VIRUS-L Digest   Thursday, 11 May 1995   Volume 8 : Issue 52

Today's Topics:

Virus Alert on Net (PC)
Re: Butthead Virus solutions (PC)
Big Caibua virus alert on net - (PC)
Effects of Viruses to Organizations
Evals of AV customer service
Re: More on "mail" virals and "Good Times"
Snooping Viruses
Tired of bogus virus scares
Welcome-B virus...Clean? (PC)
Whisper.Tai-pan (PC)
HELP! Need tbav625.zip (Dos) !!! (PC)
Re: Win-32-bit access (PC)
Re: erkl virus?? (PC)
Re: AVP and ZIP files (PC)
Re: Here's info on new(?) virus "Havoc ][". Discussion Welcome. (PC)
Risky Business virus?(PC)
Re: Anyone heard of this virus??? (PC)
Re: Does this sound like a virus? (PC)
Gneb (PC)
Help: Attacked by Monkey A and Stoned (PC)
McAfee Vshield 2.2.221 doesn't protect against tequila_and_beer (PC)
mcafee VSHIELD (PC)
Re: Shareware - registered vs. not registered (PC)
FDISK /MBR Question (PC)
Re: Anti-virus hardware + Artificial life? (PC)
dh2 virus (PC)
Scanners getting slower (benchmarks) (PC)
Mercedes-E marketing spreads virus (PC)
Re: Million Dollar Virus (PC)
B1-NYB is killing my disk files - (PC)
Re: Urkel (PC)
NYB Virus? (PC)
Re: Update Signatures for MS-AV? (PC)
Pathogen/Queeg (PC)
Re: Anyone heard of this virus??? (PC)
Pepper virus (PC)
Re: AOL Virus, a New Take? (PC)
Re: Copying a boot sector to a file (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 09 May 95 12:51:13 -0400
From: nhirsch@nha.com (Norman Hirsch)
Subject: Virus Alert on Net (PC)

There is a virus currently available via the Internet that you should be careful about, since it is not detectable by current anti-virus scanners. I received two samples of the "Big Caibua" virus on Friday from a user in Ontario, Canada, whose machine was totally infected. The naming I chose is due to the words that appear when the virus shows itself (see description below). It took a few days to see the actual "penis" run across the screen, but it did infect a machine here.

The virus infects .COM and .EXE files whether they are write protected or not. With the exception of finding virus-like indications by TBAV in high heuristics mode and AVP in high reliability mode, it is undetected by the most current versions of McAfee, F-PROT Professional, Dr. Solomon, Sophos, TBAV, AVP, NAV. I sent the samples of the virus out to everyone above today. McAfee and IBM have already received samples of the virus, and IBM has already responded with preliminary information on the virus (see below).

- ---------------------------------
Subject: URGENT! NEW VIRUS ALERT!
Author: owner-pc-telephony@netcom.com at unixgtwy
Date: 5/8/95 10:55 PM

From Richard De A'Morelli, Editor, PC-Telephony

URGENT!!! VIRUS ALERT!!!

Please read carefully -- this is not a prank. A new virus has appeared on the Internet. It infected all eight of my networked PC's, and I have spent the past 72 hours trying to figure this thing out and get rid of it. (no sleep, really tired, excuse the typos).
I have managed to disinfect my network, and this letter explains what I have learned about this virus and how it works.

During the past week, I downloaded 10-12 files from three very popular Internet sites and one busy BBS (6 or 7 of those files came from a Simtel mirror). I can say that the virus originated from one of those files. It is therefore an imminent threat to the Net community.

Here is how the virus works...

At about 5pm, a dumb-looking sprite (ASCII graphic) of a phallus appears at the bottom of the screen, scrolling slowly from the left (about 6 columns wide, maybe 8 rows high). It stops at the center of the screen, beeps over and over, and then "shoots" an "!" up the screen in slow motion, beeping loudly all the while (damned annoying); this repeats three times, and then the graphic scrolls to the right and disappears off the screen. Immediately below the drawing appear the words "Big Caibua!" whatever the hell that means. This happens more and more often as you are working. Then, mysteriously, it stops -- until the next evening. By setting my system clock to 9pm, I was able to stop the stupid graphic from appearing (however, the virus was continuing to replicate in the background).

Here is what I have learned about this virus, which I've named BUTTHEAD in honor of the juvenile jackass that wrote it...

It is evidently NEW. During the past 72 hours, I tried at least a dozen different anti-virus programs, including McAfee's latest, IBM, ThunderByte, etc -- ALL FAILED TO DETECT THIS VIRUS. In addition, the BBS scanning programs do not detect this virus. I uploaded a zip'ed file containing this virus to the IBM Anti-Virus BBS this morning (with their knowledge and consent of course), and their BBS scanned it and accepted it as being fine. Until a disinfectant for this becomes available from McAfee and others, DO NOT ASSUME THAT FILES ARE SAFE SIMPLY BECAUSE YOUR LOCAL BBS IS RUNNING AN ANTI-VIRUS SCAN PROGRAM!

BUTTHEAD affects *ONLY* .COM files.
It does not seem to affect the hard disk boot sector and it does not reside in memory. It is extremely dangerous, however, because simply running one infected .COM file will cause ALL OTHER .COM files in that directory to become infected. Running any of those files will then infect all .COM files in the next directory, and on and on. Nearly 200 files all across my network were infected within minutes. Also important -- the stupid animation only runs at 5pm and stops after a few hours -- but the virus keeps right on working and infecting other .COM files regardless of the time.

How to spot an infected .COM file...

(1) It will be 2,280 or 2,285 bytes LARGER than the clean file started out.

(2) The FIRST CHARACTER in the file will be an ASCII 231.

(3) The 2K-plus packet that contains the virus is tacked on at the end of your infected .COM file. All infected files will contain the same unique "signature" or character sequence within those last bytes -- "NGiK". If you use a file searcher program, you will find this same signature can also be found in a .ZIP file that contains an infected .COM file. I scanned close to 20,000 files on eight machines and that character sequence turned up in 178 .COM files -- all infected. It did NOT appear in any other file. (Note that case does matter -- "ngik" will appear in some .WAV files and is not a virus; "NGiK" is the character grouping to watch out for.)

What to do if this virus infects your machine...

I have contacted IBM and McAfee about BUTTHEAD and I am sure that they will have disinfectants for this virus shortly. Until then, DO NOT RUN ANY .COM FILES AT ALL. This thing spreads quickly, and you will infect all other .COM files wherever you go. I was able to run .EXE files, however, with no problem, and without infecting any other files.

BE CAREFUL downloading files from Internet and other BBS sources. As I mentioned, the BBS scanning programs are NOT catching this virus at the present time.
If you do find this annoying virus on your system...

I was able to completely purge BUTTHEAD off my network using a text searching utility to find the infected files and then replacing them with clean files -- I will put this utility and some instructions in my FTP directory if anyone needs it -- after I get some sleep -- 72 hours non-stop of this is enough.

Richard De A'Morelli

- ------------------
From: "David M. Chess"
To: nhirsch@nha.com
Subject: Bua-2263

This is a relatively unsophisticated virus, of a kind that doesn't normally spread very well in the wild. My strong suspicion is that it was planted somewhere by the author in the last couple of weeks (perhaps in a program uploaded to a popular BBS or Internet software repository), and the couple of reports we've seen have both been from people who were infected directly by the program that the author planted. Since the virus begins to display its very obvious payload on May 5, 1995, it's unlikely that it will spread any further without being immediately detected, so I suspect we will not have any long-term problems with it.

It is a non-resident infector of *.COM files in the current directory and on the PATH. If the date is May 5, 1995 or after, and the time is between 3pm and 7pm, it will display a distinctive phallic screen effect. Also at these times, it will check an internal counter, and if the value in the counter is high enough, it will execute various damage routines. These damage routines include the creation of directories with obscene names, the erasing of the first file in the current directory on the default drive, and damaging the data on the C: drive by overwriting the system boot record, FATs, and other system areas. The value of the counter in the samples that we have seen is considerably lower than the trigger value for these damage effects, and if the virus goes extinct quickly (as is likely), it may never get a chance to do its damage.
The virus contains, in trivially-encrypted form, a long rant, typical of the low-end virus-writing scene, with many obscenities and references to virus writers and anti-virus people.

The internal counter used by the virus as a damage trigger is also used as the number of bytes to add to infected files. The virus's actual length is approximately 2263 bytes; the damage routines are not invoked until the counter reaches the value 2296.

The following signature may be put into a file called ADDENDA.LST in the IBMAV directory to enable IBMAV to detect this virus:

51BE01018B1481C2F7058BF2FC90E88908 %s the Bua-2263 %s (COM. Mismatches=01.)

- --
David M. Chess
High Integrity Computing Lab
IBM Watson Research

- ---
Norman Hirsch              Phone: 212-304-9660
NH&A                       Fax: 212-304-9759
577 Isham St. # 2-B        BBS: 212-304-9759,,,,,,,3
New York, NY 10034         CompuServe: 72115,661
USA                        Internet: nhirsch@nha.com

------------------------------

Date: Wed, 10 May 95 23:03:08 -0400
From: nhirsch@nha.com (Norman Hirsch)
Subject: Re: Butthead Virus solutions (PC)

The following anti-virus developers have acted very quickly in providing immediate solutions for the new virus BUTTHEAD, AKA "Big Caibua", Bua, Bua-2263, Vienna.2279, Big Caibua.2275. Thanks to them for providing the information below. This information was obtained in less than 24 hours' time from receipt of the samples. Undoubtedly this was much less time than the time it took the writer of the virus to create it. Most of the methods provided were tested and all that were tested were successful.

IBM's IBMAV:
virus is identified: Bua-2263
The following signature may be put into a file called ADDENDA.LST in the IBMAV directory to enable IBMAV to detect this virus:
51BE01018B1481C2F7058BF2FC90E88908 %s the Bua-2263 %s (COM. Mismatches=01.)
contact IBM if you are a paid customer for removal capability

Central Command's AVP:
virus is identified: Vienna.2279 (variant of Vienna virus)
Immediate: one can obtain the updated .AVB (VIENNA.ZIP) file and place it in the AVP22 sub-directory and edit the AVP.SET file to include the new anti-virus base file. Also include the Vienna.TXT file in the same directory.
Future: Detection and cleaning of this virus will be included in the normal weekly update.
If you need help, call Keith at 216-273-5743

NetZ's InVircible:
Immediate and future: virus can be detected and cleaned by following a series of steps posted elsewhere using current versions. NetZ also provided a string that can be used by other scanners, which was extracted automatically by IVX, the hyper-correlator of IV.
Hex signature for "Big Caibua": 7E 4F E9 5B 45 8F 46 54 25 63
contact: netz@actcom.co.il for further information.

Dr. Solomon's Toolkit:
Immediate: infections of the virus can be detected and cleaned by obtaining a driver CAIBUA.DRV from Dr. Solomon's BBS and using the command:
FINDVIRU /EXTRA=CAIBUA.DRV /REPAIR
Future: will be included in updates/revisions
virus was identified: Big Caibua.2275 virus

Command Software's F-PROT Professional:
Immediate: a special version of F-PROT was created, filename FP-217E.ZIP; virus detected and removed successfully.
Future: will be included in updates/revisions
virus is identified: Bua

Sophos SWEEP:
Immediate: a detection string was provided to detect the virus, to be used in a file named Sophos.IDE as follows:
2eab 1abb 8c78 ff3e 9eab e012 fbe3 05c0 abb9 4283 85f8 34d7 44b8 ef20 a5a1 143a 44a7 cf63 3454 1437 44a1 2f09 f12c 12f5
Copy to the SWEEP directory and run SWEEP.
virus is identified: Bua

McAfee's VirusSCAN:
Immediate: a detection string was provided, to be added to the detection capability with the utility EXTDAT.
Future: detection and removal capability will be provided in future versions.
detection string for use with EXTDAT:
'EB9051BE8B818BFC90E8D855BBA217390E88074A7FEDA913262CA892CAAFE1' Bau.2263
virus is identified: Bua-2263

Additionally:
TBAV sample sent to ESSAS for evaluation.
NAV sample sent for evaluation.

Please contact me via e-mail if you need immediate assistance.

- ---
Norman Hirsch              Phone: 212-304-9660
NH&A                       Fax: 212-304-9759
577 Isham St. # 2-B        BBS: 212-304-9759,,,,,,,3
New York, NY 10034         CompuServe: 72115,661
USA                        Internet: nhirsch@nha.com

------------------------------

Date: Wed, 10 May 95 13:05:50 -0400
From: netz@actcom.co.il (Zvi Netiv)
Subject: Big Caibua virus alert on net - (PC)

-=> Quoting Nhirsch@nha.com (Norman Hirsch) to All <=-

Nh> There is a virus that is currently available via Internet that you
Nh> should be careful since it is not detectable by current anti-virus
Nh> scanners.

================================================================
Big Caibua Virus, Information Sheet: From NetZ Computing, Israel
================================================================
How to detect, how to remove.

> Subject: URGENT! NEW VIRUS ALERT!
> Author: owner-pc-telephony@netcom.com at unixgtwy
> Date: 5/8/95 10:55 PM
> From Richard De A'Morelli, Editor, PC-Telephony
>
> Please read carefully -- this is not a prank. A new virus
> has appeared on the Internet. It infected all eight of my
> networked PC's, and I have spent the past 72 hours trying
> to figure this thing out and get rid of it. (no sleep,
> really tired, excuse the typos). I have managed to disinfect
> my network, and this letter explains what I have learned about
> this virus and how it works.
>
> During the past week, I downloaded 10-12 from three very popular
> Internet sites and one busy BBS (6 or 7 of those files came from
> a Simtel mirror). I can say that the virus originated from one
> of those files. It is therefore an imminent threat to the Net
> community.

Caibua is a direct action virus (not memory resident) that infects COM files only.
Its size is from 2270 bytes and it increases gradually with further infections. Every time an infected file is executed, Caibua infects two more COM files, first in the current directory, then in the DOS search PATH. Caibua does not infect COMMAND.COM.

Destructive routines were found in the virus code. Among them: formatting of track zero, deleting the first file in a directory, creating sub-directories with obscene names, and random corruption of data. The destructive routines are triggered when a counter value in the virus code reaches a given threshold.

Starting at 15:00 PM, when executing an infected file, Caibua will start its phallic screen animation. The virus manifests its presence quite visibly. Since Caibua discloses itself so easily, it will probably never become common or widespread. This is the "Survival of the Fittest" rule in computer virology. :-)

Caibua is easily detected and removed by InVircible. No changes are required in InVircible to detect and clean this virus.

Detection with InVircible.
==========================

Since Caibua isn't memory resident, it doesn't trigger any of IV's baits. Yet the changes in files' size are immediately disclosed by either the daily IVB check or at boot time, if it already infected a COM file in the root directory.

Removing Caibua.
================

First check all drives with IVB. COM files that increased in size by about 22xx bytes are infected by the virus. Since the virus is not memory resident, it can be removed without needing a clean boot. Yet it's good practice to boot clean from your IV rescue floppy to recover your files. Use the "restore" function of IVB, from the main menu (or IVB C: /R from the command line).

IMPORTANT: Before proceeding with the recovery, save a copy of an infected file on a floppy. You will need it later for identifying the source of infection, with the correlator, or for cleaning machines (and file servers) that were not secured with InVircible.
When done with the recovery with IVB, check whether there are more infected files that weren't secured, by using the IVX correlator. Caibua is a simple, plain virus (the virus code is encrypted, yet it uses the same algorithm in all copies). IVX will correlate the infected files with a steady similarity factor of 84%. The IVX bar-graph of Caibua is typical and easily recognizable. Run IVX as follows (or just run IVX and use the interactive dialogue box):

IVX drive_to_search:\

Set the detection threshold to 83% (to avoid false alarms) and start a first run without renaming the infected files, just to assess the extent of the infection. On the next run, select the "rename" option and all the infected files will be renamed with an *.IVC extension (for COM files). You can print the report (PRINT drive:\IVX.RPT) to list the files that need to be replaced.

If you had InVircible installed and IVB DAILY running in your autoexec, then the above should not take more than five minutes, and you have also spotted the source of the infection.

Cleaning a virgin machine.
==========================

As explained, Caibua manifests its presence quite loudly. On machines without a previous InVircible installation, the cleaning consists of just spotting the infected files and replacing them. This is easiest done with the IVX correlator. Spot one infected file (or use the sample saved). Obviously, this is the COM file bearing the name of the program that you had just executed when the Caibua show on screen started. Correlate as above, with the rename option set ON. With InVircible installed before being hit, you'll need to replace only a couple of files at the most.

Cleaning a file server.
=======================

Disconnect all logged workstations. Clean first the workstation from which you log in (or log in after booting from a known clean floppy).
Proceed on the file server exactly as described above: If InVircible was installed and run regularly on the server files, then use IVB /R network_drive:\ and then spot the infected files that were not secured with IVX (same as above). If the server wasn't secured with IVB, then you can use IVX and replace the infected files, after renaming them with IVX. Don't forget to log in with supervisor's rights. Clean every workstation that has a hard disk, before allowing it to log back in to the network. The whole task, above, shouldn't take more than an hour. Read appendix A in InVircible's manual on how to handle networks with IV and how to secure all workstations from the server.

Note: All files restored from Caibua by IVB are perfectly restored to the byte and to the original time stamp! There is no need to replace them as they are as good as new.

Scan string:
============

The following signature was automatically extracted by IVX for Caibua and can be used to scan with AV products that accept user defined signatures:

7E 4F E9 5B 45 8F 46 54 25 63

Note: InVircible does not use scan strings, and IVX is a statistical correlator, not a signature string extractor. The above is just a by-product of IVX working and brought as such.

Summary.
========

Caibua is a typical example of how InVircible can be used to rapidly solve NEW virus problems.

Regards, Zvi

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible
NetZ Computing Ltd, Israel          Fax +972 3 532 5325
email: netz@actcom.co.il   netz@InVircible.com
CompuServe 'GO InVircible'
Author's: ftp.datasrv.co.il/pub/usr/netz/
Anonymous ftp: InVircible.com
- -------------------------------------------------------------------------

------------------------------

Date: Wed, 10 May 95 06:23:11 -0400
From: hwic22@uow.edu.au (HEI WAH IVY CHU)
Subject: Effects of Viruses to Organizations

Dear viewers,

I am doing research on the topic of "Effects of Computer Viruses to Organizations".
I have explored quite a number of journals (computing and business ones); unfortunately, I am not able to locate typical information related to the damages in monetary terms, working hours losses, and any other associated impacts. I need help in finding information on these; if anyone has any idea of where I can get this information from, please let me know.

Thanks

------------------------------

Date: Wed, 10 May 95 06:26:54 -0400
From: G Martin
Subject: Evals of AV customer service

I've seen several formal and informal evaluations of various anti-virus products, but so far I've seen almost nothing in the way of how good each company's customer service was before and after the sale. I'm especially interested in learning more about how helpful companies were when their hotlines were called by people who needed help resolving virus problems. How did they rank in these areas, for instance:

1. Were they available when you needed them? Do they even have a hotline?
2. If they're based out of the US, did they have support you could contact in the US?
3. How helpful was the advice they gave? Were they knowledgeable?
4. If data was lost due to a virus, were they able to help you recover it?
5. Were they courteous?
6. Was there a toll-free number to call? If not, did they keep you on hold a long time?
7. Did they explain in terms you could understand exactly how your particular virus does its damage, and what triggers it?
8. Did their product do the job of removing it?
9. Do they have an in-house virus lab for analyzing unknown viruses if such a service is needed?

I am interested in learning about formal evaluations, and anyone's individual experiences. I had a recent experience myself with the McAfee hotline that I'll share later when I get time to type it up.
Gary Martin
gmartin@FREENET.COLUMBUS.OH.US

------------------------------

Date: Wed, 10 May 95 11:29:30 -0400
From: Christian.J.Reichetzeder@VM.AKH-WIEN.AC.AT
Subject: Re: More on "mail" virals and "Good Times"

On Tue, 09 May 1995 16:51:23 -0400 Rob Slade said:
> [...] The CHRISTMA EXEC
>worm was text, contained in an email message. However, the VM systems which
>it targeted had REXX interpreters associated with the mail system, so REXX
>source code, which was text, was able to be "run" as a program.

That's pretty wrong in several places. CHRISTMA EXEC was NOT sent as mail, and EXEC is the filetype (extension, whatever, ...) of an interpretable file - similar to the .bat extension. It was clearly sent as an executable and the problems came because people executed it blindly - they *had* to do this deliberately, it didn't even "sneak in". People looked at the initial comments where it said "please execute me" and they did. That's all. There's nothing in VM (or better: CMS) which "associates" some interpreter to some text, and even sneaking in something is hard because the user has to lower all shields which are usually up before this can happen.

Christian

------------------------------

Date: Wed, 10 May 95 13:26:05 -0400
From: ess@netcom.com (Eric Swildens)
Subject: Snooping Viruses

A number of companies are working on secure communications for doing Internet business with the idea that they can make their products fully secure by using an unbreakable (computationally infeasible) algorithm. This requires a secure machine to do the encryption and it seems many are assuming that people's machines at home are secure. An Internet-aware virus would have the ability to invade your privacy as well as destroying your data. I haven't seen one of these for PCs yet, but I can fully imagine them being created since these types of viruses would be able to steal credit card numbers, etc. instead of just corrupting data.
One could be crafted to infect specific WEB browsers found on a system, for example. Just a thought.

ESS

------------------------------

Date: Wed, 10 May 95 15:50:46 -0400
From: Iolo Davidson
Subject: Tired of bogus virus scares

Dolson@scottsvy-msm.sv.gpsemi.COM "H. David Olson" writes:

> In the last three years I have had the fun and fortune to play
> administrator and tech for various companies. Almost every company with
> E-Mail gets the same message passed through the system. "Watch out for the
> (insert latest name) message, it is a virus that is passed as an E-Mail
> message and just opening it will infect your machine"

The bogus "Good Times" virus warning was printed as a serious alert in the Guardian, a British national daily newspaper, at the beginning of May. They must have caught it on its third circuit, after two rounds of expert debunking. It can be seen from this that it is impossible to get anyone to pay any attention to the unexciting truth when the rumours are so sexy.

- --
POLITICAL PULL        FOR RAZOR PULL
MAY BE                THERE'S NO EXCUSE
OF USE                Burma-Shave

------------------------------

Date: Tue, 09 May 95 18:47:39 -0400
From: holliday@unixg.ubc.ca (Brent Holliday)
Subject: Welcome-B virus...Clean? (PC)

I have the WelcomeB virus according to McAfee's latest (04/15/95) virus checker. It says that it can't clean it, though. I found no more updates at McAfee's FTP. How do I get it cleaned? Thanks. Please e-mail my response as I am not on the listserv.

________________________________________________________
Brent Holliday, Propeller Head Consulting X:-)
holliday@unixg.ubc.ca
"The best thing that you've ever done for me is to help me take life less seriously.... it's only life after all"

------------------------------

Date: Tue, 09 May 95 19:30:57 -0400
From: Steve Toth <75563.3546@CompuServe.COM>
Subject: Whisper.Tai-pan (PC)

I have just been hit with whisper.tai-pan; it got to a bunch of my DOS executables.
I was using McAfee and it couldn't clean some of the files. It says they can be cleaned; what's up?? E-MAIL me

------------------------------

Date: Tue, 09 May 95 19:49:49 -0400
From: stukenbr@Info.UCLA.EDU (guest)
Subject: HELP! Need tbav625.zip (Dos) !!! (PC)

Hello there,

I am desperately searching for TB Antivirus 6.25 (I need exactly that version!). I caught a Stoned.Empire.Monkey virus and it screwed up my partition table; I can't access the hard disk anymore. Well, I thought I might be able to fix that since I made a backup of the system information with TBUtil, and after getting the newest version of TBAV (6.34) I tried to restore this data. But TBUtil just complains that my datafile was created with another version and I would need that version - I don't have it anymore. But without it my hard disk is gone. So please, does anyone out there know where I can get either tbav625.zip or at least the files tbutil.exe and tbutil.lng of that version? Anyone who could mail it to me? PLEEEASE, I am pretty desperate out here and would be extremely grateful for any help... Thanks!

BTW: I know that there is a way to remove boot viruses with fdisk /mbr. I tried that already and actually that's the way I really made my disk inaccessible - so I need to get my old partition table on again.

Any help is highly appreciated at: Kai Stukenbrock

Thanks!

------------------------------

Date: Tue, 09 May 95 19:51:52 -0400
From: simonb@melbpc.org.au (Simon Basterfield)
Subject: Re: Win-32-bit access (PC)

I had a problem recently with Windows 32-bit disk access refusing to start on a PC. Using Dr Solomon's AVTK v7.00, I tracked down and successfully removed the Wonka virus that was infecting the hard disk partition.

,-._|\    Simon Basterfield
/  Oz  \  Member, Melbourne PC User Group
\_,--.x/  Melbourne
      v   AUSTRALIA

------------------------------

Date: Tue, 09 May 95 20:23:22 -0400
From: Keith@slip.netcom.com
Subject: Re: erkl virus?? (PC)

writes:
> A friend of mine claims he has a virus called "Erkl" or "Erkle" or
> something that sounds like that. I don't seem to have any references
> that mention it. Anyone know something?

Actually it's URKEL and it's in the wild in the eastern US. AntiViral Toolkit Pro (AVP) 2.2 with at least the 4/28/95 update can find and clean this virus.

Keith
Central Command Inc.

------------------------------

Date: Tue, 09 May 95 20:19:04 -0400
From: Keith@slip.netcom.com
Subject: Re: AVP and ZIP files (PC)

writes:
> sdeluty@mcan00.med.nyu.edu writes
>
> >Could somebody PLEASE post the exact and correct address for accessing
> >a copy of this program.
>
> I have seen AVP on the oak.oakland.edu FTP site.
>
> >Does anyone know for a fact if this program can really detect viruses
> >within zip files.
>
> Yes. AVP can be configured to scan inside of .ZIP and .ARJ archives. AVP
> doesn't handle encrypted archives yet.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Mr. Lambdin:

I do not know of *any* virus scanner or any AV utility that can virus scan within an encrypted ZIP or ARJ archive. Your statement sounds like there is some product that can. If you know of one please let me know. :-)

Sincerely,
Keith A. Peer
CENTRAL COMMAND INC.

------------------------------

Date: Tue, 09 May 95 20:24:30 -0400
From: Keith@slip.netcom.com
Subject: Re: Here's info on new(?) virus "Havoc ][". Discussion Welcome. (PC)

> We are a Toshiba Premier Service center in Dallas. I've had 2 machines
> on my bench this week that are infected with the "havoc][" virus.
> Machines exhibit the symptoms already mentioned here. When booted from
> clean floppy, the hdd is not accessible. Fdisk reports a single non-dos
> partition. If you use a diskeditor such as Norton's and choose physical
> drive rather than logical drive, you can do a "find" for the text string
> "havoc". On several floppies that I "test infected", you can use the
> same utility to view the disk.
> The apparent beginning of the virus code
> can be found at cluster 2483. At this location you find the text string
> "havoc][". Just below this location you will find the (relocated) boot
> sector. I've FedEx'd an infected diskette to McAfee this afternoon, and
> hope to hear something back shortly.

AntiViral Toolkit Pro version 2.2 with update 4/28/95 can find and clean this virus for you! This virus is in the wild in the US. You can get an evaluation copy of AVP from ftp.netcom.com pub/ka/kapeer

Keith Peer
Central Command Inc.

------------------------------

Date: Tue, 09 May 95 21:17:33 -0400
From: p.chapman@info.curtin.edu.au (Peter Chapman)
Subject: Risky Business virus?(PC)

We have had two separate incidences of virus-like behaviour on two separate PCs. Both occurred in Windows (TM) and involved the screen displaying rubbish (random characters and colours) before exiting to DOS. In one incident a message was displayed saying: "You've been up to Risky Business" before exiting to DOS. In the other case no message was noticed (which doesn't necessarily mean that there wasn't one). These machines are connected to our LAN and files are transferred between them often.

I cannot find any reference to a "Risky Business" virus in the FAQ or in any of the virus lists (McAfee, F-prot, MSAV); mind you, some of them are pretty old (age>12 months). Is this a recognized virus and if so what is the fix?

Please note that the description of these symptoms is second hand (it didn't happen to me) and is perhaps not exact.

advTHANKSance,
Chappy.

------------------------------

Date: Wed, 10 May 95 00:10:19 -0400
From: sullivan@immuno.imvs.sa.gov.au
Subject: Re: Anyone heard of this virus??? (PC)

Neal wrote

>When I print through DOS on my HP everything works fine. BUT, when I print
>through windows, the true type fonts print little marks all over the paper.
>They kinda resemble bar codes. The regular (not true type, forgot the name)
>fonts print fine. Is this a virus??
>If anyone has experienced this or can

I have had a similar problem after installing a new printer driver. You have two options:

1) Reinstall the Universal Printer Driver (the name escapes me but something like hpdrv*.dll) from the windows diskettes.

2) Connect to HP, ftp-bio.external.hp.com, and download the new drivers.

Good Luck

------------------------------

Date: Wed, 10 May 95 00:58:14 -0400
From: Robert Conrow
Subject: Re: Does this sound like a virus? (PC)

Yes, this does sound like a virus. If this virus can't be found or cleaned after he boots from a known CLEAN DOS diskette then reformatting the Hard Drive probably won't be enough. When partition damage happens, unless you can find a program that can fix the partition then the best thing to do is:

- boot from a clean DOS diskette
- run fdisk and delete the primary DOS partition
- reboot?
- run fdisk and create the primary DOS partition again
- format with the /s switch

This is the only way I know to remove ALL damage from an infected or damaged partition.

Good Luck!!
Rob

------------------------------

Date: Wed, 10 May 95 02:21:11 -0400
From: aa831@freenet.carleton.ca (Bijan Razavi)
Subject: Gneb (PC)

Last week my home computer got infected by a virus called Gneb which attacks the boot sector, though none of my AV programs mentioned it in their virus list. This problem is still coming back very often. Does anybody know how to get rid of it? Which AV will do the job?

Thank you

------------------------------

Date: Wed, 10 May 95 03:09:42 -0400
From: Otis INDEX
Subject: Help: Attacked by Monkey A and Stoned (PC)

Hello,

Two of our PCs were infected by Monkey A and Stoned. We are running (were running) a Pentium 60 and an IBM 486 dx4/100 both with Win95 final beta and McAfee antivirus software and somehow they snuck in.
Any ideas on
A) how to get rid of the viruses
B) what antiviral software (or suites) is the best to prevent further problems
C) any FAQs on these topics

Any help is appreciated and if you could email as well as post, we would be eternally grateful.

cheers,
Gordon
__________________________________________________
Otis INDEX
http://www.interlog.com/~gordo/
gordo@interlog.com
rklama@interlog.com

------------------------------

Date: Wed, 10 May 95 03:27:12 -0400
From: gkuijper@inter.nl.net (Gerrold Kuijpers)
Subject: McAfee Vshield 2.2.221 doesn't protect against tequila_and_beer (PC)

L.S.,

When testing McAfee's Vshield product, I found out that the most recent version of this product (Version 2.2.0 with 2.2.221 data files) does NOT protect against the tequila_and_beer virus. I started an infected program, but Vshield didn't warn against the virus. The McAfee Vscan program detects it however. On rebooting my PC Vshield detects the virus and gives a warning ('warning TEQUILA.MBR found in memory....'), but apparently not on executing a program infected with Tequila. I start Vshield first thing in my autoexec.bat file, with no options (so DEFAULT mode).

Does anybody know if earlier versions of Vshield do what they are supposed to do (protect my PC from getting infected!)

Greetings,
Gerrold Kuijpers

------------------------------

Date: Wed, 10 May 95 05:00:38 -0400
From: jamelia@isn.net (Joe Amelia)
Subject: mcafee VSHIELD (PC)

How do I remove mcafee VSHIELD??

[Moderator's note: Follow-ups by e-mail, please - not to the group.]

------------------------------

Date: Wed, 10 May 95 05:39:12 -0400
From: weissel@moon.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: Shareware - registered vs. not registered (PC)

"Lic. Jose Anaya P." (joanaya@academ01.mty.itesm.mx) wrote:

[Make_a_fee is an evaluation copy]

:->at your will unless you pay their price.
:->F-PROT, on the other
:->hand comes in two flavors: shareware and Professional, the
:->latest being quite different from the shareware distributed
:->counterpart, but also, in any case, none is for free, only the
:->chance to test the product for a limited time is free.

This is NOT correct. If you use F-Prot privately, not for business, then you are NOT required to register. The program package states this quite clearly. So I guess you do not have F-Prot - Shareware.

Now what are the tremendous differences between the shareware and the professional version?

- Wolfgang

------------------------------

Date: Wed, 10 May 95 08:38:02 -0400
From: ivory@netcom.com (Ivory Dragon)
Subject: FDISK /MBR Question (PC)

Got a call from someone with ANTIEXE in their MBR. I advised them to make a clean bootdisk, and copy FDISK to it, in order to rebuild the MBR.

Question: Does the DOS version that the hard disk is running make any difference to the version of FDISK? i.e. Can FDISK from MSDOS 6.23 be used on a hard drive running IBM DOS 3.3?

Thanx,
Ivory

------------------------------

Date: Wed, 10 May 95 08:38:08 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Anti-virus hardware + Artificial life? (PC)

>_fairly_ reliable, but probably not _completely_ reliable. I think, for
>example, that if a virus was to make calls directly to the BIOS, rather than
>using the interrupt system, it would bypass it.

uh...no, this is a part of the BIOS itself, so that wouldn't work. However, writing directly to the hardware would do the trick...

-frisk

Fridrik Skulason      Frisk Software International      phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-5-617274

------------------------------

Date: Wed, 10 May 95 08:45:12 -0400
From: evanj@singnet.com.sg
Subject: dh2 virus (PC)

I have picked up a small utility in Jakarta, which can remove the dh2 virus, without damaging exe files. Where should I post it, for others to download?
------------------------------

Date: Wed, 10 May 95 09:59:25 -0400
From: petteri@pjoy.fi (Petteri Jarvinen)
Subject: Scanners getting slower (benchmarks) (PC)

I have done some testing using current and year old AV-programs. I wanted to find out how much new viruses have hurt time required for scanning a clean machine. I used two different test machines, which were both clean (i.e. no viruses). Since Solomon and McAfee both check all DLL-files by default and F-PROT doesn't, I also calculated number of scanned files per second.

As we can see from figures below, all programs (except DOS-version of McAfee Scan, due to a complete rewrite of the program) have become much slower. It now takes about twice as long to scan a hard disk than it took a year ago. Twofold increase in number of known viruses has also doubled time required for scanning.

I find this trend alarming. If new viruses keep appearing at the current pace, sooner or later these programs will be intolerably slow.

What could we do? Upgrade all PCs to Pentium level? Or forget all those exotic "viruses", which have never been seen wild and exclude them from the search? Or try some new kind of heuristic approach, which doesn't rely on search strings?

Here are test results:

Compaq 486/33, 540 MB hard disk with many Windows applications on disk

                  SPRING 1994                    SPRING 1995
            time (s)  files  files/sec     time (s)  files  files/sec
DOS
  F-PROT       44      575     13.1           77      575      7.5
  McAfee      243     1251      5.1          167     1239      7.4
  Solomon      59     1240     21.0           92     1305     14.2
WINDOWS
  F-PROT                                      93      567      6.1
  McAfee                                     161     1239      7.7
  Solomon                                    127     1305     10.3

IBM ThinkPad 340, 486SLC 25/50 MHz, 360 MB hard disk
Some Windows and DOS applications on disk

                  SPRING 1994                    SPRING 1995
            time (s)  files  files/sec     time (s)  files  files/sec
DOS
  F-PROT       22      383     17.4           33      383     11.6
  McAfee       79      509      6.4           59      497      8.4
  Solomon      27      502     18.6           40      557     13.9
WINDOWS
  F-PROT                                      43      339      7.9
  McAfee                                      50      498     10.0
  Solomon                                     47      557     11.9

Versions used for testing:
  F-PROT 2.11 and 2.17
  McAfee Scan v. 111 and 2.2.0
  Solomon 6.60 and 7.10

Number of viruses known to each program:
                        1994     1995
  F-PROT                1063     1584  (families)
  McAfee Scan           2738     5059
  Solomon Findviru      3687     6006

Petteri Järvinen, Finland
e-mail: petteri@pjoy.fi
http://www.pjoy.fi

-------------------------------------------------------
petteri@pjoy.fi   www.pjoy.fi
Petteri Järvinen, Tekniikantie 12, 02150 ESPOO, FINLAND

------------------------------

Date: Wed, 10 May 95 12:05:09 -0400
From: Klaus Brunnstein
Subject: Mercedes-E marketing spreads virus (PC)

2000 journalists recently received a diskette containing marketing information on Mercedes' new E-class cars. As a hidden donation, this diskette also contained a virus of the Stoned family (Stoned.NoInt alias Stoned III alias Bloomington) which so far was not "in the wild" in Germany. After having been alarmed, Mercedes shipped 2,000 diskettes of a reliable AV product to the journalists.

Many media reported this accident in Germany, claiming that "this virus is harmless". This is not fully untrue as the only intentional "damage" in this stealth variant of the Stoned family results in failures only with hi-density diskettes. It is also possible that unintended damage occurs in the directory structure. This virus attempts to hide the infected boot sector against detection by some AV product. Fortunately, the product chosen by Mercedes reliably detects Stoned.NoInt on diskettes and disks. The question remains open whether the addressed journalists tested and cleaned all diskettes and systems which had been in contact with the infected diskette; otherwise, Mercedes marketing may have a long-time impact on some Mercedes drivers' PC systems :-)

Klaus Brunnstein (Univ. Hamburg, May 10, 1995)

------------------------------

Date: Wed, 10 May 95 12:36:02 -0400
From: Keith@slip.netcom.com
Subject: Re: Million Dollar Virus (PC)

writes:

> An anti-virus program - InnocLan - has identified "The Million Dollar Virus"
> running on one IBM PC on the network.
> It cannot clean the virus. The
> sys.admin is not familiar with this virus. It has not spread to any other
> workstations. No apparent damage has been done to the one infected PC.
>
> Can we use F-Prot to clean this virus? Are there any special precautions
> needed? Any advice would be appreciated.

Actually he probably has a Stoned variant "1000000". AVP version 2.2 can clean this virus easily. You can ftp an evaluation copy from ftp.netcom.com pub/ka/kapeer; see "0index.txt" for a file list.

Keith

------------------------------

Date: Wed, 10 May 95 12:58:25 -0400
From: netz@actcom.co.il (Zvi Netiv)
Subject: B1-NYB is killing my disk files - (PC)

-=> Quoting Altatech@xmission.xmissio to All <=-

Al> NYB virus is killing my disk files. I've tried many of the shareware
Al> virus detectors, and all they can do is remove it from the boot
Al> sector, but they can't find the exe that keeps installing it back
Al> in the boot sector.

NYB isn't killing any of your disk files, it's just a simple boot (on floppies) and MBR infector. Once you removed it from the MBR, it's gone. Yet, there are a few possibilities how it could reinfect:

- You still have it on some of your floppies, among them one that you boot from, occasionally. Cure: process all your floppies with FixBoot (available from one of the sites below).

- You are using an out of date safe booting program, that backed up the infected MBR, and you are reinstalling the infected MBR on every boot. I saw it happening on quite many instances. Cure: stop using the (un)safe boot program or upgrade.

- Do you use by any chance OS/2 BOOT MANAGER? The latter swaps the MBR by reinstating a copy of the MBR, selecting the one that matches the OS you want to boot on. It's possible to have an infected copy of the DOS MBR in Boot Manager. Cure: boot from the hd on DOS and disinfect with ResQdisk's SeeThru ON (possible only with IDE drives) and reboot immediately.
If the virus is back, then boot from a clean DOS floppy, disinfect with FDISK /MBR (check first that the hd is accessible) then reinstall Boot Manager.

Good luck, Zvi

-------------------------------------------------------------------------
Zvi Netiv, author InVircible     NetZ Computing Ltd, Israel   Fax +972 3 532 5325
email: netz@actcom.co.il   netz@InVircible.com   CompuServe 'GO InVircible'
Author's: ftp.datasrv.co.il/pub/usr/netz/   Anonymous ftp: InVircible.com
-------------------------------------------------------------------------

------------------------------

Date: Wed, 10 May 95 14:44:22 -0400
From: carrera_edgar@jpmorgan.com (Edgar Carrera (Intern),DMSG)
Subject: Re: Urkel (PC)

> Any suggestions for another line of attack

Just run fdisk /MBR, it will clean the MBR but there is a chance that you lose all your data in the hard disk. What I did was the following: I went into BIOS setup and disabled the hard drive, to make the DOS installation program believe that I don't have a hard drive; that will create start up (CLEAN) disks. Then I had to go into BIOS and enable the hard drive, and boot from the clean floppy. Run fdisk /MBR and reboot it.

------------------------------

Date: Wed, 10 May 95 14:44:25 -0400
From: RCoda@aol.com
Subject: NYB Virus? (PC)

Hi:

Have you ever heard of the NYB virus? McAfee 2.21 can't remove it, Norton doesn't even see it! Any help appreciated.

Thanx,
Rich Coda
rcoda@aol.com
73700,2307@compuserve.com

------------------------------

Date: Wed, 10 May 95 16:09:33 -0400
From: "Marty L. Horn"
Subject: Re: Update Signatures for MS-AV? (PC)

"Bruce Breidfjord Dimon, Idaho Gold Wing" wrote:

>Where can I get updated signatures for Microsoft's Anti-Virus? Thanks.

Symantec now owns this. You can get the updates for DOS from:
ftp://ftp.symantec.com/public/dos/cpav/dosav.exe
and the Windows version from:
ftp://ftp.symantec.com/public/windows/cpav/winav.exe

The site is usually hard to get into, good luck!
-Marty

------------------------------

Date: Wed, 10 May 95 20:27:45 -0400
From: Iolo Davidson
Subject: Pathogen/Queeg (PC)

swidlake@rl.ac.uk "S Widlake" writes:

> I believe I'm right in thinking that the "Black Baron" was caught and
> was prosecuted under the Computer Misuse Act (was it?). Does anyone
> have any further details on what his punishment was and was he really
> sorry about writing these viruses ;-(

May's "SECURE Computing" reports that the case against Christopher Pile (alleged to be the Black Baron) at Plymouth was adjourned on April 4th due to the prosecution not having their case ready. Pile was due to reappear before the court on April 18th.

--
POLITICAL PULL        FOR RAZOR PULL
MAY BE                THERE'S NO EXCUSE
OF USE                     Burma-Shave

------------------------------

Date: Wed, 10 May 95 22:48:27 -0400
From: nstn0031@fox.nstn.ns.ca (Eldon Olmstead)
Subject: Re: Anyone heard of this virus??? (PC)

ICCULUS@frost.oit.umass.edu (Neal S Kaiser) wrote:

>When I print through DOS on my HP everything works fine. BUT, when I print
>through windows, the true type fonts print little marks all over the paper.
>They kinda resemble bar codes. The regular (not true type, forgot the name)
>fonts print fine. Is this a virus?? If anyone has experienced this or can
>help me out, please email me directly at "icculus@student.umass.edu"

I don't think so, are you using the HP printer driver? If so, try using the standard PostScript driver that comes with Windows. I have found that sometimes the HP printer driver does not print correctly. Try another PostScript Driver first.
//
// Eldon Olmstead
//
// nstn0031@fox.nstn.ns.ca    Phone: (902) 475-1656
// olmsteev@tuns.ca
// eldon.olmstead@prior.ca    Phone: (902) 423-1331

------------------------------

Date: Wed, 10 May 95 23:39:17 -0400
From: josephk@pacifier.com (Joseph Keto)
Subject: Pepper virus (PC)

Does anyone have any information on the Pepper virus or a virus named yom.com (128 bytes long and supposedly a modification of the Pepper virus)? What do these viruses do? I have looked for information on them in f-prot but none is available.

josephk@pacifier.com
--
--- pacifier.com - Vancouver's Public access Internet (206) 693-0325
telnet or dial the above and type "new" at the prompt to register

------------------------------

Date: Thu, 11 May 95 04:44:14 -0400
From: David Hawthorn
Subject: Re: AOL Virus, a New Take? (PC)

Last week I logged on to my local server, read some email, returned to DOS, and found my hard disk was seemingly trashed. Approx. every 2nd byte was overwritten.

The probable solution is that every 2nd byte was not overwritten at all. The computer was not running for long enough for it to do that, nor was the HD being accessed very much. The opinion of one experienced person was that it was probably the HD controller. Most likely he was right; a couple of days later every 2nd byte was not overwritten!

Unfortunately, whilst the controller was having some problems I attempted a fix of the partition table with Norton Disk Doctor. A bad move to try to fix a good disk that has a bad controller!

No virus at all (in my case). The reading of email at the time was just a coincidence.
---------------------------------------------------------------------
David Hawthorn
Department of Business Systems, Monash University, Australia
Phone: +61 3 9905 5802   Fax: +61 3 9905 5159
email: dhawthorn@fcit-m1.fcit.monash.edu.au
---------------------------------------------------------------------

------------------------------

Date: Thu, 11 May 95 07:49:46 -0400
From: hhakkine@cs.joensuu.fi (Häkä Häkkinen)
Subject: Re: Copying a boot sector to a file (PC)

: Well, all is OK, but I'd be very pleased if someone could tell me
: how I can put the contents of the file drive_a.boo in the boot sector
: of another disk using debug, and, if possible, how I can do it using
: assembler or C source. (Please, this is my first post, so excuse me
: for my BAD English)

One pretty easy way is this:

Get a dummy file at least 512 bytes long. For example make a copy of just any file: 'copy oldfile boot'. Then you have this boot in the dir. Now you can start debug with 'debug boot'. That loads the file boot to address 100. You can check it with 'd 100'. ... Boy, inside of debug just give it '?' to get the commands, if you forget them.

Now tell it 'l 100 1 0 1' and enter. This means: "load, toAddress 100, FromDisk B, startSector 0, 1 sector". (disk a = 0, b = 1, c = 2) (With 'd 100' you can see that the boot sector really came there.)

Then say 'w' and nothing else. It means 'write file back to disk'. And there you have it. The first 512 bytes of your dummy file are now overwritten by that boot sector - or whatever sector you want.

----------------------------

To copy it to some other disk you can say this: start again with 'debug boot'. Then say 'w 100 0 0 1'. It means: "write, from address 100, to disk a, startSector 0, 1 sector". Now that boot sector has the first 512 bytes of your dummy file.

This way you can overwrite even the HD boot sector - so be careful. If I were a beginner, I would save it to a separate file before playing around...
----------------------------

It's easy to do with C as well, but if you don't write disk handling programs, debug would be a good way to start. And easy once you try it.

Hannu.

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 52]
*****************************************
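Hannu's DEBUG recipe above saves a boot sector into a file, and the original poster asked how the same could be done from C. As an added example that is not from either poster, here is read-only C that loads such a 512-byte image (the DRIVE_A.BOO file named in the thread), checks that it looks like a DOS boot sector by decoding its BIOS Parameter Block, and compares a saved copy against a fresh one, which is the check Zvi's NYB post calls for when an MBR keeps coming back infected. The sample sector is constructed inline and nothing here writes to a disk.

```c
/* Added example, not from the digest: read-only checks on 512-byte boot
 * sector images such as the DRIVE_A.BOO file discussed in the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR_SIZE 512

/* BIOS Parameter Block fields at fixed offsets in a DOS boot sector. */
struct boot_info {
    char     oem[9];
    uint16_t bytes_per_sector, reserved_sectors, total_sectors;
    uint8_t  sectors_per_cluster, fat_count;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* A DOS boot sector starts with a short or near jump and ends with 55 AA. */
int boot_sector_looks_valid(const uint8_t *s)
{
    int jump = (s[0] == 0xEB && s[2] == 0x90) || s[0] == 0xE9;
    return jump && s[510] == 0x55 && s[511] == 0xAA;
}

/* Decode the BPB; returns 0 when the signature is missing or the geometry is
 * implausible (Hannu's 'l 100 1 0 1' recipe assumes 512-byte sectors). */
int parse_bpb(const uint8_t *s, struct boot_info *bi)
{
    if (!boot_sector_looks_valid(s)) return 0;
    memcpy(bi->oem, s + 3, 8);
    bi->oem[8] = '\0';
    bi->bytes_per_sector    = le16(s + 11);
    bi->sectors_per_cluster = s[13];
    bi->reserved_sectors    = le16(s + 14);
    bi->fat_count           = s[16];
    bi->total_sectors       = le16(s + 19);
    return bi->bytes_per_sector == SECTOR_SIZE && bi->fat_count != 0
        && bi->sectors_per_cluster != 0 && bi->reserved_sectors != 0;
}

/* Compare a saved image with a fresh read of the same sector: returns the number
 * of differing bytes and stores the first differing offset (-1 when identical). */
int boot_sector_diff(const uint8_t *saved, const uint8_t *fresh, int *first)
{
    int i, n = 0; *first = -1;
    for (i = 0; i < SECTOR_SIZE; i++)
        if (saved[i] != fresh[i]) { if (n == 0) *first = i; n++; }
    return n;
}

/* Read exactly one sector from an image file such as DRIVE_A.BOO; 1 on success. */
int load_sector_file(const char *path, uint8_t *buf)
{
    FILE *f = fopen(path, "rb");
    size_t got = 0;
    if (f) { got = fread(buf, 1, SECTOR_SIZE, f); fclose(f); }
    return got == SECTOR_SIZE;
}

/* Constructed sample: a plausible 1.44 MB floppy boot sector, not a real dump. */
void make_sample_boot_sector(uint8_t *s)
{
    memset(s, 0, SECTOR_SIZE);
    s[0] = 0xEB; s[1] = 0x3C; s[2] = 0x90;          /* jmp short; nop */
    memcpy(s + 3, "MSDOS5.0", 8);
    s[12] = 0x02; s[13] = 1; s[14] = 1; s[16] = 2;  /* 512 B/sector, 1 spc, 1 rsvd, 2 FATs */
    s[19] = 0x40; s[20] = 0x0B;                     /* 2880 sectors */
    s[21] = 0xF0; s[22] = 9;                        /* media F0, 9 sectors per FAT */
    s[510] = 0x55; s[511] = 0xAA;
}
```

A boot infector normally rewrites the code area after the BPB and leaves the BPB intact, so a non-zero diff with an unchanged geometry is the pattern to look for between two saves of the same sector.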