and the README.TXT file.

Probably the reason has been that they have received a working copy of the product.

> Anyway, the fact that you could not install our product confirms
> that you did not test our product anywhere except at the CeBIT fair in
> Hannover. Your comments then are entirely based on the brief encounter
> you had with EMD Armor Plus at CeBIT.

Yes. However, a person with my experience with anti-virus products can tell a lot by just *glancing* at an anti-virus card.

> > Even the scanner part of
> > your product refused to run because the "hardware was not installed"
> > (why?!). And, of course, in this condition it failed to detect *any*
> > viruses at all.
> Of course the scanner is not supposed to run if the hardware is
> not installed. One of the objectives of EMD Armor Plus is to eliminate
> the need for frequent scanning. By disabling the scanner until the
> hardware is installed, we are discouraging the user from scanning
> needlessly. We use the scanner to simply identify a virus only when
> some virus like activity is detected.

I see. For some reason, I had the impression that the real reason is to prevent the people from using the software without buying the card. Never mind.

> > to contact it. All I got was a voice mail system. After going through
> > its maze and pressing "3 for technical support", I was informed that
> > "the person I am looking for does not have a mailbox". At this point I
> > gave up, since my time is valuable and I don't like to have it
> > wasted.
> The trouble was, you called the wrong phone number! Our 24 hour

I called the number listed in the manual, on page 73.

> technical support in Europe is provided by a hot line in U.K. That
> number is (44)(0)-1622-813111.

No such number is listed in the manual. The number listed there is 0622-817808. And I had to *guess* that, since it is in the UK, I had to do some modifications to it (remove the leading zero and prepend 0044 to it) when I am calling from Germany.

I am sorry, but my telepathic capabilities are seriously limited and I was unable to guess that you've meant a completely different number when writing the manual.

> I think the problem was that you never
> got a complete test kit from MIS Europe. (The technical support number
> is included in the test kit). You probably called the general number in
> U.K., which is no longer used to provide technical support.

For some reason, the manual claims that this is exactly the number of M.I.S. Europe Ltd., Kent, United Kingdom. Do you seriously believe that some of your malicious competitors have intentionally sent me a fake copy of your product - one that does not work (or even install) and a buggy manual? :-)

> In any case, if you were serious about getting technical support, you
> could have simply sent an e-mail to us, or you could have accessed our
> CompuServe support forum if you had access to CompuServe.

I lost a whole morning trying to install your product. As I wrote in another message, I do not like to have my time wasted. I get a lot of junk, you know? When it doesn't work, I simply put it in a drawer and forget about it.

> Frankly, I am rather shocked at the viciousness of your attacks
> against EMD Armor Plus.

Those attacks are based on my impression of the product.

> The intensity of your attacks is surprising
> considering that, by your own admission earlier, you had only tested
> the product briefly at CeBIT.

The short experience with it was enough to give me a bad impression. A very bad impression. I've seen several other anti-virus products - no better than yours - but at least not making such shameless claims.

> If you think EMD Armor Plus is flawed in some
> ways, I want you to know that we are always eager to listen to
> constructive criticisms.

I do think so and already explained why. Feel free to do with my criticisms whatever you want.

> However, your vitriolic attacks against us are not helping anybody
> except perhaps the competing vendors.
And also the users who would like to avoid having the same experience with your product that I had.

> In any event, if those of you reading this message are interested
> in an alternative viewpoint regarding EMD Armor Plus, you may want to
> take a look at the first message in the thread "A Success Story" in
> alt.comp.virus newsgroup.

Why did you post it to a virus distribution newsgroup? You should have posted it here.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226
Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.
Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de
22527 Hamburg, Germany

------------------------------

Date: Thu, 27 Apr 95 10:21:26 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: Piggybacking and Memory Scanning (PC)

frisk@complex.is (Fridrik Skulason) writes:

>Date: 26 Apr 1995 10:38:04 -0000

>I am afraid that virus specific methods give false alarms less often than
>generic methods...which is one reason why integrity checkers and similar
>programs are less popular than scanners.

Another issue with generic methods is that while they can be implemented _quite_ strongly by a technically competent person on one or two PCs, they are difficult to manage on large quantities of PCs. The problem is that most end users simply don't understand what a generic a-v program is actually telling them, and they end up calling their tech support for assistance. In practice, this can be a real problem when a support person has perhaps 2000 PCs to look after.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date: Thu, 27 Apr 95 10:28:05 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: Report and Remedy req: $#@$! virus (PC)

wmono@Direct.CA (William Ono) writes:

>Date: 26 Apr 1995 10:51:19 -0000

>- - MBR keeps changing

How do you know?

>- - Filenames are renamed, with one character off by one letter
> (eg COMMAND.COM -> COMLAND.COM, MSDOS.SYS -> MSDNS.SYS)
> These changes are constant - every time, MSDOS.SYS is renamed to MSDNS.SYS
> and then corrupted. Same with the other files.
> Sometimes more than one change is made per filename.
> Most occurrences of "A" are changed to "@"
>- - FAT tables are destroyed beyond any repair
>- - Any reads made to any part of the hard drive are immediately followed with a
> write to that area (or at least it did so whenever I was able to observe it)
>- - Reads from DOS respond with FAT table error, Sector not found, or General
> Failure.

Sounds like flaky hardware to me. Maybe your disk controller? It _could_ be a virus, but the fact that you gave it a couple of very solid clean-ups, and yet (evidently) the problem reappeared immediately sort of indicates hardware. Did you get any a-v to run at all?

It's probably worth changing the disk controller, which is not too expensive, running an up to date scanner, installing a decent checksummer, and monitoring the situation. The new controller should give you a fairly economical basis for comparison, and the checksummer should warn you immediately if things change. Of course, the best way to run the checksummer is to run it from a cleanly booted PC, on a write-protected floppy (ie store the checksum on another floppy or the harddrive, but have the disk containing the executable write protected) - this will eliminate a stealth virus.

Hope this helps.

Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

>Thank you for any help,
>William Ono
>wmono@direct.ca
>******)))))) Please FOLLOWUP to this article as my email
>box is nonfunctional at this point in time! ((((((******

------------------------------

Date: Thu, 27 Apr 95 11:03:17 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: Virual Code B, How do I get rid of it (PC)

rboyer@hermes.acs.ryerson.ca (Robert Boyer - ELCE/W95) writes:

>Date: 26 Apr 1995 10:37:43 -0000

>I was infected with this virus (Virual Code B) and I was unable to remove
>it. I was informed that I had to replace my hard drive and motherboard.

Sorry, you never have to _replace_ hardware to remove a virus. Change your vendor.

>Now I am wondering if I could have removed it. If anyone has any solutions
>please email me.

I think the virus name is wrong. You need more information about what virus you really had. Change your scanner. There are plenty of accurate shareware scanners available.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date: Thu, 27 Apr 95 11:45:22 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: AntiCMOS A virus (PC)

andersen@s4.elec.uq.oz.au (Hans Andersen) writes:

>Date: 26 Apr 1995 12:37:22 -0000

>Hi,
>My computer has caught the AntiCMOS A virus and I currently have a
>non-functional machine. Does anyone have any idea how it works?

Why is it non-functional? Does that mean that you tried to fix it, and did something wrong? It is an MBR _overwriter_ rather than an MBR _mover_. Most new a-v software will easily fix the virus, but older stuff may have a problem. Just remember to boot clean first.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date: Thu, 27 Apr 95 12:39:27 -0400
From: steins84@futures.wharton.upenn.edu (Adam Stein-Sapir)
Subject: Re: Trying to figure out if I have a virus... (PC)

Lic. Jose Anaya P. (joanaya@academ01.mty.itesm.mx) wrote:
: michael@karlsberg.usask.ca (Michael Craggs) wrote:
: > Quote begins
: However, whenever I exit Windows, my disk drive accesses
: for approximately 2 minutes. I tried removing smartdrv,
: the swap file, wiping clean win.ini and system.ini and
: also scanning and defragmenting the hard drive, but nothing
: seems to affect it.
: > Quote ends.

Windows might also be trying to re-initialize the mouse.

------------------------------

Date: Thu, 27 Apr 95 13:54:00 -0400
From: moy@xp.psych.nyu.edu.Bicycle.Repairman (;^)
Subject: Re: Software to archive boot sector viruses? (PC)

Hi All,

There is probably a typo there. The sector length of DOS diskettes is 512 bytes (200h), so to save the whole sector image, the DEBUG script should read:

L 100 0 0 1
rcx
200
n drive_a.boo
w
q

Obviously, use a clean system to do this.

Moy Wong (moy@xp.psych.nyu.edu)
Dept. of Psychology, New York University

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>However, if indeed all you want is to copy the boot sector of a floppy
>to a file, you can do it with DEBUG. Create a text file, say
>"debug.scr", with the following contents:
>
>L 100 0 0 1
>rcx
>100       ^^^ should be 200 for the whole sector
>n drive_a.boo
>w
>q

------------------------------

Date: Thu, 27 Apr 95 13:56:00 -0400
From: e9025064@student.tuwien.ac.at (Gerald Pfeifer)
Subject: Re: Which virus scanner is best? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>You should better get a good scanner - AVP, F-Prot, TbScan are among
>the best.

I'll second this.

> You should also get a good integrity checker. Unfortunately
>finding a really good one is not easy. You could try Integrity Master,
>VDS, or ADInf. They still leave a lot to desire [...]

What does Integrity Master leave to desire? Any security holes?

The only things I'd like to see are:
*) an improved user interface (functionality is OK)
*) perhaps an optional database instead of one file per directory
*) a Windows 95 and a NT version

Ciao,
Gerald
- -----------------------------------------------------------------------------
Gerald Pfeifer (Jerry)                         Vienna University of Technology .
e9025064@student.tuwien.ac.at                  http://fbma.tuwien.ac.at/~e9025064/ .

------------------------------

Date: Thu, 27 Apr 95 11:25:01 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: NATAS? (PC)

1 writes:

>From: 1
>Subject: NATAS? (PC)
>Date: 26 Apr 1995 10:37:59 -0000

>i think i have a boot virus called NATAS or something like that. can you
>get this type of virus by copying a file to the
>infected
>computer?

Yes, but you need to execute the virus for it to infect anything else. (It is a boot infector and a program infector, so it is pretty easy to execute it.)

>as you can see i am having problems just writing this message. what can i do
>to detect and clean this damn virus? HELP!

(1) Get an up to date scanner. This may be tricky because your computer may well be infected. In other words, you may need to get the scanner from someone else's (clean) computer.
(2) Back up anything you are emotionally attached to.
(3) Boot clean.
(4) Remove the virus.

Good luck.

Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date: Thu, 27 Apr 95 16:34:01 -0400
From: cschweiter@lightside.com (Grafix)
Subject: Re: Advise on virus software (PC)

mhsacks@mail.med.cornell.edu (Michael Sacks) wrote:

>I would appreciate help on the selection of an antivirus software. From
>reading the newsgroup it seems that NAV, McAfee and Solomon are the
>most preferred. Is there any consensus? All opinions are welcome.

I have found McAfee to be the absolute best when it comes to detecting viruses. As for REMOVING them, well, that's another story.

------------------------------

Date: Thu, 27 Apr 95 17:53:04 -0400
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: Invircible (PC)

Mr. Casas:

I am completely independent, and I say that IV isn't as good as it should be. Why is this? Simple. IV isn't as good as you and Zvi portray.

I have no monetary interest in IV or any other A-V product. I recommend several A-V programs. I would recommend IV if it actually worked as advertised!

Bill
bill.lambdin@woodybbs.com    PGP fingerprints    9CCD47F3C765CA33
blambdin@aol.com                                 C77D698B260CF808
- ---
* CMPQwk 1.4 #1255 * BIBLEPR.ZIP distributed to BBSs is a trojan.

------------------------------

Date: Thu, 27 Apr 95 17:54:53 -0400
From: jroberts@ux4.cso.uiuc.edu (Jason Robertson)
Subject: Re: LILO and the MBR...please help (PC)

wrote:
>elk@cb.att.com (nd33023d0-Ed King(CB2004)000) writes:
>>Can someone please tell me how to rewrite the MBR on a hard drive
>>to what it *should* be?
>
>Have you tried to use FDISK to recreate the partition(s)? That might
>do the trick for you. Otherwise, if Linux is still on the hdd, re-run
>the Lilo setup, telling it to default to the DOS partition at boot
>time.

Running fdisk /mbr will indeed get rid of LILO if you installed it on the mbr.

- --
PGPkey = finger jroberts@ux4.cso.uiuc.edu
Email = jroberts@uiuc.edu

------------------------------

Date: Thu, 27 Apr 95 17:48:15 -0400
From: Russ Rowen
Subject: Pathogen/Queeg (PC)

I seem to have this virus on a .com file in Large Print for Dos Software (original disks). I can find no information about it. The NAV 3.0 TSR detected it when attempting to load the com file, but when I run a scan of the Hard Drive it does not find it. The TSR is unable to kill it.

Can anyone help? What damage can it do, and how can I remove it?

Thanks.

------------------------------

Date: Thu, 27 Apr 95 16:42:04 -0400
From: BENEDICT@VAX.CS.HSCSYR.EDU
Subject: VSafe & WFWG (PC)

VSafe (with DOS 6.2, for what it's worth) and the Program Manager in Windows for Workgroups 3.1.1 seem to be incompatible. At any rate I can't get both to run at the same time, and starting WFWG then running VSAFE from the DOS command gives only ugly results. The reverse sequence won't let Windows start.

Is there a solution? Or do I need to find a new antivirus solution before I continue migrating?

Paul DeBenedictis, Manager
Student Computing Services
SUNY Health Science Center at Syracuse

------------------------------

Date: Thu, 27 Apr 95 16:33:36 -0400
From: cschweiter@lightside.com (Grafix)
Subject: Re: Report and Remedy req: $#@$! virus (PC)

wmono@Direct.CA (William Ono) wrote:

>******)))))) Please FOLLOWUP to this article as my email
>box is nonfunctional at this point in time! ((((((******
>...
>- - MBR keeps changing
>...
>- - FDISK/FORMAT
>- - Drained CMOS again
>- - Copied a new boot disk with necessary software, then booted with it
>- - FDISK'ed and FORMAT'ed.
>
>And here I am now. I'm writing this on my Mac, because as you may be able
>to tell, my PC is out of commission. If anyone is able to lend me a hand,

FDISKing will not remove a virus that resides in the MBR. To truly wipe the drive, you can low-level format it. I use a program called DrivePro to do it, although normally I use the "Erase first 10 cylinders" option instead of low-level formatting it, unless the drive is REALLY screwed up. If you don't have access to this kind of software, you can use the format utility in your BIOS. Just make sure to pick 1:1 interleave, or your drive will crawl when you're finished with it.

------------------------------

Date: Thu, 27 Apr 95 15:54:59 -0400
From: "HAGWOOD.BILLY"
Subject: Epbr Virus (PC)

A University Faculty recently returned from Tanzania with his Toshiba Laptop (Toshiba Satellite T1960CS w/ DOS 6.2) infected with a virus f-prot identifies as "Epbr" but cannot disinfect. Any info on potential damage or disinfecting?

_______________________________________________
Billy Hagwood
Computer Consultant IV
ISD-End User Services
University of North Carolina Hospitals
Chapel Hill, North Carolina, USA
BHAGWOOD.ISD2@MAIL.UNCH.UNC.EDU
_______________________________________________

------------------------------

Date: Thu, 27 Apr 95 16:36:13 -0400
From: "David M. Chess"
Subject: Re: Flash ROM virus questions (PC)

> Moderator's note: Can anyone validate this claim? Don't most Flash
> BIOSes require the user to set a jumper on the motherboard in order to
> be able to write to the BIOS? I know mine does - an ASUS SP3G w/
> Award BIOS.

There are no standards of any kind in the FLASH ROM area; some require a physical something (less convenient, more secure), others don't. Every chipset requires a different protocol and a different program to update it. That's good from the anti-virus point of view, but like Security Through Obscurity in general it's unlikely to last: there will probably be standards eventually...

The particular FLASH-infecting virus in the VLAD "magazine" certainly won't work (for one thing, it requires a large block of zeros in the BIOS, and there's almost certainly not one there; for another thing, the author admits he's never actually tested it, and your typical K00L 3L1T3 virus writer doesn't write code that works on the first try!).

- - -- -
David M. Chess                    | Contains small parts;
High Integrity Computing Lab      | not recommended for children
IBM Watson Research               | under 3 years of age

------------------------------

Date: 27 Apr 95 20:14:21 -0500
From: pletcgm@wkuvx1.wku.edu (G. Michael Pletcher)
Subject: Are Norton Antivirus upgrades on the internet? (PC)

Are the Norton Antivirus upgrades available anywhere on the internet? I know that I can get them through the Norton Antivirus Forum on Compuserve each month.

Thanks

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 46]
*****************************************
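Added example, appended after the digest and not part of any post above: a small Python checker for a 512-byte boot-sector image such as the drive_a.boo file that the DEBUG script in Moy Wong's message writes. It parses the BIOS Parameter Block, checks the fields every DOS-formatted floppy carries (Roger Thompson's point that a formatted disk has a boot record whether it is bootable or not), and compares the sector against a stored digest, which is the checksummer approach he recommends. The 1.44 MB sample sector is constructed here, not captured from a real disk.

```python
"""Check a saved 512-byte DOS floppy boot-sector image such as drive_a.boo.

Added example (not code from any poster): parses the BIOS Parameter Block,
checks the fields a DOS-formatted floppy carries, and compares the sector
against a stored SHA-256 baseline as an integrity checker would.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

# BIOS Parameter Block of a DOS 3.x+ boot sector: offsets 11..27, little-endian.
_BPB_FORMAT = "<HBHBHHBHHH"
_BPB_FIELDS = (
    "bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
    "fat_count", "root_entries", "total_sectors", "media_descriptor",
    "sectors_per_fat", "sectors_per_track", "heads",
)


def parse_boot_sector(sector: bytes) -> dict:
    """Return jump bytes, OEM name, BPB fields and boot signature of a sector image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    info = dict(zip(_BPB_FIELDS, struct.unpack_from(_BPB_FORMAT, sector, 11)))
    info["jump"] = sector[0:3]
    info["oem_name"] = sector[3:11].decode("ascii", "replace").rstrip()
    info["signature"] = sector[510:512]
    return info


def check_boot_sector(sector: bytes) -> list:
    """Return structural problems; an empty list means the boot record looks sane."""
    info = parse_boot_sector(sector)
    problems = []
    if info["jump"][0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP opcode")
    if info["bytes_per_sector"] != SECTOR_SIZE:
        problems.append(f"bytes per sector is {info['bytes_per_sector']}, not {SECTOR_SIZE}")
    spc = info["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
    if info["fat_count"] not in (1, 2):
        problems.append(f"unusual FAT count {info['fat_count']}")
    if info["media_descriptor"] < 0xF0:
        problems.append(f"media descriptor 0x{info['media_descriptor']:02X} is not a DOS value")
    geometry = info["heads"] * info["sectors_per_track"]
    if geometry == 0 or info["total_sectors"] % geometry:
        problems.append("total sectors do not fit the heads x sectors-per-track geometry")
    if info["signature"] != BOOT_SIGNATURE:
        problems.append("missing 55AA boot signature")
    return problems


def sector_digest(sector: bytes) -> str:
    """SHA-256 of the whole sector: the value an integrity checker stores as its baseline."""
    return hashlib.sha256(sector).hexdigest()


def matches_baseline(sector: bytes, baseline_digest: str) -> bool:
    """True when the sector is byte-for-byte what was recorded earlier."""
    return sector_digest(sector) == baseline_digest


def build_sample_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector with a placeholder code area (not a real capture)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"        # JMP SHORT to the code area, then NOP
    sector[3:11] = b"MSDOS5.0"           # OEM name
    struct.pack_into(_BPB_FORMAT, sector, 11,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (the boot sector itself)
                     2,      # FAT copies
                     224,    # root directory entries
                     2880,   # total sectors: 80 tracks x 2 heads x 18 sectors
                     0xF0,   # media descriptor of a 3.5" 1.44 MB floppy
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2)      # heads
    sector[62:64] = b"\xcd\x18"          # placeholder code area: INT 18h
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def with_altered_code_area(sector: bytes) -> bytes:
    """Constructed change to the code area only: the BPB stays valid but the digest changes."""
    altered = bytearray(sector)
    altered[62:66] = b"\xfa\x33\xc0\x8e"  # different first instructions
    return bytes(altered)


if __name__ == "__main__":
    good = build_sample_sector()
    changed = with_altered_code_area(good)
    print("problems:", check_boot_sector(changed) or "none",
          "| baseline match:", matches_baseline(changed, sector_digest(good)))
```

The altered sector passes every structural check yet fails the baseline comparison, which is why the checksum, not the BPB, is what tells you the boot record changed.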