VIRUS-L Digest   Wednesday, 17 May 1995    Volume 8 : Issue 56

Today's Topics:

Re: Turkey virus
Re: Boot sector infectors question...(all)
Re: Boot sector infectors question...(all)
Lundell and the Turkey virus
"Virus!" by Lundell
Boot sector infectors question...(all)
methods of scanning
Re: unknown VIRUS (maybe?) (PC)
Does this sound like a virus? (PC)
REQ for help on Virus Demo (PC)
Re: f-prot (PC)
Eliminating Die_Hard ? (PC)
Re: Monitor problem after lockup (PC)
Detecting viruses (PC)
Re: Win95 and Anti-virus prorams? (PC)
Re: Invircible (PC)
Re: Need Anti Virus Advice (PC)
Help needed...WELCOMB and FICHV! (PC)
Re: AntiExe virus with circular infection (PC)
Re: Virus on a Doublespaced Drive (PC)
Re: unknown VIRUS (maybe?) (PC)
Re: Help me, telephonica virus? (PC)
Re: Stoned Virus!!HELP (PC)
LANCARD that scans for VIRUSes (PC)
Please Help - Ripper Virus (PC)
RE: Win95 and Anti-virus prorams? (PC)
Re: Req. Info re: Quox virus (PC)
Help: Attacked by Ripper (PC)
Re: Turbo Virus (PC)
Update for Norton? (PC)
How to remove virus in IDE HD ? (PC)
hidenowt virus (PC)
Re: f-prot (PC)
Mischief virus, please help. (PC)
Re: Warning VShield 2.2.221 doesn't work(PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU.
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 16 May 95 12:13:48 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Turkey virus

JOHN POLAND (s001jap@discover.wright.edu) writes:

> An older book on viruses that I was reading (VIRUS! by Allan Lundell
> copyright 1989) mentions a virus called the Turkey virus. Apparently the
> virus causes a picture of a turkey to appear on the users screen and then

I remember the story about such a virus from the early years, yes. However, no such virus is known - at least not for the PC. I seem to remember a chain letter - variant of CHRISTMA EXEC - from Turkey, but I don't think that it used to draw such pictures... might be wrong, though.

> focuses part of the cathode ray beam and burns a hole in the screen. Has

This is impossible.

> I was unaware that viruses could cause physical
> damage to a computer.

They cannot. And no, don't come up with stories about disks being "rattled" by continuously and alternatively accessing their first and last sectors, or about VGA cards burned by buggy screen drivers for Linux machines. The contemporary hardware cannot be physically damaged by software, period. I won't change my mind until I see a program that proves me wrong - and yes, I am willing to run it on our machines.

> Why aren't viruses of this type more prevalent? It

It's kinda difficult to make prevalent something that can't exist. :-) I guess, that pretty much explains it.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Tue, 16 May 95 15:03:37 -0400
From: moseley@netcom.com (Willy)
Subject: Re: Boot sector infectors question...(all)

SWM107@smtp.nwscc.sea06.navy.mil says...

>I may be oversimplifying things somewhat, however it seems to me that
>a boot sector infector would find it very difficult to propagate
>rapidly in today's world. Are we still booting from diskette so often
>that we can be infected from these beasties?

First, remember that even 'data' floppies still have a boot record and can thus transfer viruses. Ever forget and leave a disk in the drive and reboot and get 'non-system disk' message? At that point you opened your PC up to a virus.

Second, a virus may come in on some great new utility off the net and when run move into the hard disk boot sector, really the master boot record. This is a great place to live since the MBR is executed first and then the virus in the MBR can load and hide itself and wait for other disk activity to propagate.

__________________________________________________________________
Bill | moseley@netcom.com |

------------------------------

Date: Tue, 16 May 95 15:32:18 -0400
From: cantrick@rintintin.Colorado.EDU (Ben Cantrick)
Subject: Re: Boot sector infectors question...(all)

wrote:

>I may be oversimplifying things somewhat, however it seems to me that
>a boot sector infector would find it very difficult to propagate
>rapidly in today's world. Are we still booting from diskette so often
>that we can be infected from these beasties? It is my understanding
>that a boot sector infector cannot infect your computer unless you
>boot from the infected medium. With current technology utilizing
>large hard drives and extensive operating systems stored on them, it
>would seem that the occasion to boot from the diskette would be a very
>rare occurrence.
>I understand that there are accidents where one
>might reboot with a forgotten floppy in the drive, however this would
>not occur often enough to create a prolific environment for these
>viri. What is the answer? Why are these viri alive and still
>propagating in our world today? Have I missed something somewhere?

Indeed, their slow spread may be to their advantage. While boot-sector (or MBR) infectors are slow to spread, they also have some edges:

- They're not in normal DOS files, so they won't corrupt any data.
- Nobody ever checks all their floppies.
- When they do get in control, it's (almost) always before any kind of anti-virus software has been run so they have full power over the machine.
- Their slow spreading may actually help avoid detection.

What do you think? Are the BR infectors still a viable form of viral life? The Stoned-Empire-Monkey-B variant that's sweeping my school's computer labs says "yes."

-Ben
--
void goto_college(){ | Ben Cantrick: cantrick@rtt.colorado.edu
while(credits

Subject: Lundell and the Turkey virus

Lundell's book is a very entertaining read, but he got his info from a very limited number of sources and doesn't seem to have done any fact checking. There are several errors in the book, and I think the "Turkey" virus was one of them.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Tue, 16 May 95 17:22:00 -0400
From: "Rob Slade, Social Convener to the Net"
Subject: "Virus!" by Lundell

BKLUNDEL.RVW 930616

Contemporary Books
3250 South Western Avenue
Chicago, IL 60608
312-782-9181
Beaverbooks Ltd.
195 Allstate parkway
Markham, Ontario L3R 4T8
Virus!: the secret world of computer invaders that breed and destroy, Allen Lundell, 1989

My initial reaction to "Virus!"
was that it was another "gee-whiz!" virus book, long on enthusiasm and informality, and short on facts. However, trying to set that feeling aside, I did find a wealth of research had been done. Given the date of the book (most of it seems to have been written in the fall of 1988, with the final drafting done in early 1989) there is a lot of valuable information contained in it.

The reaction of the knowledgeable reader will likely depend upon the level of expectation. Those expecting accurate facts and astute analysis will be disappointed by the many errors and the lack of balance. Those expecting little may be pleasantly surprised by the easy readability and smorgasbord of details and gossip.

Neophyte readers will find Lundell's writing easy to follow, and will likely come away with quite a reasonable set of background information on computer viral programs. The journalistic and "storybook" style will make spending the two or three hours needed to read it all a very small challenge. This is in sharp contrast to numerous other works reviewed.

However, the book does have serious problems, and cannot be recommended as the "final word" by any means. Alongside of the valuable factual information, there is a great deal of error, myth, or misinterpretation. For example, while the coverage of the Internet Worm is generally clear and thorough, Lundell seems to have only the most tenuous grasp of the mechanics of the Worm itself. (This in spite of having obvious access to both the Eichin/Rochlis and Spafford papers.) His distinction between a virus and a worm, in the same chapter, is both lucid and accurate, and yet other parts of the book lump bugs, trojans, pranks and even games together under the viral heading. (Appendix B, a "software bestiary", includes a "Virus Hall of Flame": the only two entries are variations on the mythical "monitor exploding" virus.)

A more serious, and insidious, flaw, though, is the credulous nature of the work.
Many times we get only one side of a given story. The theory that Bob Morris Senior was a party to RTM's actions is presented almost as an accomplished fact. A conversation on the highway with John McAfee is presented as golden insight. (To be fair, Lundell does eventually admit that McAfee's attempt to be the evaluation standard for antiviral software might pose a conflict of interest.) Transcripts of conversations (one hesitates to call them interviews) with hackers are reprinted with almost no critical analysis. (Although the BRAIN virus, and the Alvi brothers, are covered in depth, it is unclear whether Lundell actually spoke to any virus writers.) The extensive digging Lundell has done is sometimes overshadowed by his almost blind acceptance of what he has been told.

The careful reader, even without background knowledge, can pick out some of the flaws. Early in the book the discussion of the MacMag/Peace/Brandow virus points out that the standard injunction against shareware and BBSs is rendered almost meaningless in the face of contaminated "shrink-wrapped" commercial software. Yet that same "buy only commercial" advice is repeated as gospel later in the book.

(The interviews and research also seem to have a regional bias. Many of Lundell's contacts seem to have been obtained from VIRUS-L contributors: definitely a good source. However, John McAfee is given a great deal of ink, while Ross Greenberg, at the time much more visible and respected on the Net, is not even mentioned. Might this be because John lives in California, while Ross is on the East Coast?)

Despite the numerous flaws, I find it somewhat odd that the book should have been so hard to find, given its readability, information and precedence. While a good dose of skepticism and a more accurate fact base is needed as an adjunct, it still has a place as one of the few books that a "naive" user could read and still get something out of.

RMS:gjs 93.06.16 copyright Robert M.
Slade, 1993 BKLUNDEL.RVW 930616

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag

------------------------------

Date: Tue, 16 May 95 19:43:12 -0400
From: Iolo Davidson
Subject: Boot sector infectors question...(all)

SWM107@smtp.nwscc.sea06.navy.mil writes:

> I may be oversimplifying things somewhat, however it seems to me
> that a boot sector infector would find it very difficult to
> propagate rapidly in today's world.

Nevertheless, boot sector viruses top the prevalence lists.

> Are we still booting from diskette so often
> that we can be infected from these beasties?

Yes indeed. We mostly do it by accident now, though. All you have to do is leave a "data" disk in the machine when you turn it off.

> It is my understanding
> that a boot sector infector cannot infect your computer
> unless you boot from the infected medium.

That should be "attempt to boot". It does not have to be a successful boot-up to infect.

> I understand that there are accidents where one
> might reboot with a forgotten floppy in the drive, however
> this would not occur often enough

Occurs plenty often.

--
USE OUR CREAM THEY'LL COME AND WE BETCHA AND GETCHA GIRLS WON'T WAIT Burma-Shave

------------------------------

Date: Tue, 16 May 95 19:44:10 -0400
From: Iolo Davidson
Subject: methods of scanning

a65si@csiunx.it.csi.cuny.edu "carroll herb" writes:

> I'm curious if someone could possibly explain the ways an AV
> program detects viruses.

Lots and lots of different ways, too many to list, even if anyone was willing to make their methods public.

--
USE OUR CREAM THEY'LL COME AND WE BETCHA AND GETCHA GIRLS WON'T WAIT Burma-Shave

------------------------------

Date: Tue, 16 May 95 06:26:54 -0400
From: Will Dioneda
Subject: Re: unknown VIRUS (maybe?)
(PC)

I would recommend trying F-Prot version 2.17 and Thunderbyte antivirus. Both these files are available in the virus directory of any SimTel site, as FP-217.ZIP and TBAV634.ZIP or TBAVW634.ZIP (Windows) respectively.

These two are quite good in that they can find files not identified yet by using a method called Heuristics. Thunderbyte can also make your system very secure by detecting ANY changes to executable files, thereby informing you of any changes to executables.

Larry...

------------------------------

Date: Tue, 16 May 95 06:55:08 -0400
From: Simon Davies
Subject: Does this sound like a virus? (PC)

Hi,

I have used virtually every product (f-prot[2.17], AVP, TB ....) and they say my machine is all clear. BUT.....

1. Using mem I get 639k base mem (as opposed to 640k)
2. If I do a "dir /ah" my hard-disk volume label changes to AP and I can no longer change it with "label". Trying to use label gives an error message of "Cannot make directory entry".

Any ideas? Thanks in advance for any suggestions!!

Simon.
s2davies@plym.ac.uk

------------------------------

Date: Tue, 16 May 95 08:34:14 -0400
From: ivory@netcom.com (Ivory Dragon)
Subject: REQ for help on Virus Demo (PC)

I am scheduled to give a lecture/demonstration to several dozen "slightly" PC literate executives, and I would like to find something that visually demonstrates how viruses work. This could be done either by harmlessly recreating the effects of a virus (preferably some of the more entertaining ones), or by a "slide show" of what a virus does in memory.

Any thoughts or suggestions would be appreciated. If nothing like this exists, then it would be a great opportunity for someone to become famous by doing it.

Thanx,
Ivory

------------------------------

Date: Tue, 16 May 95 08:47:01 -0400
From: erosenba@vger.rutgers.edu (Evan Rosenbaum)
Subject: Re: f-prot (PC)

daveblue@ix.netcom.com (dave ) writes:

>Could someone please tell me where I could find f-prot.
>Is the virus

You can get f-prot from any of the SimTel mirrors. I usually get mine from oak.oakland.edu. An archie search should turn up about a half-dozen locations.

------------------------------

Date: Tue, 16 May 95 09:15:32 -0400
From: ultra@ocsny.com (Chris Barker)
Subject: Eliminating Die_Hard ? (PC)

I'm having trouble eliminating Die_Hard from a network. f-prot 217 can see it but can't remove it. Does anyone know how to deal with this one?

--
Chris Barker ultra@ocsny.com
Optimized Computer Solutions. Networking and Service Contracts in New York City
All opinions are mine, blah blah blah...
http://www.ocsny.com/~ultra We host home pages

------------------------------

Date: Tue, 16 May 95 09:47:20 -0400
From: "George (GRIG@BGEARN.BITNET)"
Subject: Re: Monitor problem after lockup (PC)

Kevin Anderson (KEVINAND@acad.cc.whecn.edu) wrote:
(as his message is very long, here just a little of it (from Vol. 8, Issue 30))

> ...with CTRL ALT DEL would not work, so they turned the computer
> off and waited a second, then turned it back on. The computer
> returned to normal, but the monitor remained black even
> though it had a power light indicator working. All connections
> seemed tight and we used the instructions in the manual to check
> for other possible causes. Rebooting again did not work. We...

Oh, there is no virus that may cause a hardware problem, while it is not active in the memory! Just as in your case.

> ...Technicians at our college, the computer store, and at NEC's
> Technical Support each had varying theories about the
> problem. One suggested replacing the mother board, another
> said it could be the power supply in the computer or the
> battery, a third said it could be the power supply in the
> monitor, another said it could be power fluctuations in the
> building...

Yes, although they have 'varying theories', you can see that no one even supposes that the problem may be caused by virus.
Have you tried any of these monitors on other computers (outside the building)? Or have you tried these computers with other monitors... ????

F-Prot V2.16 will detect '10 past 3' virus and will remove it (if you boot from a clean diskette).

Hope I've helped,
George

------------------------------

Date: Tue, 16 May 95 09:56:53 -0400
From: "George (GRIG@BGEARN.BITNET)"
Subject: Detecting viruses (PC)

As I read a lot of questions like 'Hi, have I a virus if .....' and as I believe a few of these questions will be replied I will tell you how exactly to know if you have a virus.

When your PC is free of any viruses or you are 99% sure so, remember the size and the time of creation of an EXE and COM file from your HDD (best if the COM file is COMMAND.COM). So when you suspect you have a virus, compare the previous and the current file sizes and times (dates) of creation.

REMEMBER: It is not obligatorily that you do not have a virus if file sizes are unchanged and remember that this way you will not find the STEALTH viruses.

If the size is changed, please report and don't forget to add the information about the name, the original and changed file size, the times of creation (if they differ).

Hope, I've helped
George
E-Mail: GRIG@BGEARN.BITNET

------------------------------

Date: Tue, 16 May 95 10:00:54 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: Win95 and Anti-virus prorams? (PC)

io92721@maine.maine.edu (Mark White) says:

>I am running Windows 95, the Preview version(M8). I would like very much
>to get some virus protection back in my PC. I have seen Carmel's AV, but
>it doesn't work as I can see. Does anyone have any Anti-virus running
>smoothly under WIN95?? If so, would you mind giving me and the other
>Win95'ers get this protection?

F-Prot shareware works very well with Windows 95. I'm using version 2.17. You will have to remove F-Prot's Virstop TSR temporarily to install or upgrade Win 95 preview.
Virstop also works with Win95 although it cannot display any warning when you're in windows. It does beep and you will see some garbage at the top of the screen if it triggers the same as with any version of Windows.

Sorry, I haven't tested any other AV product with Win95, mostly due to lack of time.

Joe Lawrence                 |"All opinions are mine, not Rockwell's"
Engineering Support Services | To do is to be - Nietzsche
Rockwell International       | To be is to do - Sarte
jfl@hobbes.cca.rockwell.com  | Do be do be do - Sinatra

------------------------------

Date: Tue, 16 May 95 10:42:55 -0400
From: weissel@moon.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: Invircible (PC)

Bill Lambdin (bill.lambdin@woodybbs.com) wrote:

:->TBcheck is a good resident integrity checker. In my tests, TBcheck
:->reported files infected with a fully stealthed virus in RAM.
:->
:->If you have RAM to spare, I would recommend for you to add TBfile, and
:->TBmem.
:->
:->I am aware of one virus that deletes the ANTI-VIR.DAT integrity data
:->files used by TBAV.

If you use the 'secure' option with TbCheck you cannot run any program without an 'anti-vir.dat' (You can even rename these files.) This forces you to make new anti-vir.dat-files (or update old ones) for NEW programs. It also alerts you instantly if such a virus killed your anti-vir.dats.

- Wolfgang

------------------------------

Date: Tue, 16 May 95 10:49:51 -0400
From: "Marty L. Horn"
Subject: Re: Need Anti Virus Advice (PC)

airangel@pipeline.com (Ellen Karp) wrote:

>I am new to this newsgroup, and not sure if I am in the right place....I am
>looking for information on Anti-Virus programs for my PC. Can anyone
>recommend one or place where this post should go ? Are there any shareware
>programs on the "net " or should I invest in a "store version".

Suggest F-PROT. Can be had at ftp://ftp.datafellows.fi/pub/f-prot/

This will get you a shareware version which has done us very well.
However, they offer a retail version which has a Windows front-end which is super.

-Marty

------------------------------

Date: Tue, 16 May 95 11:19:09 -0400
From: Charles Chew
Subject: Help needed...WELCOMB and FICHV! (PC)

Hello there!

Recently, I faced a couple of viruses that couldn't be cleared using the latest McAfee virus scan evaluation program. The scan evaluation program I'm using is Scan V220 with V221 data file. The 2 viruses are WELCOMB and FICHV. Ever heard of these viruses?

After detecting the presence of these viruses, the scan program displays the message that there are no removers for them. Therefore they could not be cleared. May I know if there is an up-to-date virus scan evaluation program that is able to "kill" these viruses? Regarding the licensed McAfee virus scan program, will it be able to clear the above-mentioned viruses?

Your assistance is very much appreciated.

Thank You and Best Regards 8-)

------------------------------

Date: Tue, 16 May 95 12:06:41 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: AntiExe virus with circular infection (PC)

Ivory Dragon (ivory@netcom.com) writes:

> 1. Anti-EXE is a boot virus (either MBR or DOS bootsector). As such, the
> files are not infected.

So far, so good.

> As long as the disk itself hasn't been trashed,

This particular virus does not trash the hard disk.

> it should be possible to copy the files off of the infected disk. Be

Correct.

> careful (I know, "No Shit, Sherlock"), if you do a DIR, you will most
> likely infect the PC you are working on.

That's not quite precise. If the virus is active in memory (i.e., if you have booted from an infected disk), then *any* disk access will infect the floppy, unless it is write-protected. It doesn't matter whether you do a DIR or a COPY (to copy your files). However, if the virus is *not* active (i.e., if you have booted from a clean floppy), then doing a DIR on an infected disk will *not* infect the PC.
> Also, put SYS
> and FDISK on the virus-cleaning diskette.

Remember to do this either before the infection, or in a clean environment (e.g., on a virus-free machine, or after having booted from a clean disk).

> If you do infect your DOS boot
> sector, SYS it. If you infect the MBR, you can FDISK /MBR to rebuild it.

For this particular virus, you need FDISK/MBR for the hard disk and SYS for the floppies.

> 2. Haven't worked too much with F-Prot, but TBAV 6.34 does an excellent
> job of not only removing ANTI-EXE from HD's and FD's, but also allows you
> to backup to boot information to a floppy, in case of future infection.

Yes, making a backup of the boot information to a floppy is an excellent thing to do - before your computer gets infected. Also, if your computer's BIOS allows it, configure the CMOS so that the machine boots from the hard disk (C:), instead of from the floppy drive (A:).

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Tue, 16 May 95 12:26:18 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus on a Doublespaced Drive (PC)

Matthew R. Richardson (mattr@pride.ugcs.caltech.edu) writes:

> anybody know whether SCAN will screw things up on a doublespaced drive?

DoubleSpace can perfectly screw the things up by itself, without any need for help from SCAN.

> AntiExe is a boot-sector virus.

More exactly, it is a master boot sector infector. And no, it cannot infect the boot sector of the compressed drive.

> I was thinking that perhaps the best way to clean the drive would be
> to boot up with a clean floppy that doesn't have the doublespace driver on
> it, so that DOS is unable to load doublespace.
> That way, the hard drive
> will appear to be just a normal hard drive (with a 120 meg file that is
> the fake compressed drive). Then run SCAN to clean the drive. What do
> you think?

This will work to remove AntiEXE - or any other boot or master boot sector virus. However, you are running the risk of missing any file viruses that might have infected the files on the compressed volume.

> I would like to hear from anyone who thinks this is a bad
> idea or a good idea, or has had experience cleaning out a virus,
> particularly a bootsector virus, off of a doublespaced drive.

None of the existing boot sector viruses is able to infect the boot sector of the doublespaced drive (i.e., the compressed volume). Even if one is written that can infect it, it will almost certainly damage the compressed volume, so you'll have other problems. Besides, there is no point in infecting the boot sector of the compressed volume - you never boot from there, so a virus there has no chances to activate.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Tue, 16 May 95 12:38:56 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: unknown VIRUS (maybe?) (PC)

Johnny J Chin (jchin@dorsai.dorsai.org) writes:

> MS-DOS (MSAV) v6.2 with the new signatures (3/15/95)
> Central-Point (CPAV) v2.0 with the new signatures (2/6/95)
> McAfee SCAN v2.2.0 (with v2.2.1 signatures)
> Norton (NAV) v3.04 with new signatures (5/1/95)

> Please, if anyone has another scanner, please let me know where I can

Those are rather lousy scanners that you are using, especially the first two.
A much better one is

ftp://oak.oakland.edu/SimTel/msdos/virus/fp-217.zip

or even

ftp://ftp.informatik.uni-hamburg.de/pub/virus/progs/avp/

(You'll need all files from that directory.)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Tue, 16 May 95 12:43:33 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help me, telephonica virus? (PC)

Gloona@info.swan.ac.uk (Gloona@info.swan.ac.uk) writes:

> I need some information concerning the program "Vshield"...While
> on the college computers (P.C's non networked) today..These computers
> load Vshield from the autoexec.While on these computers I was playing
> with Dr.Sol's toolkit (v.6.02 I think) which happened to be on the
> hard drive.On scanning the computer it said there was Telephonica Virus
> present and to boot up from clean floppy. but "Scan" showed there was
> nothing present on the disk.

It might be that FindVirus (or Guard) is fooled by some unencrypted scan string left in memory by VShield, but I find this very unlikely. Have you followed the advice to boot from a clean floppy and then run the Toolkit? What did it report in this case? If it still finds a virus, then, I am sorry to disappoint you, but there *is* a virus.

> I found the person in charge
> of these computers and showed him the information, thinking he might
> want to be told. He's now taken all my disks and banned me from all
> computers in the Engineering section.He claimed I had infected his
> computers with a Virus...

From what you have described so far, I see no evidence that it was indeed you who has introduced the infection. It *is* a possibility, but there is no hard evidence supporting it.
> Is this related to Vshield being resident
> in memory ? Or is The toolkit never wrong ?

I'm sorry, but the Toolkit is wrong much less often than SCAN or VShield.

> I know my disks are clean..

Try another good scanner. Get F-PROT - I know for sure that it does detect this virus reliably. Scan your diskettes. If they are reported to be clean, then there is no virus at all. Otherwise, you are using the wrong anti-virus product - SCAN. For instance, it does not detect version .B of this virus (it does detect version .C and version .A - the most widespread one - but does not distinguish between those two versions).

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Tue, 16 May 95 12:43:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stoned Virus!!HELP (PC)

Nelus Rossouw (nelus@server1.ovsod.co.za) writes:

> I have customer with a "Stoned virus" on his PC. The problem is:

Please read the FAQ of this newsgroup for information about how to ask such questions. In particular, which scanner and which version of it reported this name and where - hard disk, diskette, memory?

> When i boot the machine, it hangs just after the BIOS screen (where it tells
> you that it is a 486, stiffie, floppy, etc.)

For those readers who are not acquainted with the term "stiffie", this is how they call the 3.5" diskettes in South Africa, because those diskettes are, well, stiff. :-)

> can now check for viruses on the stiffie, but it does not see my C:
> drive!!!! What goes, What can i do??. How do i get on C:????

Such symptoms are typical for the EXE_Bug virus, which is extremely widespread in your part of the world.
Also, the Monkey virus shows the same behaviour. My recommendation is: get F-PROT, boot from a clean diskette, check that you cannot access drive C:, and run

F-PROT /HARD /DISINF

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Tue, 16 May 95 12:52:04 -0400
From: "Andrew Tan"
Subject: LANCARD that scans for VIRUSes (PC)

Hi ...

Saw an advert stating a LAN card that can check for viruses. Is it for real? Like to hear your experiences and comments on it.

Thanks

Andrew Tan                     "Achievement: Dream what you dare to dream.
SHELL SIngapore                 Go where you want to go.
andrew.a.tan@shell.stems.com    Be what you want to be."
                                Anonymous

------------------------------

Date: Tue, 16 May 95 13:07:16 -0400
From: young@seanet.com
Subject: Please Help - Ripper Virus (PC)

Please Help.

I have a virus called the ripper virus that has infected the Master Boot Record on my Hard Drive. I have tried reformatting the drive. I have tried repartitioning the drive. I have tried using the dos sys command. None of these things will clean up the Master Boot Record. I have tried using F-PROT, and McAfee to clean it up. (It is not detected by MWAV).

Is there anything I can do to restore the Master Boot Record? Any help or suggestions would be appreciated. Please follow this message in the news group or send me email.

Thanks in adv.
young@seanet.com

------------------------------

Date: Tue, 16 May 95 13:45:26 -0400
From: richardb@intecolor.com
Subject: RE: Win95 and Anti-virus prorams? (PC)

On Mon, 15 May 95, io92721@maine.maine.edu (Mark White) wrote:

>Hello all:
>I am running Windows 95, the Preview version(M8). I would like very much
>to get some virus protection back in my PC.
>I have seen Carmel's AV, but
>it doesn't work as I can see. Does anyone have any Anti-virus running
>smoothly under WIN95?? If so, would you mind giving me and the other
>Win95'ers get this protection?

As I have mentioned often in this forum, F-Prot (shareware version) seems
to work virtually flawlessly in a WIN95 environment. It is available from
any Simtel site (eg. ftp.oak.oakland.edu). I can recommend this with only
ONE reservation - that is - VIRSTOP may choke (depends on your setup).

I suppose that WIN95 issues could go into the FAQ. The Preview Edition (PE)
was build 347, and I have run F-prot in all versions up to and including
build 462 (current as of this post).

BTW, my fish is patent pending!

  o o >` ))))><     A blissful leap into eternity

richardb@intecolor.com   office-net
Richard_Bodor@msn.com    home-net
RLBodor@aol.com          Pariah-net

------------------------------

Date:    Tue, 16 May 95 13:48:02 -0400
From:    cudba@csv.warwick.ac.uk (Chris. Garnett)
Subject: Re: Req. Info re: Quox virus (PC)

woodyw@freenet.vancouver.bc.ca (Greg W Wellwood) writes:

>Picked up a nasty virus from BCIT CAD lab, toasted my work disk. It's
>apparently called "Quox" and not detected by the most recent scanners.
>Anyone have info on this puppy?
>Norton was red-flagging all over with this disk.

According to Dr Solomons Virus Encyclopedia, Quox is an alias for
"Stealth". It affects the boot and partition sectors of floppy and hard
disks. It can be removed with Dr Solomons (that is, at least the version I
have).

Chris. Garnett
- --
- --
cudba@csv.warwick.ac.uk
work: Technical Workshop, Computing Services
      University of Warwick  +44 1203 52 3270
home: +44 1203 677872
World Wide Web URL: http://www.csv.warwick.ac.uk/~cudba

------------------------------

Date:    Tue, 16 May 95 14:42:25 -0400
From:    mhill@red.seas.upenn.edu (Malaney J Hill)
Subject: Help: Attacked by Ripper (PC)

One of our users accidentally booted a PC up on a disk that was infected by
the Ripper virus.
The result was that we could no longer boot from the hard drive. The error
was "Dynamic Drive Overlay Integrity Error".

Computer is a 486 with 850 Mb hard drive with no stacking.

Used McAfee to clean disk and was successful except that I still cannot
boot from the hard disk. I boot from a floppy and try to switch to hard
disk but get "Invalid Drive Specification".

Any suggestions? Is reformatting my hard disk the only way to correct this?
Will the fdisk/mbr command do anything for me and will it save my data?
By the way, we have DOS 6.22.

Thanks in advance,
Malaney J. Hill
e-mail: mhill@astro.ge.com

------------------------------

Date:    Tue, 16 May 95 17:06:28 -0400
From:    cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: Turbo Virus (PC)

Haymee_Perez_Cogle@angonet.gn.apc.org writes:

>Do you have any information on virus named "turbo" ? I'll appreciate any
>information, with Nav I could not remove it.

If your scanner is S&S, then the virus is Sampo. Otherwise, I've not heard
this virus name.

Jimmy

------------------------------

Date:    Tue, 16 May 95 19:03:53 -0400
From:    lgchiu@csupomona.edu (PHOOLIO DISGRACIAS)
Subject: Update for Norton? (PC)

Hi,

Does anyone know where I can get an update for the virus list that comes
with Norton 8.0? Is there an FTP site? If anyone can help, please respond
via email to one of my email addresses below.

Thanks!

- --LAwton
- --
~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,
-=Lawton Chiu=-
lgchiu@csupomona.edu
lgchiu@vms4.sci.csupomona.edu
http://www.sci.csupomona.edu/~lgchiu/
_,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'
~`'^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-==--^'~=-.,__,.-=~'`^`'~=-.,__

------------------------------

Date:    Tue, 16 May 95 19:45:08 -0400
From:    Iolo Davidson
Subject: How to remove virus in IDE HD ? (PC)

kwong@hk.super.net "Mr Hui Fung Kwong" writes:

> The advice is that never do a low level format on a IDE hard drive (not
> knowing why).
> How does one remove suspect infected hard drive?
>
> I like to know will normal format on a hard drive will be able to
> remove all virus in the hard drive.

Formatting a disk is not the way to get rid of a virus. It is neither
necessary nor necessarily effective. Get a good anti-virus software
package.

- --
USE OUR CREAM          THEY'LL COME
AND WE BETCHA          AND GETCHA
GIRLS WON'T WAIT            Burma-Shave

------------------------------

Date:    Tue, 16 May 95 19:57:16 -0400
From:    Iolo Davidson
Subject: hidenowt virus (PC)

goose@yarrow.wt.uwa.edu.au "Jose Isler" writes:

> has anybody heard of the HIDENOWT virus (PC).

Yes indeed. This is the only virus I ever named where the name stuck. It
has been around for years and any competent AV program ought to handle it.
It is full of traps for the disassembler and a great puzzle if you enjoy
that kind of thing.

> this virus corrupts mostly the .exe and .bat files.

Bat files?

> any info would be much appreciated.

From a years-old FAX alert:

This is a stealth virus which infects both .COM and .EXE files larger than
about 2k in size. Files grow by about 1747 to 1757 bytes, but the increase
in size is concealed when the virus is in memory. It infects the first
uninfected program file (if large enough) in a directory list whenever the
DOS 'search for file' functions are used, typically when you do a DIR or
run a program. Note that when you run a program, it is not necessarily the
program you run that gets infected. It also infects COMMAND.COM by name
when it is first run.

- --
USE OUR CREAM          THEY'LL COME
AND WE BETCHA          AND GETCHA
GIRLS WON'T WAIT            Burma-Shave

------------------------------

Date:    Tue, 16 May 95 20:13:01 -0400
From:    Christie Nader
Subject: Re: f-prot (PC)

> Could someone please tell me where I could find f-prot. Is the virus
> scanner that comes preinstalled with a new computer (Packard Bell) any
> good. I am a newbie and would appreciate any advice on what scanners
> work the best. Thank you.. (:-) Dave P.
http://www.datafellows.fi is their web site. I'm pretty sure you can
download the latest version of it from there.

Christie

------------------------------

Date:    Tue, 16 May 95 21:08:16 -0400
From:    etazura@ibm.net (Kyle Barrow)
Subject: Mischief virus, please help. (PC)

My PC has been infected with Mischief, a desktop virus. The symptoms are
erratic mouse movements every 10 minutes or so. Does anyone know how to
kill it?

Thanks :-(

------------------------------

Date:    Wed, 17 May 95 00:41:49 -0400
From:    mesmer@ix.netcom.com (Harrington/Thomas )
Subject: Re: Warning VShield 2.2.221 doesn't work(PC)

I had a similar experience. Installed VSHIELD on one machine, VIRSTOP on
another and left a third unprotected. Then I ran a program infected with
Possessed. It ran on the unprotected machine (of course) and it ran on the
VSHIELD machine. Virstop detected the virus and locked up the computer.

- --
Mesmer
John Harrington, C.Ht.
WWIVNet #1@2732
Tampa, FL

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 56]
*****************************************
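Added example (not part of the digest or of any poster's message): the FAX alert quoted in the HIDENOWT message says infected .COM/.EXE files grow by 1747 to 1757 bytes and that the growth is hidden while the virus is resident, so sizes seen after a clean-diskette boot can be compared with a reference listing. The DIR layout, file names and sizes below are constructed, and the function names are this example's own.

```python
import re

# Growth range quoted in the alert above: bytes added to each infected file.
GROWTH_MIN, GROWTH_MAX = 1747, 1757
PROGRAM_EXTS = {"COM", "EXE"}

# One file entry of a DOS DIR listing: NAME EXT SIZE DATE TIME
DIR_ENTRY = re.compile(
    r"^(\S{1,8})\s+(\S{1,3})\s+([\d,]+)\s+\d{2}-\d{2}-\d{2}\s+\S+$")

def parse_dir(listing):
    """Return {"NAME.EXT": size} for the .COM/.EXE entries of a DIR listing."""
    sizes = {}
    for line in listing.splitlines():
        m = DIR_ENTRY.match(line.strip())
        if m and m.group(2).upper() in PROGRAM_EXTS:
            name = f"{m.group(1)}.{m.group(2)}".upper()
            sizes[name] = int(m.group(3).replace(",", ""))
    return sizes

def size_discrepancies(reference_listing, clean_boot_listing):
    """List program files whose clean-boot size differs from the reference."""
    ref, clean = parse_dir(reference_listing), parse_dir(clean_boot_listing)
    findings = []
    for name in sorted(ref.keys() & clean.keys()):
        delta = clean[name] - ref[name]
        if delta:
            suspicious = GROWTH_MIN <= delta <= GROWTH_MAX
            findings.append((name, ref[name], clean[name], delta, suspicious))
    return findings

# Constructed sample listings (not taken from a real machine).
REFERENCE = """\
 Directory of C:\\TOOLS
EDIT     COM       413 05-31-94   6:22a
FORMAT   COM    22,974 05-31-94   6:22a
CHKDSK   EXE    12,241 05-31-94   6:22a
MEM      EXE    32,502 05-31-94   6:22a
README   TXT     1,024 05-31-94   6:22a
        5 file(s)         69,154 bytes
"""
CLEAN_BOOT = REFERENCE.replace("22,974", "24,725").replace("32,502", "32,600")

if __name__ == "__main__":
    for name, before, after, delta, hit in size_discrepancies(REFERENCE, CLEAN_BOOT):
        note = "within the quoted 1747-1757 byte growth" if hit else "other change"
        print(f"{name}: {before} -> {after} ({delta:+d}) {note}")
```

Because the alert says the virus infects on the DOS 'search for file' calls, a DIR on a running infected system spreads it further; a listing saved before infection is the safer reference.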