VIRUS-L Digest   Thursday, 25 May 1995   Volume 8 : Issue 58

Today's Topics:

Re: Boot sector infectors question...(all)
Re: Viruses in binaries? Maybe.
Re: Turkey virus
Illegal to write viruses?
Turkey virus is a "Turkey"
Writing a paper on societal effects of viruses
UNESCO sponsored computer virus lab in Cuba
Help !! Where to find virus PAPERs ??
Re: "Virus!" by Lundell
Need resident OS/2 virus watch facility (OS/2)
Re: REQ for help on Virus Demo (PC)
Re: McAfee's VirusScan doesn't work in Windows? (PC)
stealth_c (PC)
ThunderByte more dangerous than helpful? (PC)
Int10 Virus (PC)
Letters falling to bottom of screen virus (PC)
Roma virus (PC)
Re: F-Prot 2.17/NAVTSR (PC)
Wanted Info on Junkie Virus (PC)
RE: AntiCMOS? LiXi? (PC)
WELCOMB and FICHV viruses. (PC)
Boot sector viruses (PC)
Microsoft ships virus intentionally? (PC)
possible virus infection? (PC)
False positive (I think...) Would like assurance (PC)
stealth_boot.c (PC)
NAV 3.0 - FORM Killing me!!! (PC)
Removing Monkey B (PC)
Re: Dr. Solomon's Anti-Virus Toolkit (PC)
Re: Win95 and Current Antiviruses (PC)
NAV not detecting OneHalf! (PC)
Unknown virus (PC)
Re: URKEL help and description please. (PC)
virus on a doublespaced drive (PC)
E-Form Virus (PC)
Re: Help me, telephonica virus? (PC)
need info on anticmos B , thnx (PC)
Re: Gneb (PC)
Taipan (PC)
Help "QUICKLY" Virus PC (PC)
Big Caibua Virus (PC)
HELP ! Suspicious "Urkel" activity (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 18 May 95 13:26:59 -0400
From: iandoug@aztec.co.za (Ian Douglas)
Subject: Re: Boot sector infectors question...(all)

SWM107@smtp.nwscc.sea06.navy.mil wrote:

>I may be oversimplifying things somewhat, however it seems to me that
>a boot sector infector would find it very difficult to propagate
>rapidly in today's world.

From systems running OS/2, yes.

>Are we still booting from diskette so often
>that we can be infected from these beasties? It is my understanding
>that a boot sector infector cannot infect your computer unless you
>boot from the infected medium. With current technology utilizing
>large hard drives and extensive operating systems stored on them, it
>would seem that the occasion to boot from the diskette would be a very
>rare occurrence. I understand that there are accidents where one
>might reboot with a forgotten floppy in the drive, however this would
>not occur often enough to create a prolific environment for these
>viri.

Um, many people run Windows. Windows tends to hang. So they hit alt-ctrl-del, and voila! the virus is transferred to the HD. Or, they forget the diskette in the drive. Tomorrow they boot, and the same thing happens. These two ways are the main ways that BSIs spread. Sneakernet provides the rest of the path.

Cheers, Ian

- --------------------------------------------------------------------
P.O. Box 484          If no_goals          35 iandoug@aztec.co.za
7532 Sanlamhof        Then                 1,73 : 58
South Africa          no_achievements      iN*T*j
PGP key available
- --------------------------------------------------------------------

------------------------------

Date: Thu, 18 May 95 13:28:56 -0400
From: iandoug@aztec.co.za (Ian Douglas)
Subject: Re: Viruses in binaries? Maybe.

is06@stir.ac.uk (I. Stirling) wrote:

>: Impossible. Data is DATA. Viewers interpret it, not execute it. How exactly is
>: data that is being read going to 'trick' a viewer into doing something it's
>: not?
>As below
>: >Nobody's seen one yet.
>: I believe this when I see it...
>: It will only be possible if the viewer was written with that capability in
>Please do not assume things on subjects you know little about, it is in
>theory possible to write a virus that takes advantage of a bug in a
>viewer, causing it to execute the data. This is Very difficult, as
>first you have to find the bug.

For the record I have a B.Sc in Computer Science, work as a computer professional, and have been studying viruses for several years.

It is possible in theory, but the chance of it happening is so small as to be totally discounted. If such a bug existed, then the viewer would habitually try and execute data, causing a system hang, resulting in the user dumping the viewer for something decent. I doubt very much if a viewer will branch to some obscure place, possibly to data, as a result of data which it is just decoding. Certainly not a far jump. I know you will insist that in THEORY it may, but let's be realistic, ok?

Cheers, Ian

------------------------------

Date: Thu, 18 May 95 13:30:19 -0400
From: iandoug@aztec.co.za (Ian Douglas)
Subject: Re: Turkey virus

frisk@complex.is (Fridrik Skulason) wrote:

>s001jap@discover.wright.edu (JOHN POLAND) writes:
>>An older book on viruses that I was reading (VIRUS! by Allan Lundell
>>copyright 1989) mentions a virus called the Turkey virus. Apparently the
>>virus causes a picture of a turkey to appear on the users screen and then
>>focuses part of the cathode ray beam and burns a hole in the screen.
>uh.uh....sounds like either a work of fiction or a good example of technical
>incompetency...who is this Allan Lundell guy ?
>Anyhow...this thing doesn't exist...

This nonsense surfaced in the FidoNet virus echos a year or two ago (during one of the infamous hardware-damaging-virus debates). AFAIR, it is an urban legend. There is no way to 'focus part_of (?!!) the cathode ray beam and burn a hole in the screen' from software. The cathode ray scans the whole screen umpteen times a second, this is built into the hardware, and you are not going to change it from outside. Even IF you could focus it in the centre of the screen, it won't burn a hole. Besides, the user will see something wrong and switch off.

Cheers, Ian

------------------------------

Date: Fri, 19 May 95 07:18:04 -0400
From: petteri@pjoy.fi (Petteri Jarvinen)
Subject: Illegal to write viruses?

Are there any other countries except England where writing viruses is illegal? What is the penalty, if the virus writer is caught?

Petteri

- -------------------------------------------------------
petteri@pjoy.fi   www.pjoy.fi
Petteri Järvinen, Tekniikantie 12, 02150 ESPOO, FINLAND

------------------------------

Date: Fri, 19 May 95 17:09:34 -0400
From: s001jap@discover.wright.edu (JOHN POLAND)
Subject: Turkey virus is a "Turkey"

I posted a question about the Turkey virus several days ago. In response I received several flaming E-Mail messages. Just to set the record straight: I was not trying to create a hoax or start some wild rumor. Lundell and the book Virus! do exist and do mention a virus called the Turkey. I am not as knowledgeable about viruses as many of the people who read and post to this group. It was an innocent and naive question. Thanks for the education :).

- --
**********************************************
John P.   E-Mail: s001jap@discover.wright.edu
**********************************************

------------------------------

Date: Fri, 19 May 95 17:10:38 -0400
From: ICS Instructional Labs
Subject: Writing a paper on societal effects of viruses

Hi out there,

I am a student at University of California at Irvine, and I am writing a paper on the effects of computer viruses on society. In particular, I am interested in the Michelangelo virus. If you know of anywhere I can find information on this subject such as where the virus came from, etc. I would be very appreciative.

I can be e-mailed at: eaou290@ea.oac.uci.edu

Thanks
Andy

------------------------------

Date: Fri, 19 May 95 22:00:58 -0400
From: mallen@servidor.dgsca.unam.mx (Mallen Fullerton Guillermo Manuel-UIA)
Subject: UNESCO sponsored computer virus lab in Cuba

I recently received a brochure from the "Laboratorio Latinoamericano para la Proteccion Contra Virus Informaticos de la UNESCO" (UNESCO Latin-American Laboratory for Protection Against Computer Viruses). This Lab has its offices in Cuba and sells some products. The following is a translation from the brochure:

>"EVI CD-ROM "Computer Virus Encyclopedia" This software product developed by
> specialists from the Laboratory, has been converted to the CD-ROM technology
> with the collaboration from the CENEDIC of the Colima University, Mexico.
>
>CVS Scanner/Cleaner of viruses detected in Cuba and reported to the Laboratory
> by region countries
>
>CVP Centinel [resident?] virus detector
>
>CHECK Generic computer viruses detector
>
>DMOVIRUS This product shows the graphical representation of a set of known
> international viruses, isolated by the Laboratory specialists.
>
>Those products identify and clean Iberoamerican native viruses, among them:
>
>    VIRUS          COUNTRY
>    CPW            CHILE
>    ROGER          PERU
>    VIVA MEXICO!   MEXICO
>    UNSPEED        CUBA
>    KCUF           CUBA
>    TERMINATOR     CUBA
>    BARROTES       SPAIN
>
>It is important to note the effectiveness of those [programs] against NATAS or
>SATAN virus during 1994 in MEXICO, VENEZUELA and CUBA, where known
>international antivirus software, like MCAFEE SCAN failed against that breed."

They mention many viruses unknown to me (ROGER, VIVA MEXICO, UNSPEED and KCUF) and I have never seen their programs. A generic virus detector would be nice if it could detect all viruses _before_ they are run, but of course that would be a miracle.

Does anyone on the net have more information about this UN sponsored Lab? Are their programs good? I will appreciate a benchmark comparing it with F-PROT, AVP, TBAV and other serious programs and previous experience with that Lab.

Thanx
Guillermo Mallen

------------------------------

Date: Sat, 20 May 95 01:28:07 -0400
From: r2506053@csie.ntu.edu.tw (Jason Lee)
Subject: Help !! Where to find virus PAPERs ??

I would like to read the famous virus paper written by Dr. Cohen. Could anyone provide any information to find a FTP site? Thanx for any help. ( no solution in FAQ. sorry )

Jason Lee

------------------------------

Date: Sat, 20 May 95 19:04:17 -0400
From: "Robert A. Buchanan"
Subject: Re: "Virus!" by Lundell

I have been told that a text file cannot contain a virus while an exe or com which are executable programs can. I would suppose this also might include zip programs or exe or install programs. Can a virus detection program find a virus in a zipped file????? Thanks in advance for any data.

Bob

------------------------------

Date: Thu, 18 May 95 19:00:23 -0400
From: norman@flowbee.interaccess.com (Jeffrey S. Norman)
Subject: Need resident OS/2 virus watch facility (OS/2)

Does anybody make a virus detection program that runs under OS/2 and continually monitors the system for virus-like activity???

Please don't mention CPAV for OS/2 -- that product, believe it or not, only loads a memory resident virus detection program in your dos sessions. Their tech support is non-existent (literally) and on the bboard system their electronic tech support stated that he did not even intend to test the program with Warp! (my version of vwatch for OS/2 dos sessions does not run under Warp without practically disabling my floppy drives in the dos session). If you don't believe me, check out their BBS for a laugh (503) 984-5366. You have to log into the "network and os/2" board.

That same tech support person also stated that he was unaware of a need for a virus detection program for OS/2 since no virii exist for the OS yet. Hmmm. Not a very comforting thought. I have to wait until someone discovers an OS2 virus b/f anyone will make a virus detection program????!!!

Anyway, suggestions about the existence of such a program would be greatly appreciated.
------------------------------ Date: Thu, 18 May 95 12:40:11 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: REQ for help on Virus Demo (PC) ivory@netcom.com (Ivory Dragon) writes: >I am scheduled to give a lecture/demonstration to several dozen >"slightly" PC literate executives, and I would like to find something >that visually demonstrates how viruses work. Sorry, but what you plan to do will give a totally inaccurate impression of what viruses look like, and what they do. Why not just tell them the truth ? Most viruses do nothing but replicate, and (because of flaws) sometimes make certain programs not work any more. A few will trash your disk, or corrupt your data. >This could be done either by >harmlessly recreating the effects of a virus (preferably some of the more >entertaining ones) So far I have not seen a single "entertaining" virus. - -frisk ------------------------------ Date: Thu, 18 May 95 13:04:05 -0400 From: templeton Subject: Re: McAfee's VirusScan doesn't work in Windows? (PC) Actually, I have no problem any of the latest DOS versions from a DOS Shell, minimized or not. I am running WFW (Windows 3.11) which might make the difference. You might consider trying WFW. Also, you can download the windows version from the McFee FTP. Good Luck, - -Rico - ----------------------------------------------------------------- The Brothers Froggit: Hong Kong, Anchorage, San Francisco, Boston. "If you can want it, we can get." ------------------------------ Date: Thu, 18 May 95 14:14:46 -0400 From: marhal@berlin.snafu.de (Herman the German) Subject: stealth_c (PC) would on a dos 4.1/novwell netw. 2.11 server a stealth_c virus on the dos-partition (C:) after a disk boot with dos 6.x a FDISK /MBR to get rid of the virus affect the novell nondos partition, which is the 2. partition on C: ? See stealth-c/dropper#4 question in alt.virus. i need an advice soon. 
i do not want to risk to loose the novell (non-dos) partition, which means reinstalling netware (too time consuming). anyone knows? thanks htg ------------------------------ Date: Thu, 18 May 95 14:17:58 -0400 From: I92ZELGE@isbe.ch Subject: ThunderByte more dangerous than helpful? (PC) Hi guys I work for a very big pharma company in Switzerland and our department uses the TBAV (ThunderByte) virus-scanner to check our computers. But since last Thursday I am not sure, whether this program causes more problems than it could help protect computers from viruses. I had some corrupted files on my disk and I fixed it with SCANDISK. After this procedure everything went right on my PC. I booted the PC, started Windows and loaded several applications without any problems after SCANDISK. But the next morning (TBAV scans only once a day if you want so) TBAV was detecting some differences (TBAV was not sure, if it is a virus). My collegue pressed ENTER to fix the problem. Since then you were no longer able to start any applications in Windows. Everything seemed to be totaly destroyed. I had to reinstall WINDOWS and all the applications runnung under it. The only programs that were not destroyed were NON-WINDOWS-Applications. This experience let me remove TBAV from my disk. Please answer me, if you had any similar experience. Write to: torsten.zelger@roche.com or to: i92zelge@iben00.isbe.ch Thanks a lot ! Torsten ------------------------------ Date: Thu, 18 May 95 14:36:13 -0400 From: casey123@freenet.edmonton.ab.ca () Subject: Int10 Virus (PC) Int10 virus I just had F-prot tell me that it found the Int10 virus infecting my MBR. But I can not get F-prot to disinfect or delete it. F-prot also did not have any information on the Int10 virus. Can any one tell me about this Init10 virus and how to get rid of it. 
Thanks in Advance Casey Warrilow - -- qy--------------------------------------------------------------------------- Casey Warrilow email: casey123@freenet.edmonton.ab.ca Edmonton, AB, T5T 2T1 compuserve: 75203,2477 - --------------------------------------------------------------------------- ------------------------------ Date: Thu, 18 May 95 20:40:52 -0400 From: srozhon@ix.netcom.com (Sandra Rozhon) Subject: Letters falling to bottom of screen virus (PC) Can someone tell me what virus causes words to disassemble and the letters to randomly fall to the bottom of the screen? Thanks ------------------------------ Date: Thu, 18 May 95 21:06:21 -0400 From: achoo@welchlink.welch.jhu.edu (ALBERT CHU ) Subject: Roma virus (PC) Hello there! A professor of mine recently came back from Italy, and brought back on his laptop a virus ... detectable but uncleanable by both F-Prot and a recent version of McAfee's Scan. It's called Roma (according to F-Prot 2.17) and it is a boot sector virus. Anyone out there know what we can do to get rid of this virus? Any help would be MUCH appreciated. Thank you very much. Sincerely, Al - -- Albert Chu achoo@welchlink.welch.jhu.edu ------------------------------ Date: Fri, 19 May 95 01:09:52 -0400 From: PAKG45A@prodigy.com (Bill Dougan) Subject: Re: F-Prot 2.17/NAVTSR (PC) There should be no need to run two anti-virus TSR's on your system. I would suggest using virstop.exe vs. NAV, as f-prot is a superior anti- virus scanning program compared to NAV. Bill Dougan: pakg45a@prodigy.com Sitka, AK or: tswrd@acad1.alaska.edu "Letting the days go by and the water hold me down" ------------------------------ Date: Fri, 19 May 95 01:24:54 -0400 From: kanen@melbpc.org.au (Janice Kanen) Subject: Wanted Info on Junkie Virus (PC) I am looking for any information on the Junkie Virus, particularly what it does and any clean programs available. I have a short article from CIAC and have looked at vsum with no luck. 
sincerely ,-._|\ Janice Kanen Limit to about 76 cols-> / Oz \ Mail Address, Phone, Fax. Member, Melbourne PC User Group. \_,--.x/ Edit/replace text but don't exceed 4 lines as per netiquette. v ++++ Fancy borders count as a line ~~~~~~~~~~-----++++++++++ ------------------------------ Date: Fri, 19 May 95 03:09:20 -0400 From: hendk@explorer.sasknet.sk.ca (keith hendren) Subject: RE: AntiCMOS? LiXi? (PC) In comp.virus shafto@aristotle.ils.nwu.edu (Eric Shafto) said: >I am evaluating two anti-virus packages, Dr. Solomon's AVTK and F-Prot. I had >a recent virus incident where the two differed, and I'm confused. > >F-Prot said I had AntiCMOS, that it didn't have specific cleaning instructions, >and offered to replace to boot sector. I tried this on one diskette, which was >corrupted by the procedure. > >I pulled out my (as yet unopened) copy of Dr. Solomon's, and it said I had >LiXi, which was not known to be in the field. It also offered no alternative >but to replace the boot sector, which it did without incident. > >>From the descriptions of the two viruses, and from the fact that Solomon's >on-line virus encyclopedia (although not the printed one) list both, I do not >believe this is simply a case of two different names for the same virus. > >My questions therefore: Which did I have? Could I have had both? Was the >diskette corruption a fluke? Am I the first on my block to get LiXi? How do I had a similar experience. The latest version of SCAN said I had anticmos-A virus, and rewrote the boot sectors of my infected floppies. I think I used fdisk /mbr to get the hard drive mbr cleaned up. FProt also called it Anticmos, but TBScan v6.34 called it LIXI. I seem to recall having something report it as AntiCMOS-LIXI, but don't remember what. The only information I came across defining the actions of this virus implied that the only harmful effects of the virus would be to delete the CMOS data (which didn't happen here). 
I did however notice that the time stamps on some of my DOS files were incremented by 5-7 hours (eg. 6.22am became 1.22pm). Though I did replace the files which I noticed were affected, I am left concerned that I may not have yet reversed all the effects of the virus(es?). ------------------------------ Date: Fri, 19 May 95 05:57:29 -0400 From: tcchew@merlion.singnet.com.sg Subject: WELCOMB and FICHV viruses. (PC) Anyone heard of these 2 viruses? I have tried to use Scan 220 with 221 data file to clean but to no valid. Pls kindly recommend on the types of virus scan programs to use. Is the Sophos Anti-virus program good? ------------------------------ Date: Fri, 19 May 95 06:19:36 -0400 From: tcchew@merlion.singnet.com.sg (Charles Chew T.C.) Subject: Boot sector viruses (PC) Hii there, I heard that all boot-sector viruses can be cleared by typing "fdisk /mbr" at the dos prompt. Is it true? ------------------------------ Date: Fri, 19 May 95 07:58:11 -0400 From: Kevin Marks Subject: Microsoft ships virus intentionally? (PC) This showed up in comp.risks. Anyone got any more information? Date: Wed, 17 May 95 13:44:40 EDT From: cnorloff@tecnet1.jcte.jcs.mil Subject: Microsoft plans corporate espionage Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year. "In Short" column, page 88, _Information Week_ magazine, May 22, 1995 The implications of this action, and the attitude of Microsoft to plan such action, beggars the imagination. Chris Norloff cnorloff@tecnet1.jcte.jcs.mil ------------------------------ Date: Fri, 19 May 95 09:50:19 -0400 From: "roger (r.f.) 
shum" Subject: possible virus infection? (PC) Hi, everyone, A friend of mine has a Comparq note book 386. It has happened to him for a few times that for some reasons, all the files (config.sys, autoexec.bat ...) in the root directory were deleted. He noticed this when he powered the notebook up. He is sure that it is not done by any "human". Apart from this, he didn't know why this is happened. I used scan v2.0 to scan all the files in the notebook but nothing was turned up. This happened again a couple of days ago. The notebook can no longer boot from the harddisk. It can only boot from A: but after boot up, C: is still accessible. He had to reformat the harddisk and re-install every software. The notebook is fine now. Somehow, I have a feeling that this will happen again. He normally uses AutoCad with this notebook. Does anyone know if this is the symptom of an virus? Any clue? Regard, Roger Shum ------------------------------ Date: Fri, 19 May 95 10:51:44 -0400 From: goetz@dip.eecs.umich.edu (Peter Goetz) Subject: False positive (I think...) Would like assurance (PC) I think I have received a false report and some weird effects from McAfee V2.1.210 (7/14/94), but I would like some reassurance from someone knowledgeable. I just installed Windows 3.0 and MS-DOS 6.0 (old, but the price was right for a 286) on my computer (they were still shrink-wrapped), and I afterwards thought I was stupid for not scanning the disks beforehand. I had an old copy of McAfee Viruscan around, so I stuck it in and it halted on the memory check without scanning the disk. It said there were traces of TYPO BOOT found in memory. I booted off of the installation disk, and then it scanned with no complaints. I got curious and rebooted off the harddrive. V2.1.210 this time said it found traces of Diamond-RS. I did scan /boot twice in a row and got two different virus names. I then got F-Prot 2.17 and the 4/13/95 McAfee version. 
Neither of them complained at all even when I used them to scan ALL files, in neither the Secure Scan nor in Heuristics modes of F-Prot (I scanned with F-Prot before I had the new McAfee version). I tried V.2.1.210 again, and it gave me a _different_ virus name. I trusted the newer version more, so I tried various scans and got V2.1.210 to say it had found traces of the following viruses in memory (all in different scans): BAD BOY LEECH MUMMY DIAMOND-RS TYPO BOOT TERM2 NOV THEN I tried the _NEW_ McAfee scanner, and it the system halted: ON BOARD PARITY ERROR ADDR(HEX) = (4000:580E) SYSTEM HALTED After several trials, I got similar messages, all with different addresses (4000:5222, 4000:5F58). Then I figured the old McAfee scan was messing up the new McAfee scan, so I tried this sequence with the following results: 1. F-Prot - "possibly a variant of November_17th" found in CLEAN.DAT of the new McAfee version 2. New McAfee - no problems noted 3. Old McAfee - traces of TYPO BOOT 4. F-Prot - same as the first trial 5. New McAfee - no problems noted and no "ON BOARD PARITY ERROR" (did F-Prot clean out the memory?) 6. Old McAfee - traces of TERM 2 7. New McAfee - ON BOARD PARITY ERROR ... SYSTEM HALTED I figure that there is no real virus. I guess that the old McAfee is finding some ghost, and then leaving some bad stuff in the memory that the new McAfee is choking on. It appears as if F-Prot isn't affected by the ghost left by the old McAfee, and even cleans out the memory for the new McAfee. I also tried MSAV (which came with DOS 6.0), and it never complained about anything, nor did it clean out the memory. Here is the sequence I tested and the results: 1. MSAV - no problems noted 2. Old McAfee - traces of NOV 3. MSAV - no problems noted 4. New McAfee - ON BOARD PARITY ERROR ... 
SYSTEM HALTED I would like to just forget about what the V2.1.210 said and go merrily on my way, assuming that the new McAfee, F-Prot, and MSAV are all right, and that I shouldn't worry about the PARITY ERROR that occurs when the old McAfee is followed by the new McAfee. But it does make me a little nervous. And my wife is REALLY sick of me spending all of my time playing around on the computer with this nervous look on my face. In the words of the Marathon Man's tormentor, "Is it safe?" Thanks, * Peter Goetz goetz@eecs.umich.edu * * Solid State Electronics Lab 2435 EECS * * The University Of Michigan (313)763-6132 * ------------------------------ Date: Fri, 19 May 95 12:50:03 -0400 From: desiree@queens.lib.ny.us (Desiree Simmons) Subject: stealth_boot.c (PC) Does anyone no of a way to get rid of this virus? I ran f-prot which told me I havea "circular infection" and f-prot would not attempt to remove the virus. TIA ======================================================================= Desiree Simmons Microcomputer Specialist Queen Borough Public Library Desiree@queens.lib.ny.us voice 718-990-0841 ------------------------------ Date: Fri, 19 May 95 13:51:50 -0400 From: steve@vp-14.eushc.org (Owen Gee) Subject: NAV 3.0 - FORM Killing me!!! (PC) My system has the FORM virus resident in memory. Norton Anti-Virus 3.0 scans and finds the virus every time I boot the system and it will not stop. I've tried to by pass Norton and cannot for some reason. Norton halts the system before I can get to the c:> prompt and do anything. Cannot boot from drive a: either. What must I do??? Steve in Atlanta ------------------------------ Date: Fri, 19 May 95 14:15:26 -0400 From: "Scott Dick (CS)" Subject: Removing Monkey B (PC) I have used two different programs to remove this virus. Firstly, McAfee 2.20 (datfile 220) easily cleans infected floppies. I have also succeeded in cleaning an infected hard drive with the same program. 
From what I have read in the Virus-L digests, however, McAfee is unreliable for cleaning hard drives. The second program is Killmonk.exe v3.0. This is a virus-specific detector and cleaner, which only works for Monkey and Int_10. This program has no trouble cleaning hard drives and floppies, and all the posts I have seen strongly recommend it. Both programs are shareware, and available from the Simtel archive. The site I use is oak.oakland.edu, in the Simtel/pc/msdos/virus directory. They are stored as zipfiles, so you'll need unzip.exe or pkunzip.exe (look in Simtel's compress directory for those). You should get scn-***.zip for McAfee and kllmnk30.zip (?) for killmonk. Good Luck! Scott Dick USF Computer Science dick@suntan.ec.usf.edu ------------------------------ Date: Fri, 19 May 95 14:37:59 -0400 From: shafto@aristotle.ils.nwu.edu (Eric Shafto) Subject: Re: Dr. Solomon's Anti-Virus Toolkit (PC) Simon Basterield (simonb@melbpc.org.au) wrote: : The company that I work for is considering a site-license for Dr. Solomon's : Anti-Virus Toolkit. : I would be interested in hearing from people who have used, or are using this : product and what your impressions of it are (whether you have good or bad : things to say). I've just started to evaluate it (two virus incidents so far). It seems to work very well, and the only review I read claimed it had superb recognition even on polymorphic viruses. But I think it has a truly awful user interface, and it sure isn't winning any speed records. To make the interface issue worse, it looks as though they have grafted a Windows front-end onto an MS-DOS product, and not done a very good job. ------------------------------ Date: Fri, 19 May 95 14:38:57 -0400 From: shafto@aristotle.ils.nwu.edu (Eric Shafto) Subject: Re: Win95 and Current Antiviruses (PC) Jeffrey Rice (jrice@pomona.edu) wrote: : I'm using Win95 Preview, and was wondering what effects this : would have on my current antiviral programs. 
I use Virstop, which : seems to be pretty much uneffected, but I was more concerned about : TBAV since it keeps a closer watch on my HD. What problems might : occur, and how can I prevent them? Are there any antiviruses that are : specifically designed for Win95? Info World ran an article claiming that people would have to replace their 16-bit anti-virus packages. ------------------------------ Date: Fri, 19 May 95 15:47:15 -0400 From: norman@flowbee.interaccess.com (Jeffrey S. Norman) Subject: NAV not detecting OneHalf! (PC) A large number of computers in our office have been infected with a virus. Symptoms: bad sectors on HD, scrambled or inaccessible files, unable to boot. CPAV reported the presence of the OneHalf virus. Our personnel (unaware of the special encryption utilized by OneHalf) attempted to remove the virus using CPAV on these computers without rebooting to a clean floppy first. CPAV appears to have repaired the problem by deleting all infected files, but some users are still reporting strange behaviour (? could be psychosomatic :-) Also, on one computer the CPAV "fix" resulted in a number of "bad sectors" in which I am concerned the virus may still reside. After learning of the problem, I instructed the computer people to stop using CPAV, and start using NAV 3.0 (with the signature update dated 5/1/95), booted from a clean floppy. NAV fails to detect the OneHalf virus!!!! When scanned with CPAV, a number of files are flagged as having the virus. NAV, however, fails to find these infected files or indeed to detect any infection at all. Worse, virus is certainly active since during an attempt to install NAV on a suspect computer, the install program crashed with a "cannot write to drive A:" error (the install diskettes are write protected). Anybody have any ideas? I have two: 1. A new strain of the OneHalf. 2. The attempted removal/innoculation with CPAV somehow made the virus "invisible" to NAV. Other ideas or similar experiences would be welcomed. 
Please email me since I don't frequent this group.

- ---------------------------------------------------------------------------
Jeffery S. Norman, Esq.        | Direct dial: (312) 755-2502
Foley & Lardner                | Fax: (312) 755-1925
One IBM Plaza, Suite 3300      |
330 North Wabash Ave.          | email: norman@interaccess.com
Chicago, Illinois 60611        |
- ---------------------------------------------------------------------------

------------------------------

Date: Fri, 19 May 95 16:52:36 -0400
From: jbehan@ic.sunysb.edu (Jason Behan)
Subject: Unknown virus (PC)

Hi all. I am posting on behalf of a friend who doesn't have access to the net. My friend attends Hunter College (New York City) and thinks the systems there are contaminated. He already picked up Urkel from their network, but returned that computer for other reasons. He now has a new computer and has a problem that he suspects is due to a virus.

The symptoms involve the a: drive. He can read/write to a floppy which already has data on it, but when he tries to format a blank disk, the format truncates and the disk becomes unreadable. He suspected hardware at first, but this was a symptom he had with his previous computer too, and he thinks that it's too much of a coincidence that both systems, which use disks originating from the same network, have the same problems. C: drive works fine however.

If anyone has an idea of what is the causative agent here (I don't even know if it is a virus to begin with), please let me know, either by followup or e-mail.

Thanks!
Jason

------------------------------

Date: Sat, 20 May 95 01:29:09 -0400
From: "mary y. tsang"
Subject: Re: URKEL help and description please. (PC)

i have tried to remove this particular virus with the following methods.

1. try Norton Disk Doctor. i find it useful most of the time. ndd can detect the corrupted partition table in the mbr and attempts to fix it. if ndd prompts you to search for a dos partition that once existed, select "yes" to continue the search.
in most of the times, ndd can recover the lost partition table and file allocation table info. it works most of the time.

2. you can boot from a clean floppy with the boot files and fdisk.exe in it. then run fdisk and check the partition table info. you will see some of the listed partitions are not supposed to be there (they look corrupted and they usually appear as non-dos partitions right after your original partition [partition #1]. this is a sign that the urkel virus resides in your hard drive.) what you can do now is carefully delete each of the corrupted partitions from the list (from the bottom up.) you use fdisk to delete the non-dos partitions (use option #3 from the main menu and select delete non-dos partition from the submenu) one by one. this will leave only one partition (that is, the original primary dos partition.) now, you may exit fdisk and boot up from the clean floppy again. with some luck, you should be able to read the c drive. i only did this on the machines which have only one hard drive and one single partition. i don't know if it works if the machine has multiple hard drives and partitions.

3. as your last resort, try f-prot and mcafee (the latest version.) if #3 works, i would not have to go through all the trouble. :)

if you find this helpful, please pass it along to other folks. i know a lot of you are pulling your hair now. :) good luck!

mary
academic computing services, hunter college, n.y.c.

------------------------------

Date: Sat, 20 May 95 02:52:19 -0400
From: mattr@dogbert.ugcs.caltech.edu (Matthew R. Richardson)
Subject: virus on a doublespaced drive (PC)

Just wanted to say thanks for all the input. We ended up cleaning it with F-prot, leaving drivespace loaded. It took care of it with no problems.

- --
- -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
I guess I kinda lost control, because in the middle of the play I ran up and lit the evil puppet villain on fire. No, I didn't. Just kidding.
I just said

------------------------------

Date: Sat, 20 May 95 06:49:52 -0400
From: deejay@innotts.co.uk (Dean Jackson)
Subject: E-Form Virus (PC)

A computer at work has been found to contain the E-Form virus and I'm concerned that my computer at home may now be contaminated. Does anyone know the effect of it? I'm awaiting some s/ware to test for it. Is it safe to 'clean' it away or will it then have other effects? Please EMail if you can help.

MANY THANKS.

------------------------------

Date: Sat, 20 May 95 11:43:21 -0400
From: adamjk@cogs.susx.ac.uk (Adam J Kightley)
Subject: Re: Help me, telephonica virus? (PC)

Gloona@info.swan.ac.uk believes:
> hard drive.On scanning the computer it said there was Telephonica Virus
> present and to boot up from clean floppy. but "Scan" showed there was
> nothing present on the disk. I found the person in charge
> of these computers and showed him the information, thinking he might
> want to be told. He's now taken all my disks and banned me from all
> computers in the Engineering section. He claimed I had infected his
> computers with a Virus...but he has failed to check them with a more

*sigh* With people like this in charge, viruses have an easy time. Now every user in the Engineering section will know that if one finds a virus, one must under no circumstances tell anyone in authority about it, because telling authority will result in disk confiscation and usage bars. Nobody will report viruses, or even tell other users if they detect one, because that results in a lot of trouble. The virus spreads and is only detected when it reaches a manager's machine.

In my job, whenever a user comes to me with an infection, I ensure they are treated especially well. I disinfect, check their data, explain how the virus might have got to them and, if they have their own PC, I give them a copy of the latest F-Prot with clear installation instructions.
Hopefully they will spread the word around that reporting a virus is no big deal and others will not be scared to scan.

There seems to be no reason for Gloona to be held responsible for the presence of a virus on this machine, but even if s/he was, that is no reason for punishment, unless malicious or reckless behaviour was responsible. Dr. Cohen's book has a nice section on this. I suggest Gloona shows it to the superior of this idiot and suggests that the idiot be requested to urgently learn some basics of security policy.

AJK
--
adamjk@cogs.susx.ac.uk - LGF, 78 Lansdowne Pl Hove, E.Sussex BN3 1FH
Voice: +44/1273/329489 (01273) 329489 - A.J.Kightley@sussex.ac.uk
Psychology Undergraduate - School of Cognitive and Computing Sciences
University Of Sussex UK - Working for Computing Service:(01273)678090

------------------------------

Date: Sat, 20 May 95 13:25:39 -0400
From: CUTC29B@prodigy.com (Kerry Browning)
Subject: need info on anticmos B , thnx (PC)

Several computers in our office are showing up with anticmos b virus. The latest McAfee cleans okay but from looking at some of the disks we are finding it on, it has been around a while. I know it is a boot sector virus, but does it have any damaging side effects we should look for? Can someone tell me where to find this solomon's encyclopedia of viri. Any help appreciated.

kerry

------------------------------

Date: Sat, 20 May 95 16:01:39 -0400
From: foxsm@terminus.com (Scott Fox)
Subject: Re: Gneb (PC)

bontchev@fbihh.informatik.uni-hamburg.de says...
>Bijan Razavi (aa831@freenet.carleton.ca) writes:
>
>> Last week my home computer got infected by a virus called Gneb which
>> attacks boot sector, how none of my AV did mentioned it in their V list.
>> This problem is still coming back very often.
>> Does anybody knows how to get rid of it? Which AV will do the job?

We found the same problem with Central Point Anti-Virus...had a boot sector infected with the NYB virus, but CPAV said it was GNEB with no explanation.
Norton AV and F-PROT both identified it as NYB. Needless to say, we're using F-PROT now instead of CPAV.

*********************************************************************
Scott M. Fox                                 Vandenberg AFB, CA
foxsm@terminus.com                           805.734.2163
Sufficiently advanced technology is indistinguishable from magic
- -arthur c. clarke
*********************************************************************

------------------------------

Date: Sat, 20 May 95 16:55:42 -0400
From: BLambdin@aol.com
Subject: Taipan (PC)

In a message dated 95-05-10 08:21:19 EDT, Israel Kay writes
>Tai-Pan also known as Whisper was discovered in Sweden around the
>middle of 1994. It is a virus that goes memory resident and only infects
>.EXE files. File sizes grow by 438 bytes. It will only infect .EXE files
>that are larger than 64k.

One small note: there is a larger variant of Taipan that is 666 bytes long.

------------------------------

Date: Sat, 20 May 95 20:49:03 -0400
From: SueA
Subject: Help "QUICKLY" Virus PC (PC)

Hi,

My brother has had problems with the "Quickly" virus, does anyone know the signature for this virus, as his system keeps getting reinfected, as he can't find which file originally infects the system. As the name suggests it damages files very quickly, writing to boot sector, changing attributes in command.com and damaging it, he hasn't been able to recover any files that it has attacked, damages fat too, seems to be a nasty piece of work.

Has Thunderbyte virus checker got a home site, where I can get a virus-free up-to-date copy ??

TIA.
Sue.

- --
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* sue@sjabs.demon.co.uk                                             *
*=================================================================*
* It's nice to be important, but it's more important to be nice ! *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

------------------------------

Date: Sat, 20 May 95 23:43:16 -0400
From: djk@PrimeNet.Com (Daniel J. Karnes)
Subject: Big Caibua Virus (PC)

I've seen a couple of folks mention that they did not know what "Caibua" meant.... Well, a Vietnamese guy I know says that "Big Caibua" means big "hammer" and that the word is gutter slang for a male sex organ.... I guess that fits considering the nature of the graphic that the virus displays during activation sequences.

Anyone have a copy of that virus that they would mind forwarding to me? This is something I've just got to see for myself.

- -djk
- --
- ------------------------------------------------------------------
- - Daniel J. Karnes - WA6NDT | djk@TASP.NET / djk@PrimeNet.Com ---
- - http://www.primenet.com/~djk - --------------------------------
- ------------------------------------------------------------------

------------------------------

Date: Sun, 21 May 95 01:02:45 -0400
From: pv9955%albnyvms.BITNET@uacsc2.albany.edu
Subject: HELP ! Suspicious "Urkel" activity (PC)

This morning (May 21) I turned on my computer and logged into my comm program. I saw something which I never saw before... The name "Urkel" would randomly pop up on various locations on my screen, and particularly in message boxes. Suspecting a virus, I ran a recent version of McAfee VirusScan, and it found nothing. Then I tried MSAV in DOS 6.22 and it found nothing ! The killer was that the dreaded "Urkel" was in the dialog box for MSAV while it was scanning for viruses !! :-(

Has someone been tampering with my computer? Or is this a new virus which neither scan program could pick up ?

Please help me. Reply via EMail.

Thank you,
Peter Volpe
PV9955@cnsvax.albany.edu

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 58]
*****************************************
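Editor's added example (not part of the digest, nor any poster's tooling): the fdisk check that mary y. tsang describes for Urkel in her "URKEL help and description" reply above, carried out offline against a raw 512-byte MBR image. The script decodes the four partition entries, flags non-empty "Non-DOS" entries that sit after the primary DOS partition (her sign of the infection), and zeroes them the way fdisk's "delete Non-DOS partition" option would. The overlap test (an extra entry whose sector range collides with the primary partition) is an added check the post does not mention; the set of type IDs treated as "DOS" is my assumption of what MS-DOS fdisk of that era listed as DOS partitions; and the MBR image is constructed for the demonstration, not taken from an infected disk.

```python
"""Check an MBR partition table for extra 'Non-DOS' entries and zero them.

Added example for the Urkel/fdisk procedure in the digest above; the
sample MBR is constructed, the DOS type-ID set is an assumption, and
the overlap test is an added check. Zeroing table entries restores the
table only; it does nothing to virus code in the first 446 bytes.
"""
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE          # byte 446: four 16-byte entries after the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

# Type IDs assumed to be what MS-DOS fdisk lists as DOS partitions; anything
# else shows up as "Non-DOS".
DOS_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16"}


@dataclass
class PartitionEntry:
    number: int          # fdisk-style numbering, 1..4
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.sectors == 0

    @property
    def is_dos(self) -> bool:
        return self.type_id in DOS_TYPES

    @property
    def lba_end(self) -> int:  # exclusive end sector
        return self.lba_start + self.sectors


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four partition entries of a 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        entries.append(PartitionEntry(i + 1, status == 0x80, ptype, lba, count))
    return entries


def find_suspicious_entries(entries: List[PartitionEntry]) -> List[int]:
    """Return fdisk numbers of entries that match the post's sign of Urkel:
    non-empty Non-DOS entries alongside the single primary DOS partition.
    Also flags any entry overlapping the primary's sector range (added check).
    Assumes a one-disk, one-partition machine, as the post does."""
    primary = next((e for e in entries if e.is_dos and not e.is_empty), None)
    if primary is None:
        return []
    flagged = []
    for e in entries:
        if e.number == primary.number or e.is_empty:
            continue
        overlaps = e.lba_start < primary.lba_end and primary.lba_start < e.lba_end
        if not e.is_dos or overlaps:
            flagged.append(e.number)
    return flagged


def delete_entries(mbr: bytes, numbers: List[int]) -> bytes:
    """Zero the given entries, mirroring fdisk's 'delete Non-DOS partition'."""
    out = bytearray(mbr)
    for n in numbers:
        off = TABLE_OFFSET + (n - 1) * ENTRY_SIZE
        out[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
    return bytes(out)


def build_sample_mbr() -> bytes:
    """Constructed MBR: one genuine FAT16 primary plus two bogus entries."""
    def entry(status, ptype, lba, count):
        return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    table = (entry(0x80, 0x06, 63, 1_000_000)        # #1: real primary DOS partition
             + entry(0x00, 0x75, 63, 500_000)        # #2: Non-DOS, overlaps #1 (constructed)
             + entry(0x00, 0x63, 1_000_063, 2_048)   # #3: Non-DOS, right after #1 (constructed)
             + entry(0x00, 0x00, 0, 0))              # #4: empty
    return bytes(446) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for e in parse_partition_table(mbr):
        label = "empty" if e.is_empty else DOS_TYPES.get(e.type_id, "Non-DOS")
        print(f"#{e.number}: type 0x{e.type_id:02X} ({label}) start={e.lba_start} sectors={e.sectors}")
    bad = find_suspicious_entries(parse_partition_table(mbr))
    print("suspicious entries:", bad)
    cleaned = delete_entries(mbr, bad)
    print("remaining:", [e.number for e in parse_partition_table(cleaned) if not e.is_empty])
```

On a real disk the 512-byte image would come from a sector dump taken after booting from a clean, write-protected floppy; as the post says, the table repair leaves the boot code alone, so a scanner still has to deal with whatever is resident in that first sector.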