VIRUS-L Digest   Tuesday, 30 May 1995    Volume 8 : Issue 60

Today's Topics:

Need info about anarchic organizations
Virus Compatibility
Re: Illegal to write viruses?
Illegal to write viruses?
Anybody knows GOSUB.PAR?? HELP!!! (PC)
Unbootable new hard drives (PC)
Viruses Stuck in Memory (PC)
Latest Greatest Virus detection software? (PC)
Am I safe? (PC)
Where is McAfee WWW (PC)
TimeWarp, any antivirus??? (PC)
Help with "form" (?) virus (PC)
Monkey-A info. sought (PC)
Crosslinked files (PC)
Re: Is Natas stealth? (PC)
Handling mbr infectors and 32 bit access (PC)
TBAV635 & Big Caibua (PC)
Anti-virus programs running under Windows95 (PC)
Re: 386spart.par (PC)
Still no USEFUL response about Flame virus. (PC)
Re: Re. Dr. Solomon's Anti-Virus Toolkit (PC)
win 9x and their bush league tactics (PC)
Win95 - just for viruses (PC)
Any information on SVC3103 Virus? (PC)
Please help - possible virus!!! (PC)
re: AntiCMOS? LiXi? (PC)
MS Viral Agent! (PC)
Re: Scanners getting slower (benchmarks) (PC)
MONKEY-A Information Sought (PC)
RE:Am I safe now??? Re: Ripper clean-up (PC)
Re: Microsoft ships virus intentionally? (PC)
Where do I find. WWW for McAfee. (PC)
Re: Cleaning of ANTIEXE virus (PC)
Greencat Virus (PC)
IBM Anti-Virus or McAfee? (PC)
InVircible - Availability in Australia? (PC)
Need help on removing Stoned virus (PC)
Letters falling to bottom of screen virus (PC)
Am I safe now??? Re: Ripper clean-up (PC)
Novell vs DOS virus (PC)
EMD Armor Plus comments (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 24 May 95 05:59:01 -0400
From: dms@students.fct.unl.pt (Daniel Martins Santos - Aluno Eng. Informatica)
Subject: Need info about anarchic organizations

Hi, everyone. I am also a virus researcher (with no commercial purpose); I am currently doing a final work about computer viruses here at the University, and I am lacking information on the virus underground world. I would appreciate some help from the "experts", like names, origin and purposes of such anarchic organizations (NuKE, Phalcon/SKISM, Armageedon, etc...).

Thanks in advance....

Regards,
Daniel Santos (Dgms)

------------------------------

Date: Thu, 25 May 95 06:16:56 -0400
From: az092@torfree.net (Vic Boss Paredes Jr.)
Subject: Virus Compatibility

Can an IBM virus, for instance, infect a UNIX or an Apple machine? Or can a UNIX virus infect the other systems? The same question goes for the Mac...

Vic Paredes Jr.
az092@torfree.net

------------------------------

Date: Thu, 25 May 95 15:06:37 -0400
From: gmann@haven.ios.com (Glen Mann)
Subject: Re: Illegal to write viruses?

Petteri Jarvinen (petteri@pjoy.fi) wrote:
: Are there any other countries except England where writing viruses is illegal?
: What is the penalty, if virus writer is caught?

I think that the programming theory, etc., may be interesting, etc. BUT, the "penalty" may depend on whose computer you infect. (Big guy = big fists.)

------------------------------

Date: Thu, 25 May 95 18:48:00 -0400
From: Iolo Davidson
Subject: Illegal to write viruses?
petteri@pjoy.fi "Petteri Jarvinen" writes:
> Are there any other countries except England where writing viruses is illegal?

Writing viruses is not illegal in England (more properly, in Britain). Distributing them to the unwary is.

- --
LATHER WAS USED
A 100 YEARS
BY DANIEL BOONE
TOO SOON HE LIVED
Burma-Shave

------------------------------

Date: Tue, 23 May 95 09:47:38 -0400
From: CELTA
Subject: Anybody knows GOSUB.PAR?? HELP!!! (PC)

Can somebody help me with this virus? GOSUB.PAR. I don't know anything about it, and I can't clean it ...

Th4nX..

------------------------------

Date: Tue, 23 May 95 10:20:58 -0400
From: interpol@xnet.com (Steve Crittenden)
Subject: Unbootable new hard drives (PC)

Our shop has purchased 15 new hard drives and we have not been able to make a single one bootable. After trying different CPUs, cables and versions of DOS, my last idea is that a virus has corrupted fdisk and/or format so that the drives we use them on are unbootable. If we use 6.22, either the partition will not hold, it will change to a non-DOS partition, or it will turn into some 4-part gibberish partition, depending on whether we use a Fujitsu (worst case) or a Seagate. DOS 6.0 seems to work fine except for the unbootable part. We do not get any error messages; the system freezes just before it should say Starting MS-DOS. A friend was able to take 6 of the drives to his office and they work fine. The only virus we have found is the
virus. Any ideas will be greatly appreciated.

Thanks,
interpol@xnet.com

------------------------------

Date: Tue, 23 May 95 13:00:47 -0400
From: "Trainee No. 2"
Subject: Viruses Stuck in Memory (PC)

I would appreciate info on how to get a virus that is stuck in RAM out.

------------------------------

Date: Tue, 23 May 95 18:32:44 -0400
From: paulm@winternet.com (Paul Montgomery)
Subject: Latest Greatest Virus detection software? (PC)

Can anyone tell me what the latest and best virus detection software is and where I can get it?

Thanks,
Paul

------------------------------

Date: Wed, 24 May 95 08:59:02 -0400
From: mhill@red.seas.upenn.edu (Malaney J Hill)
Subject: Am I safe? (PC)

First and foremost, thanks to all of the people who responded to my earlier post regarding the Ripper virus. I have just recently cleaned the Ripper virus from two computers at our site. One was cleaned using McAfee and the other was simply, but painstakingly, reformatted. How do I know that the virus has been completely removed and that I now have a "sterile environment", which the McAfee software alludes to? Are there any tests I can run or are there any tell-tale signs that I should look out for?

Thanks in advance,
MJHill
e-mail: mhill@eniac.seas.upenn.edu

------------------------------

Date: Wed, 24 May 95 09:29:43 -0400
From: martin-b@mhousing.synapse.net
Subject: Where is McAfee WWW (PC)

Hi, could anyone please e-mail me here with the WWW site address for McAfee please.

Thanks,
Brian.

------------------------------

Date: Wed, 24 May 95 10:04:10 -0400
From: corrego@med.puc.cl (Carlos Orrego)
Subject: TimeWarp, any antivirus??? (PC)

Hi from Chile, South America, where the sun always shines. This lovely virus is down here; does anybody know of any cure for this virus??? And where can I get it???

Million thanks.

------------------------------

Date: Wed, 24 May 95 16:16:24 -0400
From: billh@revco.com (Bill Hamlin)
Subject: Help with "form" (?)
virus (PC)

A while back I was having problems and I ran the Norton Anti-Virus and the MSDOS vsafe thing, and they detected that I had the "form" virus. So I cleaned things up... or so I thought. I saw on a description of the form virus that the attack mode was to randomly corrupt ".exe" files. Well, it seems that such has been occurring on my systems over the meantime (about six months). What it does is attach something (about 1100 or so bytes) to the file, rendering it useless. DOS hangs when I try to run it. It's happened enough times and on more than one system that now I'm thinking that bloody thing is in there and is no longer detectable by NAV or VSAFE. Yuck, I say. Does this sound familiar to anyone? Can anyone help me? Please respond by email (billh@revco.com).

------------------------------

Date: Wed, 24 May 95 18:22:53 -0400
From: ROACHL@CC.IMS.DISA.MIL
Subject: Monkey-A info. sought (PC)

Hi,

My PC was recently infected with the Monkey-A virus. I had trouble finding documentation on this virus. I know it is a boot sector virus, and it knows how to disguise itself. I have not been able to find any damage that this virus inflicts. If anyone has any info., please let me know.

Thanks,
Laurie

------------------------------

Date: Wed, 24 May 95 18:53:47 -0400
From: mwilhelm@astro.ocis.temple.edu (Mark Wilhelm)
Subject: Crosslinked files (PC)

In my work environment, I've recently noticed the frequency with which the machines I maintain have problems with crosslinked files. The problem sometimes gets so bad that Norton Utilities can't unscramble the files. I've run F-Prot 2.17, but no virus shows up. Is this problem necessarily indicative of a virus? If not, can somebody tell me what causes this problem?

Thanks.

------------------------------

Date: Thu, 25 May 95 02:45:46 -0400
From: fec@aa.net (Fred Carpenter)
Subject: Re: Is Natas stealth? (PC)

A.Appleyard (A.APPLEYARD@fs2.mt.umist.ac.uk) wrote:
: I have just had a battle with Natas.
: Sometimes it was in the boot sector in the double form: NATAS and NATAS+exr (or similar), which SCAN can't remove. When I booted from C:, VET found nothing. When I booted from a floppy, VET found viruses as usual. Why is this?
: Please when will SCAN be able to remove the abovementioned double type of boot-NATAS? I have now found it several times here.

Probably never. SCAN is actually somewhat a joke. You should be using F-PROT, AVP or TBAV. If I remember correctly, NATAS specifically messes with the McAfee SCAN program. I believe it was even someone from McAfee that spread it all over in Mexico.

- --
Fred Carpenter | Definition of Golf: You take a piece of paper,
-------------- | you wad it up, you throw it against the wall. Repeat.
fec@aa.net     | -- J. F. Parnell

------------------------------

Date: Thu, 25 May 95 04:25:34 -0400
From: netz@actcom.co.il (Zvi Netiv)
Subject: Handling mbr infectors and 32 bit access (PC)

On Sat, 13 May 95 bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote to stukenbr@Info.UCLA.EDU:

> Subject: Re: HELP! Need tbav625.zip (Dos) !!! (PC)

>> I caught a Stoned.Empire.Monkey virus and it screwed up my partition
>> table, I can't access the harddisk anymore.
>> BTW: I know that there is a way to remove bootviruses with fdisk /mbr,
>> I tried that already and actually that's the way I really made my disk
>> inaccessible -

> Well, now you have learned on your own experience that the FDISK/MBR
> method does *NOT* universally work for all viruses of this type and
> that improper usage of it can make your hard disk inaccessible.
> That is why, before running FDISK/MBR, _*ALWAYS*_ try to access the
> hard disk first (e.g., "DIR C:"). If you cannot access it (e.g.,
> "Invalid drive"), _*DON'T*_ run FDISK/MBR, or you'll need a data
> recovery expert.

Generally correct, but not always. There are now quite a lot of 32 bit fast access IDE controllers on the market.
Monkey's stealth, as well as that of other stealth boot and mbr viruses, does not work with these controllers. As odd as this may seem, this is bad news. The same happens while shelling to DOS from a Windows or OS/2 session with 32 bit access ON. In all these cases, the mbr is overwritten by FDISK/MBR _even when the virus is active_. Active virus stealth usually prevents such a possibility. It's ironic that in Monkey's case, the virus "protects" you from such a mistake.

The following scenarios would all have led to loss of access to the hard drive, while the "DIR C:" command would show that you had access, as Mr. Bontchev suggests: You use a 32 bit access controller and you booted from an infected floppy; or, you use a 32 bit controller and you ran fdisk/mbr from the DOS command line while booted from an infected hd; or, you have a common IDE controller and you attempt fdisk/mbr after shelling to DOS from a 32 bit environment.

Unfortunately the situation is getting more complex with the introduction of the 32 bit operating systems, and from my experience with supporting users on CompuServe and elsewhere, the occurrence of such incidents is increasing rapidly. Therefore, the advice given here by Mr. Bontchev may not be good.

> Fortunately, there is an easy solution for your particular problem.
> Get the program
> ftp://mcafee.com/pub/antivirus/killmnk3.zip
> It should be able to fix the problem, provided that you have not done
> any further mess-ups after the one described above.

I wouldn't bother to get a program that handles just a single virus, especially since it wouldn't solve your problem. Suppose you "further messed up", which it is very likely that you did; then what? Don't you deserve the best possible help?

I haven't written the introduction above just to leave you in suspense; there is a solution, even if you completely messed things up (except for reformatting the hd). The introduction has to do with Mr.
Bontchev's advice, that leans at times more on grudges and dislikes than on rational judgement. That's why you won't see the following on his recommendations list.

What may help you is ResQdisk, available from one of the sites below. It constitutes a complete toolkit for disaster recovery, especially from boot and mbr viruses of all kinds, not only from Monkey. ResQdisk lets you assess the exact nature of the damage, assess your options, reconstruct a damaged or missing boot/mbr sector and even restore the correct parameters of your hard drive's setup in the CMOS, in case they were wiped out and you have no idea what they were. ResQdisk is a generic solution to boot-mbr infections, and is safer, especially for critical machines such as NT servers, large capacity IDE drives etc., since it lets you actually SEE what you are doing, and make your OWN informed decisions.

Now to work! Start ResQdisk after booting from a clean DOS floppy. Get familiarized with the edit functions (^E), analyze sector (^A) and the special reconstruct functions (press "/" to see them). Analyze the mbr (^A) and see if it contains sensible data (the first partition should usually start at sector 1,0,1). I suppose that you will see garbage, since you fdisk'ed it. Go to sector 0,0,3 with the Down key; you should see gibberish, as it is your original mbr, but encrypted. Decrypt it by ^E and selecting "Decrypt". You should now see readable messages such as "Invalid partition table". This is good and normal. Now analyze (^A) the content of the decrypted sector; if it makes sense then drop it into sector 0,0,1 (press Home, ^E and then "Write"). Now reboot and all is well.

There is a possibility that sector 3 contains BAD partition data. This could happen if you first fdisk'ed an infected mbr, then attempted booting from a floppy that was infected with Monkey.
Sector 3 then contains the original decrypted partition data, but it's useless since Monkey reads it as if it was encrypted while booting. In such case, just press ^F1 (force a new mbr, calculated from the boot sector and from the setup data) and follow the instructions. Chances are that the hard drive will boot now, clean.

Get yourself a copy of InVircible, install it, make its rescue diskette as in the instructions and enjoy safe computing. And last, Monkey is contracted from an infected floppy. Process all your floppies with FIXBOOT; it's in the InVircible package. It will remove ALL boot infectors, not only Monkey, without changing the floppies' content.

Regards, Zvi

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible        NetZ Computing Ltd, Israel
Fax +972 3 532 5325                 email: netz@actcom.co.il
netz@InVircible.com                 CompuServe 'GO InVircible'
Author's: ftp.datasrv.co.il/pub/usr/netz/
Anonymous ftp: InVircible.com
- -------------------------------------------------------------------------

------------------------------

Date: Thu, 25 May 95 06:38:46 +0000
From: Oba@alamo.net (Oscar Ayala)
Subject: TBAV635 & Big Caibua (PC)

Dear all,

Does anyone know whether the recently released TBAV 6.35 is able to detect the new "Big Caibua" virus? The virus info of the shareware version does not list Big Caibua or Caibua, but does list a "Bua" virus. Is this "Bua" the same virus detected in a DOS screen saver which is a COM file infector?

Thank you!

Oscar Ayala
oba@alamo.net
. "I can help!" ... J. Kevorkian, M.D.

___ Blue Wave/QWK v2.12

------------------------------

Date: Thu, 25 May 95 06:24:35 -0400
From: Fredrik Boström
Subject: Anti-virus programs running under Windows95 (PC)

Hi everybody.

I've just read something in a computer magazine here in Sweden. I quote:

"Windows 95 can not handle anti-virus programs written for Windows 3.1. This is stated by Microsoft.
The cause is said to be that the DOS filesystem has been changed in Windows 95; the result of this is that the anti-virus program is looking for the wrong kind of call. (Anti-virus programs look for any calls made to irq21.)"

Question: Is this true? Are all my antivirus programs rendered useless because of the fact that I'm utilizing Windows 95? Are there no anti-virus programs that work under Windows 95?

If there is anyone out there that has any clue or info. on this matter I would appreciate an answer.

Thanks in advance.

------------------------------

Date: Thu, 25 May 95 07:27:10 -0400
From: "Joao Carlos R. Carreira Bento"
Subject: Re: 386spart.par (PC)

You can cool down my friend (at least about the 386spart.par file). That's not a virus at all. The big file you mentioned is created by the Windows program. It is used as virtual memory, and you should NEVER delete that file using the DOS commands or Windows File Manager.

You can "control" the 386spart.par file size using Windows itself. "Open" the Windows Control Panel and run the 386 Enhanced section, then choose the Virtual Memory option and you will see the actual size of that file (among other things) and you have the opportunity to change it. You can even choose the type of the 386spart.par file. You have three options:

1) Temporary - The file is created whenever you enter Windows and deleted whenever you exit Windows. This will slow down a bit the time that Windows takes to run.

2) Permanent - The file is permanent (eh! eh! eh!) and will "stay" on your hard disk even when you exit Windows. This is the best option for Windows performance.

3) None - Obvious. This is the worst option for Windows performance. It is only recommendable if you have a "Huge" amount of memory.

About the problems you are having with your computer I can't help you, but as you can see it has nothing to do with the 386spart.par file.
**************************************************************************
* Joao Carlos Rino Carreira Bento                                        *
* Instituto Superior Tecnico                                             *
* Universidade Tecnica de Lisboa / Technical University of Lisbon        *
**************************************************************************
* jbento@lemac18.lemac.ist.utl.pt                                        *
* l34537@alfa.ist.utl.pt                                                 *
**************************************************************************
==========================================================================
The indonesians are killing innocent people in East Timor
==========================================================================

------------------------------

Date: Thu, 25 May 95 07:41:17 -0400
From: richardb@intecolor.com
Subject: Still no USEFUL response about Flame virus. (PC)

I had asked earlier for information on the FLAME virus. I used F-Prot V2.17 to find it, but not remove it. I have been inundated with 1) anecdotes concerning virii attacks, 2) multi-page generic "HOW TO" documents, 3) suggestions that I live with the problem, 4) other less polite responses.

I realize that I'm opening it all up again - but I really was hoping that someone with real information could tell me about this virus and a method for removal (I do not consider formatting one of these methods). I thank everyone for their help, but please answer only if you have valid info.

Thanks for your assistance. BTW this is a WIN95 (current build, not the old PE) environment.

P.S. When I left three addresses, I expected that people would choose one. I've learned from that mistake.

Richard Bodor
Intecolor Corporation
richardb@intecolor.com

A blessed leap into eternity
   o o
  >` ))))><

------------------------------

Date: Thu, 25 May 95 07:57:39 -0400
From: Peter Scherrer
Subject: Re: Re. Dr. Solomon's Anti-Virus Toolkit (PC)

> superb recognition even on polymorphic viruses.

Yes, that's true.

> But I think it has a truly awful user interface, and it sure isn't
> winning any speed records.
In these two aspects I don't agree at all. I have used Dr. Solomon's Toolkit for years and it is the fastest scanner I know of. What did you compare against?

> To make the interface issue worse, it looks as though they have
> grafted a Windows front-end onto an MS-DOS product, and not done a
> very good job.

That's not true. What product did you look at? The DOS and the Windows versions have one of the best user interfaces. I wonder if you ever saw the product running.

I am not connected to Dr. Solomon in any way, I am just a satisfied customer.

- ----------------------------------------------------------------------
Internet e-mail : scherrer@isburg.ch   | Peter Scherrer
phone : ++41 34 214220                 | Ingenieurschule Burgdorf
fax   : ++41 34 231513                 | Pestalozzistrasse 20
                                       | 3400 Burgdorf, Switzerland
- ---- X400: C=CH; A=arCom; P=SWITCH; O=ISBurg; OU=rz; S=Scherrer ------

------------------------------

Date: Thu, 25 May 95 08:17:53 -0400
From: "The Radio Gnome"
Subject: win 9x and their bush league tactics (PC)

Hi,

The following appeared in the NOVELL LISTSERV...

>Date: Tue, 23 May 1995 08:20:42 EDT
>Reply-To: Novell LAN Interest Group
>Sender: Novell LAN Interest Group
>From: "Mark S. Van Leeuwen"
>Subject: win 9x and their bush league tactics
>To: Multiple recipients of list NOVELL
>
> I have heard from other sources that the beta versions and possibly
>the final release of Windows 95 has a small viral routine that runs in the
>background gathering all directory and program information on your
>workstations/ network / home machine. Then when you connect to the M$ Network
>a background process transfers that info to Microsoft. These sources have
>done sniffer traces to confirm that this occurs. Also M$ itself acknowledges
>this blatant invasion of privacy and calls it the Registration Wizard. This
>not only searches for M$ apps but everything.
>Who is to say that if they see
>something they want that they don't run a background file transfer without you
>knowing it and sell it as if they came up with it.
>
>----------------------------------------------------------------------
>Mark S. Van Leeuwen                     Voice: (617)373-8919
>Microcomputer Technician                Fax: (617)373-5056
>Northeastern University School of Law   E-Mail: markvl@slaw.neu.edu
>400 Huntington Ave.
>Boston, MA 02115-5098
>-----------------------------------------------------------------------

- ---------- END OF INCLUDED TEXT ---------

Another headache for antivirus developers? Now they might have to cope with the OS itself behaving in a 'viral' manner?

Andrew Wing - CNE
Lead Applications Analyst
Temple University Computer Services
"A fool and his net access soon go their separate ways"

------------------------------

Date: Thu, 25 May 95 08:55:53 -0400
From: "grig@bgearn.acad.bg"
Subject: Win95 - just for viruses (PC)

Mark White (e-mail: io92721@maine.maine.edu) wrote: (Volume 8, Issue 55)

>it doesn't work as I can see. Does anyone have any Anti-virus running
>smoothly under WIN95?? If so, would you mind giving me and the other
>Win95'ers get this protection?

Oh, I don't mind giving such programs (AVs) to you or anyone else, but I'm afraid that according to "PC&MAC World Bulgaria" magazine (May 1995), all 16bit anti-virus programs will not work under Win95! Why exactly, I could not understand, and that's why I enclose what they have written:

Article title is "Windows 95 - just for viruses" (the title is not transferred exactly, but in Bulgarian it sounds like "Win95 - lakom zalak za virusite"). Here it is:

PC&MAC World> The 16bit anti-virus software will not work under Win95.
PC&MAC World> The anti-virus programs created for Windows 3.1, won't work
PC&MAC World> under Win95 confirmed Microsoft Corp.
PC&MAC World> The reason is that
PC&MAC World> all existing anti-virus programs check mainly the file
PC&MAC World> system of DOS, system called "Interrupt 21" through which
PC&MAC World> all the new files pass.

It is not quite clear to me (and I suppose to many others) what they mean by "through which all the new files pass". Will anyone try to explain it?

PC&MAC World> As Win95 changes the file system of DOS, the AVs will check
PC&MAC World> interrupt 21 in vain and so will detect no viruses. It is
PC&MAC World> as if you tell your AVs to check all programs passing through
PC&MAC World> the door, while in meantime the viruses enter through
PC&MAC World> the window.......

Please send all notes & comments to me and I will contact "PC&MAC World BG" editors. Thanks in advance.

Regards,
George

Bitnet e-mail: grig@bgearn.bitnet
Internet e-mail: grig@bgearn.acad.bg

------------------------------

Date: Thu, 25 May 95 09:27:34 -0400
From: James Corbett
Subject: Any information on SVC3103 Virus? (PC)

Two days ago, the PC of one of my co-workers lost a bit of data off of her hard drive. Using McAfee's scanner and F-Prot, I discovered the SVC.3103.A virus had infected an executable file. I would like to find out more about the virus as it is possible that we will have to face it again. No matter how many times you warn people, they think they do not need to worry about viruses that strike others.

Thanks!

------------------------------

Date: Thu, 25 May 95 09:44:37 -0400
From: Jason Wareham
Subject: Please help - possible virus!!! (PC)

I have this 92 page document that must be able to print. I have a PC, MS-DOS and all that. But when I go to print, the file is empty, but it says it is like 84 bytes. When I ran it through my prog. Virucide, it said it had a D3 Boot virus. It identified but would not clean. Then I ran it through an older version of PCTools and it wouldn't even identify it. I need to know how to beat this thing!
I thought if I got the new McAfee antivirus it might have it. So, could someone tell me where I could get that, or another option.

- --Jason

p.s. When I run Scandisk it says it has physical bad sectors.
p.p.s. Please E-mail me, don't just post. Address is jrwareha@puc.edu

------------------------------

Date: Thu, 25 May 95 09:46:04 -0400
From: "David M. Chess"
Subject: re: AntiCMOS? LiXi? (PC)

There are two strains of AntiCMOS that seem to be about in the world. They are both master-boot-record infectors that don't save the original master boot record anywhere; they just duplicate the function of the most common standard MBR code within themselves. The only way to remove them is to replace the MBR code with the right code; this is what FDISK /MBR does, but it's somewhat dangerous (always boot clean from floppy and make sure your disks are all visible before using it). IBMAV will do it automatically for you when you ask it to repair an AntiCMOS-infected MBR. If you had some non-standard MBR (a security program, or the MBR that lets you have Boot Manager on the second hard drive, or whatever), you'll have to re-create the MBR however you created it in the first place.

The two strains differ in their damage routines. The more common strain ("AntiCMOS.A" is I think the CARO name) contains a routine that will alter some values in CMOS; depending on your machine model, it can change the number and type of hard disks or diskettes in the system, or otherwise mess things up. Opinions are divided as to whether it ever actually calls this routine! The other strain ("AntiCMOS B" or "AntiCMOS Lixi" or whatever) has a payload that instead hangs the machine with a "siren" sound playing on the speaker; this strain contains the message "I am Li Xibin" (whence "Lixi"). (The message is never printed or otherwise used.)

Hope that's slightly helpful!

- - -- -
/ We have a little garden,              David M.
Chess / A garden of our own,              High Integrity Computing Lab
/ And every day we water there            IBM Watson Research
/ The seeds that we have sown.

------------------------------

Date: Thu, 25 May 95 10:32:14 -0400
From: (SGT THOMAS E DAVIS)
Subject: MS Viral Agent! (PC)

Reference: Article in "Information Week" 5/22/95 p. 88

"STOPPING "SOFTLIFTERS"

Microsoft is testing an anti-software-pirating effort in England called LegalWare. The product consists of disks and a workbook to help companies understand the implications of software piracy and audit their own systems. Another tactic is included in beta versions of Windows 95 -- a small viral routine called Registration Wizard. The software gathers information on every system hooked up to a network, and monitors what software is being run on which machine. It then compiles a list of Microsoft programs and competitors' products by machine, which is reported to the company when customers sign up for Microsoft Network. Customers will have to disable the program if they object to the intelligence-gathering."

Security? We don't need no stinkin' security!!!

*********************************
* Sgt Thomas E Davis            *
* Network Administrator         *
* System Security Manager       *
*********************************
* My opinions are my own and    *
* DO NOT necessarily reflect    *
* those of the U.S. Marines.    *
*********************************

------------------------------

Date: Thu, 25 May 95 10:50:33 -0400
From: peng-chiew low
Subject: Re: Scanners getting slower (benchmarks) (PC)

frisk@complex.is (Fridrik Skulason) wrote:
> for many scanners that probably would be Commander Bomber, as detecting it
> might require the scanner to scan the whole file. For other scanners...well,
> it depends on the technology they use....

Scanners are no longer the way to go.
Personally I would go for preventive TSRs or device drivers.

------------------------------

Date: Thu, 25 May 95 10:58:30 -0400
From: roachl@cc.ims.disa.mil
Subject: MONKEY-A Information Sought (PC)

Does anyone know anything about the MONKEY-A virus? My PC was recently infected with it, and I can't tell that any damage has been done. I know it is a boot sector virus, and that it knows how to disguise itself. What harm does it inflict? I would appreciate any help on this one.

Thanks,
Laurie
RoachL@cc.ims.disa.mil

------------------------------

Date: Thu, 25 May 95 11:19:58 -0400
From: mhill@blue.seas.upenn.edu (Malaney J Hill)
Subject: RE:Am I safe now??? Re: Ripper clean-up (PC)

Malaney J. Hill writes:

>It turns out that we had two of our computers infected: one
>had only the Ripper virus and was rendered un-bootable. (this
>one has an 850 Mb drive which was configured by Disk Manager
>which probably sheds light as to why it was rendered un-bootable),

Yes, it does. A boot sector virus can do this by overwriting the Disk Manager code in the boot sector directly, or by doing so when it relocates the boot sector information higher in track 0 where the driver code also resides. There are utilities to back up track 0 so that you can restore the entire track in a situation like this. The ResQdisk program from the InVircible package can do this easily. Make sure your antivirus software is able to as well, or replace it with one that can. An advantage to using ResQdisk is that you can visually examine the contents of the partition, boot sector, and track 0 prior to and after repairing them. It is freeware to individuals for non-commercial use.

>MY QUESTION:
>I have used McAfee to eliminate the viruses from both systems, or
>so I think. The 850 Mb system was cleaned and then had to be
>reformatted,

The format was not necessary. There are disaster recovery procedures you could have used to recover the drive in minutes. They are described in the online hypertext of InVircible.
Or, you can obtain a paper describing them, by Zvi Netiv (author of
InVircible), on CompuServe (Go INVIRCIBLE) or at my anonymous ftp site:
PYRO.SLIP.AIS.NET/CRYPTO/INVIRCIBLE/IDE.TXT

>I'm still leery, I'm sure that my smaller system has corrupt data
>somewhere, is there a thorough check that I can do to make sure that
>my system is intact?

If you mean the hard drive, then MS-DOS's, CP's, or Norton's disk repair
utilities should tell you the condition of the drives. If you mean, is
there a virus still active on your system, then install InVircible on
it, which will alert you to the presence of virus activity reliably.

If you have several machines without LBA capacity and have 540 MB+
drives installed in them, then it would be very wise to learn about
these procedures. Your experience is becoming increasingly common since
boot sector infections comprise 70% or more of PC virus infections by
most estimates. :-(

Regards,
Robert C. Casas, Ph.D.
CPC Ltd.
Sysop - InVircible Forum on the NCSA, CompuServe.

- --
________________________________________________________________________
Robert C. Casas, Ph.D.                         On CompuServe: GO INVIRCIBLE
CPC Ltd. Computer Security Consultants     V:708-729-3565 F:708-729-3575
casas@netcom.com <> 75162,241@compuserve.com <> rc.casas@ix.netcom.com
INVIRCIBLE BY FTP AT: pyro.slip.ais.net/crypto/invircible/
________________________________________________________________________

------------------------------

Date: Thu, 25 May 95 11:51:26 -0400
From: "Ken Kriesel, Physical Sciences Lab, UW-Madison"
Subject: Re: Microsoft ships virus intentionally? (PC)

Kevin Marks wrote:
> The implications of this action, and the attitude of Microsoft to plan
> such action, beggars the imagination.

I think most of Microsoft is smarter than that.
Forward any real proof to the Justice dept.

Ken

------------------------------

Date: Thu, 25 May 95 13:15:50 -0400
From: martinb@mhousing.synapse.net (Brian Martin)
Subject: Where do I find. WWW for Mcafee.
(PC)

Hi All,

If this is a duplicate, ignore. I am still learning how to use my new
provider. Could someone e-mail me the address or post it here.

TIA
Brian.

------------------------------

Date: Thu, 25 May 95 15:00:18 -0400
From: gmann@haven.ios.com (Glen Mann)
Subject: Re: Cleaning of ANTIEXE virus (PC)

George (GRIG@BGEARN.BITNET) (GRIG%BGEARN.BITNET@CUNYVM.CUNY.EDU) wrote:
: bpb@stimpy.us.itd.umich.edu (Bruce Burrell) wrote: (from Vol. 8, Issue 55)
: > Charles Shuman (cshuman@ix.netcom.com) wrote:
: >> We have a disk that is infected with the antiexe virus. The only virus
: >> removal program that will remove this is F-Prot Ver 16+ we are using
: >> ver 17 and still no luck. (information from vsum latest version)

(etcetera..., now for some complicated stuff...)

: > 1) On an uninfected machine, make a copy of the infected diskette
: > after first write-protecting it. Use the command DISKCOPY A: A:
: > (or, if the disk goes in the B: drive, DISKCOPY B: B:)
: > 2) Put a formatted, uninfected diskette of the same size and density
: > as the damaged diskette in the A: drive (or B: drive)
: > 3) At the C:\> prompt, type DEBUG   You'll be at a very terse "-" prompt.
: > 4) Type L 100 0 0 1 (or, if the B: drive is used, L 100 1 0 1). This

(ouch.)

I found the ANTIEXE virus on a set of install floppies, and used McAfee
to /clean it off. The software, however, uses "generic procedure #2" I
think, the result being a floppy with no FAT or something (get General
Failure Reading errors). Norton's Disk Doctor had no problem at all
rebuilding the FAT (if this is what got thrown out...) and I have had no
problems with the disks since. This is easy and painless.

Glen
gmann@haven.ios.com

------------------------------

Date: Thu, 25 May 95 15:00:15 -0400
From: Gloria Contratto
Subject: Greencat Virus (PC)

This is my first time posting to a list, so excuse me if I unknowingly
make a mistake. Has anyone heard of the Greencat virus? We just got hit
with it.
So far we lost the command.com on one machine and are having problems
with the machine we originally discovered it with. We have replaced the
command.com file on the one machine and it seems to be OK. Are there
after-shocks to worry about? Any information would be helpful.

Thanks in advance.
gcontr@windy.state.wy.us

------------------------------

Date: Thu, 25 May 95 16:07:17 -0400
From: xmasbrad@aol.com (XmasBrad)
Subject: IBM Anti-Virus or McAfee? (PC)

I am in the midst of deciding which anti-virus product to purchase for
a 600 user professional corporation. We are currently using F-Prot 2.17
(shareware), but need to use another TSR and Windows anti-virus product.
I've ruled out F-Prot Professional due to price and the fact that I
already have FRISK's virus signatures in the shareware product. (I
intend to keep using F-Prot in addition to the new Windows product).

I have heard many good things about McAfee and like their Windows
product. But I have heard nothing about IBM Anti-Virus. Does anyone
have any experience with IBM Anti-Virus? Any and all input is welcome.

TIA
Bradley_Christmas@SPPT.COM

------------------------------

Date: Thu, 25 May 95 17:01:06 -0400
From: phooper@pcug.org.au (Paul Hooper)
Subject: InVircible - Availability in Australia? (PC)

Are there any suppliers of InVircible in Australia?

Paul Hooper

------------------------------

Date: Thu, 25 May 95 18:18:21 -0400
From: Fritz Muehlhausen
Subject: Need help on removing Stoned virus (PC)

Hello, all. This is my first time on this newsgroup, because it is the
first time I have ever had a virus. I got the shareware version of
F-Prot, and it said it detected the Stoned virus resident in memory. I
have verified this by noticing a 1K decrease in conventional memory,
hard drives (2, IDE) inaccessible from floppy boot, and 32-bit disk
access for Windows 3.1 not loading. What is the most recommended
solution? I do not have a copy of my MBR that I have made. Any
suggestions will be greatly appreciated!
Thanks a lot!!

------------------------------

Date: Thu, 25 May 95 18:37:51 -0400
From: Iolo Davidson
Subject: Letters falling to bottom of screen virus (PC)

srozhon@ix.netcom.com "Sandra Rozhon" writes:

> Can someone tell me what virus causes words to disassemble and
> the letters to randomly fall to the bottom of the screen?

The *original* virus to do this was called Cascade. There are many
viruses that imitate the effect, though, which illustrates the fact
that you cannot identify viruses by their effects or payloads.

- --
    LATHER WAS USED
    A 100 YEARS
    BY DANIEL BOONE
    TOO SOON
    HE LIVED
    Burma-Shave

------------------------------

Date: Thu, 25 May 95 18:46:55 -0400
From: Iolo Davidson
Subject: Am I safe now??? Re: Ripper clean-up (PC)

mhill@blue.seas.upenn.edu "Malaney J Hill" writes:

> I'm still leery, I'm sure that my smaller system has corrupt
> data somewhere, is there a thorough check that I can do
> to make sure that my system is intact?

The way Ripper works, you probably do have minor corruption sprinkled
about, and you will never be able to be sure that you have found it
all. That doesn't mean you are still in danger from Ripper, only that
the damage it does is hard to counter.

- --
    LATHER WAS USED
    A 100 YEARS
    BY DANIEL BOONE
    TOO SOON
    HE LIVED
    Burma-Shave

------------------------------

Date: Thu, 25 May 95 18:46:58 -0400
From: Iolo Davidson
Subject: Novell vs DOS virus (PC)

rmalheiro@telepac.com "Rui Malheiro" writes:

> This is actually a Novell question, but... Can file infector virus
> infect read-only files on a Netware server?

A virus running on your workstation has exactly the same access to
server files that you have. If you cannot write to the files (or change
their read-only status) then neither can the virus.

> Are Novell's Flags different from DOS's attributes in this matter?

Any user can change DOS file attributes with the ATTRIB command or a
DOS call. Not all users have the privileges necessary to do this on a
Novell server. Some do, though.
- --
    LATHER WAS USED
    A 100 YEARS
    BY DANIEL BOONE
    TOO SOON
    HE LIVED
    Burma-Shave

------------------------------

Date: Wed, 24 May 95 00:58:21 -0400
From: emd@access2.digex.net (EMD Enterprises)
Subject: EMD Armor Plus comments (PC)

EMD Enterprises (emd@access3.digex.net) wrote:
: Vesselin,
: Your comments on EMD Armor Plus virtually amount to slander. You
: claim to have examined our product. The fact is, prior to your visit to
: our booth at the recent CeBIT show in Hannover, Germany you most likely
: never even saw our product. Your colleagues at the University of
: Hamburg, Prof. Klaus Brunnstein and Sonke Freitag, confirmed this when
: they met me at CeBIT. Since CeBIT was held from March 8-15, and your
: posting in Virus-L is dated March 2, I wonder how you can so
: authoritatively comment on our product without ever having seen it.
: The allegations you have made about our product are quite serious.
: Therefore, for the sake of fairness, I ask you to post to Virus-L and
: comp.virus newsgroups clear and specific answers to the following
: questions.
: (a) Have you actually tested or, for that matter, even seen our
: product before March 2 when you made these comments? Since ours is a
: hardware product, we track where our units are going. According to our
: records, and to the best of the knowledge of our European distributors
: no units have been sent to you or to the Virus Test Center at the
: University of Hamburg. Can you indeed confirm that you have seen our
: product before March 2, and from what source you got the product?
: (b) If you did indeed have a unit, what tests did you run on it?
: You claim that our product "is not much different than any of the other
: hardware behaviour blockers on the market. .... In fact, it is rather
: worse than some of them." What is the basis of these comments? Have
: you run tests comparing EMD Armor Plus to other products that also
: claim to provide run time protection?
: We do feel that our product
: provides superior protection at run time. The overwhelming response we
: got at CeBIT confirms our belief. If you think otherwise, would you
: care to disclose the results of your tests?

Vesselin, I find that you have not replied to these specific questions,
although you have found plenty of time to trash our product elsewhere in
this newsgroup. In this very thread you yourself have mentioned earlier
that you first saw EMD Armor Plus at CeBIT in Hannover. So, we now must
conclude that you did not see the product before CeBIT although you
claimed you did. I will give you the benefit of doubt and not make any
assumptions regarding your motives. However, if nothing else I think
that this is a telling comment on your lack of thoroughness, and the
general unreliability of the comments you make so forcefully and ever so
frequently.

Enrico DePaolis
EMD Enterprises
** Developers of EMD Armor Plus, the generic solution to computer viruses **
606 Baltimore Ave, Suite 205, Towson, MD 21204, U.S.A.
Phone: (410) 583-1575 ext. 3020
Email: emd@access.digex.net
24 hour fax-back: (410) 583-1575 ext 4, select document 1015 for EMD Armor Plus

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 60]
*****************************************
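Added example, not part of the digest or of any product it mentions: the track 0 backup advice in Robert Casas's Ripper reply and the "I do not have a copy of my MBR" problem in the Stoned post both come down to keeping a known-good copy of the master boot record and comparing the live one against it. This Python script assumes a constructed 512-byte sample MBR (not a real disk image); it checks the 0x55AA signature, parses the partition table, and reports whether the boot code or partition entries differ from the saved baseline.

```python
"""Defender-side MBR integrity check (added example, constructed test data)."""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
SIGNATURE_OFFSET = 510         # last two bytes must be 0x55 0xAA
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for the demo; this is made-up data, not a disk dump."""
    if len(boot_code) > PARTITION_TABLE_OFFSET:
        raise ValueError("boot code would overrun the partition table")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    # One bootable primary FAT16 partition (type 0x06) starting at LBA 63.
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x7f", 63, 1048576)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries; refuse anything that is not a valid MBR."""
    if len(mbr) != MBR_SIZE or mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FORMAT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot code region only, so a partition edit alone does not change it."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def check_against_baseline(baseline: bytes, current: bytes) -> dict:
    """Compare a live MBR with the saved copy and say which region moved."""
    return {
        "boot_code_changed": boot_code_digest(baseline) != boot_code_digest(current),
        "partition_table_changed": parse_partitions(baseline) != parse_partitions(current),
    }
```

In practice the baseline would be the sector saved to a floppy while the machine was known clean, and the "current" bytes read from the live disk with whatever raw-sector tool the platform provides.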