VIRUS-L Digest   Monday, 3 Jul 1995   Volume 8 : Issue 61

Today's Topics:

VIRUS-L/comp.virus down time
Re: Viruses in binaries? Maybe.
Re: virus demos
Dr Solomon's on the internet
English computer misuse laws
Re: Viruses and tape backups
Re: Mischief virus, please help. (PC or what?)
Definition of "SNAFU"
Virus from commercial software?
Re: Viruses in binaries? Maybe.
Request for help on Virus Demo
virus from email?
Re: Virus from commercial software?
Re: Need resident OS/2 virus watch facility (OS/2)
Re: Need resident OS/2 virus watch facility (OS/2)
Re: Detecting viruses (PC)
Re: Win95 and Anti-virus programs? (PC)
Question - How do I run virstop (F-PROT) on diskless WS? (PC)
Flip & Michelangelo (PC)
Re: NAV 3.0 - FORM Killing me!!! (PC)
Re: Help me, telephonica virus? (PC)
Access Control and Virus protection (PC)
Re: Boot sector viruses (PC)
Is this an EXE virus? (PC)
Need help on removing the Stoned(?) virus, (PC)
5Lo Boot Virus? (PC)
Re: Novell vs DOS virus (PC)
Re: RE: AntiCMOS? LiXi? (PC)
Tai-Pan Virus (PC)
Novell, Cascade (PC)
Monkey Virus (PC)
Re: Boot sector viruses (PC)
Re: False positive (I think...) Would like assurance (PC)
Re: Help me, telephonica virus? (PC)
Re: NAV 3.0 - FORM Killing me!!! (PC)
Red-Zar / TorNado? (PC)
Multiple questions - Commercial software/email/tape (PC)
Re: Detecting viruses (PC)
Network Virus (PC)
Re: Microsoft ships virus intentionally? (PC)
Help : hard drive write protected (PC)
Vx-proof EXEs ??? (PC)
Re: Where can I get AVP 2.2 (PC)
Re: Is Natas stealth? (PC)
Re: Letters falling to bottom of screen virus (PC)
Re: NAV 3.0 - FORM Killing me!!! (PC)
Big problem with PS/2 (PC)
Re: Monkey Virus and NetBSD (PC)
Monkey Virus and NetBSD (PC)
WET.B virus payload? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 03 Jul 95 07:42:56 -0400
From: "Kenneth R. van Wyk"
Subject: VIRUS-L/comp.virus down time

Greetings all:

Sorry for the extended down time. The moderator has been away on vacation, and on several business trips. We now return you to your regularly scheduled programming.

Cheers,

Ken van Wyk
VIRUS-L moderator

------------------------------

Date: Thu, 25 May 95 19:29:12 -0400
From: jmccarty@spdmail.spd.dsccc.com (Mike McCarty)
Subject: Re: Viruses in binaries? Maybe.

Ian Douglas wrote:

[nested stuff about using a bug in a file viewer to spread viruses gone]

)For the record I have a B.Sc in Computer Science, work as a computer
)professional, and have been studying viruses for several years.

Is that so.

)It is possible in theory, but the chance of it happening is so small as to
)be totally discounted. If such a bug existed, then the viewer would
)habitually try and execute data, causing a system hang, resulting in the
)user dumping the viewer for something decent.

Is that so. I suggest you study the InterNet worm, which infected and re-infected several thousand computers using the fact that the GNU Mailer used gets() rather than fgets(), and utilized that to overwrite buffers internal to the mailer.

[Moderator's note: The worm actually used a buffer overflow situation in the UNIX finger daemon, not the GNU Mailer.]

)I doubt very much if a viewer will branch to some obscure place, possibly
)to data, as a result of data which it is just decoding. Certainly not a far
)jump.
)
)I know you will insist that in THEORY it may, but let's be realistic, ok?

Oh, I think the InterNet worm actually happening is pretty realistic.

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Fri, 26 May 95 02:52:49 -0400
From: mannig@world-net.sct.fr (Gerard Mannig)
Subject: Re: virus demos

>>I am scheduled to give a lecture/demonstration to several dozen
>>"slightly" PC literate executives, and I would like to find something
>>that visually demonstrates how viruses work.
>
>Sorry, but what you plan to do will give a totally inaccurate impression
>of what viruses look like, and what they do. Why not just tell them the
>truth ?

Agreed, here: there are so *many* things to say about viruses. It only depends on the time you are given to make your demo. In fact, is it nothing but a demo or an abstract of what viruses can do?

>Most viruses do nothing but replicate, and (because of flaws) sometimes make
>certain programs not work any more. A few will trash your disk, or corrupt
>your data.

Agreed, again.

>>This could be done either by
>>harmlessly recreating the effects of a virus (preferably some of the more
>>entertaining ones)
>
>So far I have not seen a single "entertaining" virus.

You may be interested in running AntiVIRAL toolkit PRO (AVP). This package (ranked as 1st by Vesselin BONTCHEV from CARO) comes with more than 300 virus demos (audio and/or visual demos). It is available on ftp.netcom.com /pub/ka/kapeer

Regards,
Gerard

- ---------------------------------------------------------------------------- - -----
Gerard MANNIG   Virus Consultant
Phone/FAX : +33 (16) 3559-9344   EMail : mannig@world-net.sct.fr
Member of R . E . C . I . F   data +33 1 3415-4959 - Voice machine +33 1 3072-9443
- -=-=-=-=-=-= PGP public key available on request -=-=-=-=-=-=-=
Obstacles are those frightful things you see when you take your mind off your goals

------------------------------

Date: Fri, 26 May 95 06:40:35 -0400
From: gcluley@sands.co.uk
Subject: Dr Solomon's on the internet

S&S International, developers of Dr Solomon's Anti-Virus Toolkit and other security products, have connected to the Internet. Users can now access drivers for Dr Solomon's Anti-Virus Toolkit via anonymous ftp and the World Wide Web. The addresses are:

WWW http://www.sands.com
FTP ftp://ftp.sands.com

Regards
Graham

- ---
Graham Cluley                      Email: gcluley@sands.co.uk
Senior Technology Consultant,      CompuServe Tech Support: GO DRSOLOMON
Dr Solomon's Anti-Virus Toolkit    UK Support: support@sands.co.uk
S&S International plc, UK          USA Tel: +1 617 273 7400
UK Tel: +44 (0)1296 318700         USA Support: 100443.3703@compuserve.com

------------------------------

Date: Fri, 26 May 95 08:02:07 -0400
From: DNBA1712G@UNIVERSITY-CENTRAL-ENGLAND.AC.UK
Subject: English computer misuse laws

On Fri, 19 May 95 petteri@pjoy.fi (Petteri Jarvinen) wrote:

> Are there any other countries except England where writing
> viruses is illegal? What is the penalty, if virus writer is
> caught?

Writing viruses is not illegal in England. It is an offence under section 2 of our Computer Misuse Act to prepare to carry out an offence under section 3 which covers unauthorised modification of computer materials. So the prosecution has to prove that the virus writer intends to distribute it, e.g. by preparing for a mass mailing or by leaving it on a shared system such that unauthorised modification would result.
You can also be convicted in England for going equipped to carry out a burglary or for carrying an offensive weapon with the intention of using it, so the idea of an offence in law based on criminal intent is not new.

If a virus escaped through negligence the writer would be liable for civil claims for any damage caused.

Richard Kay
LETS: the key to local money that stays around
ftp://scorpion.cowan.edu.au/pub/mlets/foundn.txt

------------------------------

Date: Fri, 26 May 95 08:57:55 -0400
From: "The Radio Gnome"
Subject: Re: Viruses and tape backups

>From: kaplan@usernomics.com (Dr. Robert Kaplan)
>
>I have two questions that someone may have an answer to?
>1. If you get a virus, does it affect your tape backup or can you just
>format your hard drive and restore from your tape backup?

This depends on the tape backup software. Some will do an image backup of the physical device. So if you have a boot virus, it will be restored from the tape. It also depends on the type of virus. If your EXEs are infected, then they will be backed up and restored in that state. What tape SW are you using?

Andrew Wing - CNE
Lead Applications Analyst
Temple University Computer Services
"A fool and his net access soon go their separate ways"

------------------------------

Date: Fri, 26 May 95 10:47:16 -0400
From: "A.Appleyard"
Subject: Re: Mischief virus, please help. (PC or what?)

Kyle Barrow (etazura@ibm.net) wrote:
> My PC has been infected with Mischief, a desktop virus. The symptoms are
> erratic mouse movements every 10 minutes or so. Does anyone know ...

Vesselin Bontchev replied:-
> Mischief? Desktop? Virus causing erratic mouse movements? There isn't such
> thing for the IBM PC - are you sure that you have used the correct Subject:
> line? I *think* that there is something like this for the Amiga computers,
> but I am not an expert in this area.

As regards confusion re what sort of computer: things are NOT helped by Mac recently producing a new model called `Power PC'!!! OK, it is a Personal Computer! - but to 99% of people `PC' means `IBM-type PC'!!!!!

------------------------------

Date: Fri, 26 May 95 11:24:54 -0400
From: "Tom Zmudzinski"
Subject: Definition of "SNAFU"

Found on VIRUS-L Digest Friday, 26 May 1995 Volume 8 : Issue 59

> Date: Mon, 22 May 95 21:50:22 -0400
> From: marhal@berlin.snafu.de (Herman the German)
> Subject: Re: Stealth Virus (PC)

[MASSIVE SNIP]

> Herman, the German
> marhal@berlin.snafu.de
> (P.S.:to all natural english speakers: does the word SNAFU have or intend
> any meaning, as i found funny reactions on it? i don't know it at all.)
> htg

SNAFU is an acronym (a word formed from the initial letter or letters of each of the successive parts or major parts of a compound term; BTW, there is no word for the inverse function so one usually requests writers to "spell out" or "expand" the first use of an acronym). The polite version of "SNAFU" is "Situation Normal, All Fouled-Up". (I'll leave the other version to those inclined to use four letter words.) This was W.W.II slang that was so descriptive of the human condition in general that it has become part of the language.

Tom Zmudzinski

The preceding information was sent using recycled electrons. Help conserve our irreplaceable Universe by recycling all your subatomic particles, magnetic fields, and mathematical constants. Thank you.

------------------------------

Date: Fri, 26 May 95 16:45:57 -0400
From: Iolo Davidson
Subject: Virus from commercial software?

davidcho@csulb.edu "David Cho" writes:

> Is it possible?

Sure.

> I have never illegally copied software onto the hard
> drive. Everything on my hard drive is from commercial
> software diskettes.

Matters not at all. Why do you think viruses would prefer to infect illegal copies of programs or disks, and how would they be able to tell?

> Is it possible to get a virus from these commercial
> software companies?

Yes, and it has happened.
What also happens is that someone buys software from a shop but later returns it for one reason or another. The shop repackages (re-shrinkwraps it even) and sells it to someone else. If the first purchaser had a virus, the software in this one package may be infected, even though the manufacturer takes great care about viruses and can show that other copies are not infected.

- --
LATHER WAS USED A 100 YEARS BY DANIEL BOONE TOO SOON HE LIVED   Burma-Shave

------------------------------

Date: Fri, 26 May 95 20:53:04 -0400
From: jadestar@netcom.com (JaDe)
Subject: Re: Viruses in binaries? Maybe.

In days of yore (25 May 1995 11:20:05 -0000) Ian Douglas (iandoug@aztec.co.za) bespake:

::is06@stir.ac.uk (I. Stirling) wrote:
::>: Impossible. Data is DATA. Viewers interpret it, not execute it. How
: exactly is
::>: data that is being read going to 'trick' a viewer into doing something it's
::>: not?
::>As below
::>: >Nobody's seen one yet.
::>: I believe this when I see it...
::>: It will only be possible if the viewer was written with that capability in
::>Please do not assume things on subjects you know little about, it is in
::>theory possible to write a virus that takes advantage of a bug in a
::>viewer, causing it to execute the data. This is Very difficult, as
::>first you have to find the bug.

fingerd was not written with the "capability in mind". The attack exploited a limitation in the gets() call (as used by that fingerd) to overflow a stack frame, placing code and a bogus return address on the stack. Thus "data" was executed.

Certainly any given program might have a similar bug in its data validation. Certainly any program accepting user input data and doing insufficient filtering and validation of that data could be vulnerable. Therefore the possibility exists that a data file (image or otherwise) could deliver just about any conceivable payload through a specific viewer, on a specific platform (or a family of viewers that relied on a specific library).

Sure it's unlikely. Sure it would be difficult as all get out. Sure it would spread very slowly and have limited scope. So?

This brings me back to the original hoax and the infamous "Good Times" hoax. We (as users) have to ask what sources of information about virii we will "trust." Some (very proficient hacks) will only trust their first hand analysis of a given piece of data/code. Most of us have to place some degree of trust in others. If an individual allows his or her work to be disrupted by an unfounded, implausible rumor -- then the perpetrator of that rumor has effectively "infected" that person as well as any piece of code would have done. If I call up the tech support lines of my favorite anti-virus software vendor in an attempt to confirm every new virus rumor that I hear about -- then my work has been disrupted. I've been "infected" (in a non-technical and abstract extension of the term). Reaching way out there I'm "infected" if I allow the acquisition and operation of my anti-virus software to disrupt my work.

So, on a practical level, most of us need to: get one or two reputable AV scanners, implement policies and develop habitual, non-intrusive use of them, adopt reasonably safe computing practices, and become reasonably knowledgeable and discriminant about computing in general.

::For the record I have a B.Sc in Computer Science, work as a computer
::professional, and have been studying viruses for several years.

For the record I don't have a BS in anything and have supported and worked with many types of software on many platforms for several years. Since I don't claim any credentials people will have to evaluate what I say on its own merit.

::It is possible in theory, but the chance of it happening is so small as to
::be totally discounted. If such a bug existed, then the viewer would
::habitually try and execute data, causing a system hang, resulting in the
::user dumping the viewer for something decent.
::I doubt very much if a viewer will branch to some obscure place, possibly
::to data, as a result of data which it is just decoding. Certainly not a far
::jump.
::I know you will insist that in THEORY it may, but let's be realistic, ok?

It sounds a bit like: in THEORY one could put new code in the boot record or MBR -- but in practice it would be too difficult to put in anything useful and get it to emulate the normal boot cycle so let's be realistic. [The only thing that makes this sound so absurd is that the vast majority of all confirmed infections have been by MBR and BR virii]

- --
////////////////////////////////////////////////////////////////////////////
JaDeStar        if ( you.can == read (this) ) { you.can.be = a - c[programmer]; }

------------------------------

Date: Sat, 27 May 95 07:07:14 -0400
From: cscally@iol.ie (Chris Scally)
Subject: Request for help on Virus Demo

If you want to show how viruses are spread on the PCs a little program called Virlab will do this for you. It simulates the boot process and then shows how an infected diskette will infect the PC.

------------------------------

Date: Sat, 27 May 95 10:52:44 -0400
From: Iolo Davidson
Subject: virus from email?

zr@pipeline.com "Zach Rosen" writes:

> is it possible to get a virus from email?

Depends. Does anyone mail you executables?

> my computer was recently infected with
> Monkey-A and I don't recall having downloaded anything.

You are more likely to catch this from a floppy disk. It does not have to be a boot disk or have any programs on it.

- --
LATHER WAS USED A 100 YEARS BY DANIEL BOONE TOO SOON HE LIVED   Burma-Shave

------------------------------

Date: Sat, 27 May 95 11:56:58 -0400
From: mesmer@ix.netcom.com (Harrington/Thomas )
Subject: Re: Virus from commercial software?

davidcho@csulb.edu (David Cho) writes:
>Is it possible? I have never illegally copied software onto the hard
>drive. Everything on my hard drive is from commercial
>software diskettes.
>
>Is it possible to get a virus from these commercial software companies?

You bet! Sometimes a package leaves the factory already infected -- rare, but a real possibility. Most often the package has been sold at a local store, then returned. The store repackages it, shrink wraps it and puts it back on the shelf. It happened here in Tampa, FL, USA a couple of years ago when two local companies got infected by the latest version of Lotus 123.

- --
Mesmer
John Harrington, C.Ht.
WWIVNet #1@2732 Tampa, FL

------------------------------

Date: Thu, 25 May 95 22:53:47 -0400
From: jmcging@access.digex.net (John McGing)
Subject: Re: Need resident OS/2 virus watch facility (OS/2)

norman@flowbee.interaccess.com (Jeffrey S. Norman) writes:

>Does anybody make a virus detection program that runs under OS/2 and
>continually monitors the system for virus-like activity???
>Please don't mention CPAV for OS/2 -- that product, believe it or not,
>only loads a memory resident virus detection program in your dos
>sessions. Their tech support is non-existent (literally) and on the
>bboard system their electronic tech support stated that he did not
>even intend to test the program with Warp! (my version of vwatch for
>OS/2 dos sessions does not run under Warp without practically disabling
>my floppy drives in the dos session). If you don't believe me, check
>out their Bbs for a laugh (503) 984-5366. You have to log into
>the "network and os/2" board. That same tech support person also
>stated that he was unaware of a need for a virus detection program for
>OS/2 since no virii exist for the OS yet. Hmmm. Not a very
>comforting thought. I have to wait until someone discovers an OS2
>virus b/f anyone will make a virus detection program????!!!
> Anyway, suggestions about the existence of such a program
>would be greatly appreciated.

Have you considered IBM AntiVirus 2.0 for OS/2 (also for DOS and Windows)? I've used it for years now and find it indispensable.
John

- --
- ------------------------------------------------------------------
jmcging@access.digex.net        Nobody knows the troubles I've seen
JOHN.PF on GEnie   Team OS/2    .... and nobody cares!

------------------------------

Date: Fri, 26 May 95 03:46:38 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Need resident OS/2 virus watch facility (OS/2)

>comforting thought. I have to wait until someone discovers an OS2
>virus b/f anyone will make a virus detection program????!!!

uh...there are already at least two OS/2 viruses...

- -frisk

------------------------------

Date: Fri, 26 May 95 09:25:50 -0400
From: "George (grig@bgearn.acad.bg)"
Subject: Re: Detecting viruses (PC)

weissel@moon.ph-cip.uni-koeln.de (Wolfgang Weisselberg) wrote:

>GRIG@BGEARN.BITNET hit the keys and the net:
>>As I read a lot of questions like 'Hi, have I a virus if .....' and as I
>>......
>>size and the time of creation of an EXE and COM file from your HDD (best
>>if the COM file is COMMAND.COM).

>Now there are viruses that do not infect certain files - most commonly
>the _COMMAND.COM_ and many AV-products (or names that look like

Don't you know that most commonly COMMAND.COM is infected first?

>AV-programs: they might have SC in the name or something like that...).

I haven't told anyone to use an AV as such file.

>Other viruses are quite choosy when it comes to minimum or maximum
>lengths (e.g. tremor only wants exe-files bigger than (ca.) 10kB) or do
>not infect programs with overlays ...

I haven't told that this way one will catch all viruses. In case the EXE is < 10kb, Tremor will not be found.

>>So when you suspect you have a virus, compare the previous and the current
>>file sizes and times (dates) of creation.

>Every self-respecting virus nowadays restores the time - often using DOS.

Do you know exactly what you want from me? From one hand, you say that I have missed a lot of things, and from other hand, you say that it is useless to check the date(time) of creation. I think: the more, the better.

>There are some viruses that do not at all change the length of the files
>- - they hide in empty parts of the header or in the program itself - if
>they cannot find enough, they will probably not infect.

Hm, tell us how to detect such viruses without AV?

>There is at least one virus that packs the program it infects so it might
>even be shorter after infection (works like LZ-exe or diet or com2exe or ...).

or PkLite, but back to the question. May be. I don't want to confuse readers, just as you are trying to.

>Other viruses do infect directories - no file is changed - but you'll see
>every infected file as crosslinked if starting from a clean boot disk ...
>And then there are the plain basic old boot-viruses ...

Of course, it would be very interesting if they disappear.

>>REMEMBER: It is not obligatorily that you do not have a virus if file sizes
>>are unchanged and remember that this way you will not find the STEALTH
>>viruses.

>Try becoming a politician! :) Or say clearly that your method is not
>working for most viruses! :(

Not most, but what do you think the note: "REMEMBER: It is not..." means?

>Why do you not even MENTION clean(!) boot disks?

You know, there must be work for people like you - people knowing too much, commenting other's suggestions, and not trying to help others with anything.

>>If the size is changed, please report and don't forget to add the
>>information about the name, the original and changed file size, the times
>>of creation (if they differ).

>F-Prot, AVP and TBAV will report many more things - like real virus names
>- - and might be well able to remove these beasts. Of course you should
>REALLY use a clean boot disk and should really not _start_ any programs -
>including(!) AV-software - from the hard disk!

To report names and clean the viruses? Wolfgang, you have missed something, we are talking about new viruses!

>>Hope, I've helped

>Not much :-(

Is this only your opinion? Opinion of a professional, I suppose.

As already two comments were sent, on Monday 29 I will post a complete virus detecting method. But I won't answer questions about the document size and I won't be guilty if most of the people don't understand it!

Best wishes,
George

Bitnet E-Mail: grig@bgearn.bitnet       "Who is laughing at the scar,
Internet: grig@bgearn.acad.bg           doesn't know what is wound" - Shakespeare

------------------------------

Date: Thu, 25 May 95 19:13:34 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: Win95 and Anti-virus programs? (PC)

nharvey@dircon.co.uk (Nick Harvey) says:
>io92721@maine.maine.edu says...
>
>>I am running Windows 95, the Preview version(M8). I would like very much
>>to get some virus protection back in my PC. I have seen Carmel's AV, but
>>it doesn't work as I can see. Does anyone have any Anti-virus running
>>smoothly under WIN95?? If so, would you mind giving me and the other
>>Win95'ers get this protection?
>
>I've been using F-Prot 2.17 with Windows 95 Preview and not had any
>problems. It's picked up a couple of disks with Form on for me.

Same here except I just noticed that virstop does nothing when you restart Windows 95. There's no CTL-ALT-DEL key sequence to grab on to. That's not too serious for me since I almost always do DOS DIR commands when I first insert the floppy in the drive and that catches the boot sector viruses.

Joe Lawrence                   | "All opinions are mine, not Rockwell's"
Engineering Support Services   | To do is to be - Nietzsche
Rockwell International         | To be is to do - Sartre
jfl@hobbes.cca.rockwell.com    | Do be do be do - Sinatra

------------------------------

Date: Thu, 25 May 95 19:31:10 -0400
From: Iolo Davidson
Subject: Question - How do I run virstop (F-PROT) on diskless WS? (PC)

ccbb@kudu.ru.ac.za "Bo Bonnevie" writes:

> I want to run virstop (from F-PROT) on diskless workstations, i.e.
> they have no hard disk, but at least an a: drive. The workstations are
> attached to a Novell 3.1x network. These workstations load their boot
> images from the file servers.
>
> The problem I have is this: Once virstop is loaded in memory it expects
> that there is a floppy in the a: drive and so continuously searches the disk
> which is not there. This slows down the login process particularly badly,
> but also causes some other strange problems.

I have seen this problem with a different product. I think the fix was to put

SET COMSPEC=P:\DOS\COMMAND.COM

at the end of the autoexec.bat in the boot image (where P:\DOS is the path to the DOS files on the network). If this doesn't help, at least you can get a laugh out of me doing tech support for Frisk.

- --
LATHER WAS USED A 100 YEARS BY DANIEL BOONE TOO SOON HE LIVED   Burma-Shave

------------------------------

Date: Thu, 25 May 95 19:31:12 -0400
From: Iolo Davidson
Subject: Flip & Michelangelo (PC)

ae515@lafn.org "Victor King" writes:

> I have two separate computers, one infected in both memory and 5% of the
> files with Flip, the other infected with Angelo. Any recommendations on
> the safest way to get rid of these things? The MS-DOS 6.2 scanner
> doesn't even see these viruses. So what does see them?

Both of these have been around a long time and should be recognised by MSoft's notorious scanner (assuming "Angelo" is Michelangelo and not Angel or Angelina). Both Flip and Michelangelo can damage your data (Flip due to an incompatibility with >32Mb hd partitions), so better get an anti-virus that can handle them.

- --
LATHER WAS USED A 100 YEARS BY DANIEL BOONE TOO SOON HE LIVED   Burma-Shave

------------------------------

Date: Thu, 25 May 95 19:36:05 -0400
From: jmccarty@spdmail.spd.dsccc.com (Mike McCarty)
Subject: Re: NAV 3.0 - FORM Killing me!!! (PC)

Owen Gee wrote:

)My system has the FORM virus resident in memory.
)Norton Anti-Virus 3.0 scans and finds the virus every time
)I boot the system and it will not stop. I've tried to bypass
)Norton and cannot for some reason. Norton halts the system before
)I can get to the c:> prompt and do anything.
)
)Cannot boot from drive a: either. What must I do???
)
)Steve in Atlanta

Hello, Steve:

You do not explain why you cannot boot from A:. Symptoms?

I suggest:

Turn off computer.
Turn on computer.
Before boot begins, enter CMOS setup, and make sure that booting from A: is enabled.
Put a known uninfected, write-protected, bootable floppy in A:
Proceed with boot.
Check whether you can access the hard drive normally.
Put a known uninfected, write-protected floppy with a virus scanner in A: and scan your hard drive.

Now you should have more information. Some viruses are pretty good at hiding when they are active, but show up when not in memory.

If you need more help, you may contact me via e-mail, or ask the others on the net (most at least are pretty helpful). I will be on vacation all next week, however.

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 25 May 95 19:40:09 -0400
From: jmccarty@spdmail.spd.dsccc.com (Mike McCarty)
Subject: Re: Help me, telephonica virus? (PC)

Adam J Kightley wrote:

)Gloona@info.swan.ac.uk believes:
)> hard drive.On scanning the computer it said there was Telephonica Virus
)> present and to boot up from clean floppy. but "Scan" showed there was
)> nothing present on the disk. I found the person in charge
)> of these computers and showed him the information, thinking he might
)> want to be told. He's now taken all my disks and banned me from all
)> computers in the Engineering section.
)> He claimed I had infected his
)> computers with a Virus...but he has failed to check them with a more
)
) *sigh*
)
) With people like this in charge, viruses have an easy time.
)
) Now every user in the Engineering section will know that if one finds
)a virus, one must under no circumstances tell anyone in authority about
)it, because telling authority will result in disk confiscation and usage
)bars. Nobody will report viruses, or even tell other users if they
)detect one, because that results in a lot of trouble. The virus spreads
)and is only detected when it reaches a manager's machine.
)
) In my job, whenever a user comes to me with an infection, I ensure they
)are treated especially well. I disinfect, check their data, explain how

Would that everyone were as enlightened as you. I commend you.

I have a friend who I am going to help tonight. I am pretty sure he is
infected with a virus. He bought a computer from a friend. Said friend
set him up with a bunch of software etc. installed. Pretty nice guy.
Now my friend is having some troubles which -really- sound like a virus
infection. I suggested to him that he tell his friend. His friend
scanned, and found that -he- definitely -is- infected (dunno with what).
Now he won't talk to my friend. But this guy is probably the one who
infected my friend. GO FIGURE! He's responsible (most likely) but blames
the guy he infected!

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Thu, 25 May 95 19:59:49 -0400
From: msafe@primenet.com (Abe Oren)
Subject: Access Control and Virus protection (PC)

NEW DOS UTILITY: M & T TECHNOLOGIES' MICROSAFE ACCESS CONTROL
=============================================================

Submitted by: Abe Oren (msafe@primenet.com)
Source: Fred Mobbs, CEO, M & T Technologies, Inc.
Date received: 1995 May 10
Date posted: 1995 May 25
- -------------------------------------------------------------------------------

NEWS RELEASE

Contact: Fred Mobbs, 602-994-5131
M & T Technologies, Inc.

MicroSAFE Announces Power-On Access Control Security System for
DOS/WINDOWS and version for OS/2 (2.1) and WARP.

Scottsdale, AZ. -- M & T Technologies, Inc. has announced that it is
shipping its Access Control information security system. The new system
is called MicroSAFE Access Control. It provides access protection to
information stored on the hard disk of both PCs and Laptops in stand
alone mode or LAN workstations.

According to Fred Mobbs, M & T Technologies' chairman and CEO, "The
explosive growth of PC in the marketplace has led to the increased use
of PC's & LANs, portables and home based computers. This has created an
opportunity for M & T Technologies to provide our state-of-the-art
access control in this growing market."

The MicroSAFE(tm) Access Control was referred to as "a hard-to beat
program that sits on your hard drive and locks it up tighter than Fort
Knox" in the April '95 issue of Mobile Office magazine. The same article
stated, "an Access Control-protected hard drive is as safe as modern
technology can make it."

Security From the Moment Power is Turned On
- -------------------------------------------

MicroSAFE's unique Access Control technology secures the hard drive the
moment the computer is turned on. Only after entering the appropriate
security password will the operating system be loaded and access to the
information permitted. This federally copyrighted methodology protects
data in this vulnerable period during the booting sequence.

Consumes No Program Application Memory
- --------------------------------------

MicroSAFE's Access Control uses no device drivers or TSRs. Therefore, a
potential hacker can not merely change or remove the device drivers or
TSRs to thwart the security. These features also protect against various
tools used to access information stored on hard disks. An additional
benefit is that once the system is installed it becomes completely
transparent to the user and does not take any memory away from program
applications. This makes the system virtually impossible for a hacker to
identify. And, they can't defeat what they can't find.

Prevents Hard Drive Access When Booted From Drive A
- ---------------------------------------------------

Another common way to compromise protected data on a hard drive is to
boot from the A drive. MicroSAFE Access Control protects information on
the hard drive even if booted from the A drive. A user can still boot
from the A drive and use the computer. However, there is no access to
information on the hard drive without the password. This level of
protection is particularly important in instances where the entire PC or
laptop is stolen. Even if a hard drive is transplanted, information
stored on it remains inaccessible.

The system's password control feature provides users the ability to
select individual passwords and the length of time a password is valid.
This protects against another common threat - hackers setting the
computer's clock forward to standard intervals at which most passwords
are to be reset.

Provides Boot sector virus Protection
- -------------------------------------

As the protection blocks any access to the Hard Disk while booting from
the drive A, NO BOOT-SECTOR virus such as Stoned virus, Michelangelo,
etc... can infect the Hard Disk boot record. The ONLY way a BOOT-SECTOR
virus can infect the hard Disk boot sector is by booting it from an
infected diskette.

Pricing
- -------

The system will retail for $39.95 and volume discounts are available.
For additional information or to place an order contact Fred Mobbs at
602-994-5131.

M & T Technologies, Inc.
is a Scottsdale, Arizona-based company which develops and markets the
MicroSAFE family of information protection software products. MicroSAFE
products provide computer users with a wide variety of highly secure and
technically advanced information security options, including: early
warning virus protection; access control for PCs and laptops; data
encryption; screen blanking with password protection; and more.

Other MicroSAFE products include: MicroSAFE Laptop, MicroSAFE Basic,
MicroSAFE Extended, MicroSAFE Private Screen(tm), MicroSAFE +E (for the
education market), KidSAFE(tm), MicroSAFE Anti-Virus "System Integrity
Check" and the SecureDisk(tm) Information protection for any disk media
(Floppy, Hard Disk, Removable, PCMCIA etc...

END OF FILE

msafe@primenet.com
- -------------------
Abe E. Oren
VP Engineering
M & T Technologies, Inc.
Tel. Office: (602) 994 5131
FAX:         (602) 994 1336
BBS:         (602) 994 1797

------------------------------

Date: Thu, 25 May 95 20:40:29 -0400
From: cccenlib@ccnet.com (Central Library)
Subject: Re: Boot sector viruses (PC)

Charles Chew T.C. (tcchew@merlion.singnet.com.sg) wrote:
: Hi there,
:   I heard that all boot-sector viruses can be cleared by typing "fdisk /mbr"
: at the dos prompt. Is it true?

Not exactly...

First, you need to be running DOS vsn 5.0 or later (to have that FDISK
switch available at all).

Second, the command WILL clear the *code* portion of the HD MBR, and
replace it with legit MBR booting code, but will do nothing to the
*partition table* portion of the sector; if the beastie in question has
moved the p-table somewhere else (to be reconstructed by the viral code
during bootup), or encrypted it, or done some other form of tampering
with it (and some boot virii, like Monkey, do such meddling), the
command will leave you without a DOS-recognizable hard drive.

Third, flattening a virus in the MBR does nothing to wipe out an
infection that may still be live in memory (and if you booted clean from
a floppy, one of the p-table tamperers may have left your HD
unrecognizable); powering down (immediately) after clearing a boot virus
from your HD is a standard precaution.

Fourth, some boot infectors (Form comes to mind) go for the HD *boot*
sector, rather than the *MBR* sector, and the FDISK stunt won't do
anything about *that* location.

If you must try FDISK without a clue as to whether it's appropriate for
the infection at hand (and after reading this, I hope you'll learn more
about the subject instead...), at least back up the MBR track so you can
rewrite the contents (Yes, if it was infected when you backed it up, it
will still be infected when you write it back down; by the same token,
if you backed it up when it was clean, you can write it back down
clean... in some cases, this is a quick&dirty way to clean out an MBR
virus -- but still power down afterwards), if FDISK sends your HD into
limbo.

One little package for reading/writing trk 0 can be found in
COLUMBUS.ZIP, available by ftp from oak.oakland.edu/SimTel/msdos/virus
and other fine purveyors of shareware.

Cheers,
Inconnu
- --
***********************************************************************
*** This is a public access account provided by the Central branch  ***
*** of the Contra Costa County Library.  Literally anyone can be    ***
*** using it to send this message.  Their views are their own, and  ***
*** do not reflect those of the Contra Costa County Library.        ***
***********************************************************************

------------------------------

Date: Fri, 26 May 95 01:12:28 +0000
From: mikel@crash.cts.com (Mike Lemons)
Subject: Is this an EXE virus? (PC)

The FoxPro Development System creates something called a "Compact EXE"
that you can run from the DOS command line. It's not really an EXE file
but it has enough smarts to find the FoxPro runtime modules and transfer
control to them and then execute like interpreted code.

One of the programs that I built today, called VFILE.EXE, produced an
error, "Invalid FoxPro runtime format" when I tried to execute it from
the command line. The file actually grows larger the first time I try
to run it. It is bad from then on. I rebuilt and executed over and over
trying to figure out what I was doing wrong. I rebooted my computer and
it quit doing it. I can run VFILE over and over again with no problem.

I'm thinking that some virus changed the file, but since the file format
is different from a true EXE, the invasion failed. I've run a virus scan
on my disk, but it reported nothing.

I did a binary compare on the two files. Some words in the EXE header
were changed. A lot was changed at offset 2970. Does this look like a
deliberate attack or just a bug in FoxPro?

VFILE    EXE    51,286 05-25-95   4:05p
BAD      EXE    51,952 05-25-95   4:03p

vfile.exe <-> bad.exe:
00000000: 4D 5A 5A 01 15 00 06 00 - 04 00 A2 00 FF FF B3 02  MZZ.............
00000000: 4D 5A F0 00 66 00 06 00 - 04 00 A2 00 FF FF 00 00  MZ..f...........
                ^^ ^^ ^^                              ^^ ^^
00000010: 00 08 00 00 48 10 00 00 - 20 00 00 00 00 00 00 00  ....H... .......
00000010: FF FF 00 00 16 C8 00 00 - 20 00 00 00 00 00 00 00  ........ .......
          ^^ ^^       ^^ ^^
00002970: 3C 0F 02 A3 30 2D 3A 8F - 67 31 22 E3 E8 75 82 D6  <...0-:.g1"..u..
00002970: 04 3F C0 F1 12 23 04 DF - 35 C0 D9 B0 0A AB 8C A5  .?...#..5.......
          ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^   ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
00002980: A9 FE 3D 9A 8D 71 46 B2 - 04 35 E0 4B 82 5C 6D 2F  ..=..qF..5.K.\m/
00002980: EA A7 35 94 16 90 87 1F - 05 B9 60 AA 1C 65 60 4E  ..5.......`..e`N
          ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^   ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
00002990: 09 83 A7 5B B0 5E EB A5 - 1B 31 2B DF 18 66 82 E4  ...[.^...1+..f..
00002990: 0B E4 03 2B 72 BC 31 FB - 79 93 63 F4 99 D4 C4 C2  ...+r.1.y.c.....
          ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^   ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
000029A0: 2E E0 8E 00 55 3B 37 6C - 43 D0 93 91 53 6A F9 48  ....U;7lC...Sj.H
000029A0: 27 01 42 23 D4 48 94 67 - 54 69 6C 72 42 A0 39 67  '.B#.H.gTilrB.9g
          ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^   ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
000029B0: 97 4A AB 03 E8 FA 1A 31 - D8 CB 2B F3 13 DC 23 D3  .J.....1..+...#.
000029B0: 09 EA EA E0 46 D9 28 52 - 5E 75 FB 37 B1 FE 79 34  ....F.(R^u.7..y4
          ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^   ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
etc., etc.

- --
Mike Lemons        | "In 20th-century Old Earth, a fast food chain
mikel@crash.cts.com| took dead cow meat, fried it in grease, added
                   | carcinogens, wrapped it in petroleum-based foam,
                   | and sold 900,000,000,000 units. Human Beings.
                   | Go figure."   Dan Simmons - Hyperion

------------------------------

Date: Thu, 25 May 95 22:05:45 -0400
From: Fritz Muehlhausen
Subject: Need help on removing the Stoned(?) virus, (PC)

Hello, all!

This is the first time I've been on this newsgroup, because it is the
first time I have ever had a virus! I am pretty sure I have one of the
versions of the stoned virus, and am asking for removal advice.

The symptoms I've noted include: A total conventional memory loss
(according to MEM) from 639k (usual) to 638k. Also, the 32-bit disk
access driver for windows will not load, it reports: unrecognized disk
software installed.

I read about the monkey virus a few days ago, and decided to boot off a
clean floppy to see if I could get to c:... After doing so, both my IDE
hard drives (C:, D:) could not be recognized.

So, I got the shareware version of f-prot, and ran it from my hard
drives (booted normally, no diskette). It detected the stoned virus in
memory. I ran Microsoft anti-virus, the one that comes with my version
of MS_DOS (6.2), and found no such errors. I cold-booted in between the
checks of the two software packages, and the f-prot still says I have
the stoned virus in memory.

I decided that I probably do have some type of MBR virus.
Unfortunately, I have never made a backup copy of the MBR, because I
don't know how. Since this is my first time ever to deal with a virus, I
decided to write for help.... By the way, I have a 1995 version of the
shareware f-prot, and have 1992 phoenix BIOS, if that is any help.

Any suggestions would be most appreciated!! Please respond!!

Thanks a bunch!
Fritz Muehlhausen

------------------------------

Date: Thu, 25 May 95 22:52:48 -0400
From: tcumming@chat.carleton.ca (Todd Cummings)
Subject: 5Lo Boot Virus? (PC)

Can anyone e-mail me some info about the 5Lo Boot Virus? All that I can
find is info about the 5Lo Virus. What are 5Lo Boot's aliases? What is
its payload? What is a good cleaner for it?

Thanks,
- ----------------------------------------------------------------------
Todd Cummings                          tcumming@chat.carleton.ca
Ottawa, Ontario                        al918@freenet.carleton.ca
CANADA

------------------------------

Date: Thu, 25 May 95 23:51:37 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: Novell vs DOS virus (PC)

rmalheiro@telepac.com (Rui Malheiro) writes:
>Date: 24 May 1995 18:01:21 -0000
>This is actually a Novell question, but... Can file infector virus infect read-
>only files on a Netware server?

Yes.

>Are Novell's Flags different from DOS's attributes in this matter?

No. However, _if_ you set your _trustee permissions_ so that users don't
have write access to programs, or program directories, on the server,
_then_ a virus can't infect, unless the supervisor lets it in, of course.

------------------------------

Date: Fri, 26 May 95 00:00:09 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: RE: AntiCMOS? LiXi? (PC)

hendk@explorer.sasknet.sk.ca (keith hendren) writes:
>Date: 25 May 1995 11:20:22 -0000
>didn't happen here). I did however notice that the time stamps on some of
>my DOS
>files were incremented by 5-7 hours (eg. 6.22am became 1.22pm). Though I
>did
>replace the files which I noticed were affected, I am left concerned that I
>may not
>have yet reversed all the effects of the virus(es?).

I'm not sure what changed your time stamps, but you can be confident that
it wasn't either version of AntiCmos.

------------------------------

Date: Fri, 26 May 95 00:11:36 -0400
From: jzinger@hookup.net (John Zinger)
Subject: Tai-Pan Virus (PC)

I just encountered the Tai-Pan Virus on my PC. I found it with F-Prot
but there was no information on this virus. It reported a companion
virus called Maaike.250. Can anyone help me with details on this virus?

------------------------------

Date: Fri, 26 May 95 04:32:47 -0400
From: David Hanson
Subject: Novell, Cascade (PC)

>From: rmalheiro@telepac.com (Rui Malheiro)
>This is actually a Novell question, but... Can file infector virus infect read-
>only files on a Netware server? Are Novell's Flags different from DOS's
>attributes in this matter?

Novell's (I assume you are talking about NetWare) flags are different
from DOS's flags. Unless a virus were specifically written to somehow
bypass NetWare's security, it would be unable to write to a NW-flagged
Ro file. The best way to protect your network is to only give the
necessary rights to the necessary files to get the job done. And -never-
log in as supervisor/admin unless you are *sure* that you are working
from a clean workstation. And don't use supervisor/admin any more than
is absolutely necessary. Use a normal user account unless you really
need supervisor access, then only use supervisor for as long as it is
necessary then switch back to normal user.

>From: srozhon@ix.netcom.com (Sandra Rozhon)
>Can someone tell me what virus causes words to disassemble and the
>letters to randomly fall to the bottom of the screen?

CASCADE has been known to do that...

Dave Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
afrc-mis@email.augsburg.army.mil

------------------------------

Date: Fri, 26 May 95 05:25:39 -0400
From: en048@cleveland.Freenet.Edu (Bill Burkhart)
Subject: Monkey Virus (PC)

Hi,

I have a friend whose hard drive was trashed. At Best Buy, they told him
his system had been infected by the "Monkey Virus". I checked a few
manuals, but couldn't find anything on this virus. Is there such a thing
as a "Monkey Virus" and if so, what does it do to a 486 hard drive?

I don't have good access to this USENET BBS, and would appreciate any
help that you could give me by e-mailing me direct at:
en048@cleveland.freenet.edu

Thanks a lot,
Bill Burkhart

------------------------------

Date: Fri, 26 May 95 05:35:11 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Boot sector viruses (PC)

tcchew@merlion.singnet.com.sg (Charles Chew T.C.) writes:
>Hi there,
>  I heard that all boot-sector viruses can be cleared by typing "fdisk /mbr"
>at the dos prompt. Is it true?

No.

1) you have to boot from a clean disk first - otherwise the virus might
   re-infect right away.
2) some boot sector viruses infect the DOS boot sector, not the MBR
3) with some viruses (like monkey) and some hardware, this will remove
   the virus all right, but has the side-effect of making the machine
   unbootable.

- -frisk

------------------------------

Date: Fri, 26 May 95 05:38:06 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: False positive (I think...) Would like assurance (PC)

goetz@dip.eecs.umich.edu (Peter Goetz) writes:
>without scanning the disk. It said there were traces of TYPO BOOT
>found in memory.

false alarm.

>said it found traces of Diamond-RS. I did scan /boot twice in a row and
>got two different virus names.

false alarm again

> I then got F-Prot 2.17 and the 4/13/95 McAfee version.
>Neither of
>them complained at all even when I used them to scan ALL files, in neither
>the Secure Scan nor in Heuristics modes of F-Prot (I scanned with F-Prot
>before I had the new McAfee version). I tried V.2.1.210 again, and it
>gave me a _different_ virus name.

false alarm again.

> THEN I tried the _NEW_ McAfee scanner, and it the system halted:
> ON BOARD PARITY ERROR
> ADDR(HEX) = (4000:580E)
> SYSTEM HALTED

probably a hardware conflict

>1. F-Prot - "possibly a variant of November_17th" found in CLEAN.DAT of
> the new McAfee version

a false alarm - they should have fixed this one by now.

> I figure that there is no real virus.

right.

- -frisk

------------------------------

Date: Fri, 26 May 95 05:42:50 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Help me, telephonica virus? (PC)

Gloona@info.swan.ac.uk believes:
> hard drive.On scanning the computer it said there was Telephonica Virus
> present and to boot up from clean floppy. but "Scan" showed there was
> nothing present on the disk. I found the person in charge
> of these computers and showed him the information, thinking he might
> want to be told. He's now taken all my disks and banned me from all
> computers in the Engineering section. He claimed I had infected his
> computers with a Virus...but he has failed to check them with a more

Assuming that there is indeed no virus there, well...you have a VERY
INCOMPETENT person in charge of the situation there.

Reports of Telefonica in memory (and nothing on the disk) have in the
past usually been caused by somebody running the Central-Point
anti-virus programs and then some other AV software (CPAV just isn't
compatible with anything else).

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Fri, 26 May 95 05:43:49 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: NAV 3.0 - FORM Killing me!!! (PC)

steve@vp-14.eushc.org (Owen Gee) writes:
>Cannot boot from drive a: either. What must I do???

change the CMOS setting so that you can boot from A:, do so, then clean
the virus.

- -frisk

------------------------------

Date: Fri, 26 May 95 12:54:59 +0200
From: "Eydbj. Augustinussen"
Subject: Red-Zar / TorNado? (PC)

Has anyone come across a virus with this string? I have seen it for some
time now, but none of my scanners recognize it as a virus.

Symptoms:
- body includes the text "[ Red-Zar / TorNado ]"
- infects .COM files, including COMMAND.COM
- size grows by 461 bytes
- if I infect a fresh copy of a file twice, the two versions will be
  different

I had a similar experience some time ago, same size, but:
- with no plain text in the body.
- TBAV 6.32 flagged it as a possible virus - heuristic flags: cFS#EDU
- F-PROT 2.17 identified it as "New or modified variant of VCL"

Finally, the new version infects files, that are infected with the old
version.

Scanners:
TBAV 6.32
TBAV 6.34
F-PROT 2.17
McAfee Scan v. 2.20
Microsoft AV (DOS 6.20)

Eydbj. Augustinussen
Kollegiebakken 9, 2801
DK-2800 Lyngby
Denmark
d93206@rix02.lyngbyes.dk

------------------------------

Date: Fri, 26 May 95 08:50:36 -0400
From: David Hanson
Subject: Multiple questions - Commercial software/email/tape (PC)

>From: davidcho@csulb.edu (David Cho)
>Is it possible to get a virus from these commercial software companies?

It most certainly is. The two times we had virus incidents, the source
was found to be software we purchased. In addition, some computer stores
will take a return of software, re-shrink wrap it and sell it again.
Nowhere to run, nowhere to hide...

>From: zr@pipeline.com (Zach Rosen)
>is it possible to get a virus from email? my computer was recently
>infected with Monkey-A and I don't recall having downloaded anything.
>just email through internet

While I won't say it is impossible, it is -highly- improbable, assuming
that all you have done is email, and haven't decoded and executed any
files. I think that MONKEY is a boot sector virus, so it would have come
to you via a diskette or a dropper program. Remember, you have to
somehow -execute- a virus to get infected, which means that you have to
somehow execute its host. Leaving a diskette in your drive and rebooting
can infect you with a boot sector infector, even if you get the message
"Non-bootable disk or disk error, remove and press any key to continue".
In other words, accidentally trying to boot from an infected,
non-bootable, diskette can infect you. Setting your BIOS (setup program)
to boot only from the hard drive will go a long way in protecting you
from boot sector virus.

>From: kaplan@usernomics.com (Dr. Robert Kaplan)
>1. If you get a virus, does it affect your tape backup or can you just
>format your hard drive and restore from your tape backup?

It depends if the virus you get infects boot sectors or files. In the
case of a boot sector virus, you can clean the virus off of the drive
and then reload from tape. Notice that I -didn't- say format, I said
-clean-. In most boot sector cases, formatting the drive accomplishes
nothing in the way of virus removal.

In the case of a file infector, it depends on how soon you detected the
virus and whether or not you have backed up any infected files. Tape
will not protect you from a file infecting virus, and it will happily
back up infected files as easily as uninfected ones. Do this enough
times when you are infected and soon you will not have any more clean
backups to restore from. That is why it is important to detect file
infectors as early as possible.

>2. Does anyone know how to get updates for Thunderbyte, F-Prot, &
>McAfee? (any opinions on these?)

I have no experience with Thunderbyte. I refuse to use McAfee because of
its inability to perform exact identification (ever hear of the
GENB/GENP virus?). That leaves FPROT which is up near the top of the
heap, updates available at just about any public archive. You may also
want to look at AVP - I haven't used it, but I hear good things about
it.

>Thanks a lot,

You are all quite welcome.

Dave Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
afrc-mis@email.augsburg.army.mil

------------------------------

Date: Fri, 26 May 95 09:27:50 -0400
From: "George (grig@bgearn.acad.bg)"
Subject: Re: Detecting viruses (PC)

swidlake@rl.ac.uk (S Widlake) wrote:
>From: "George (GRIG@BGEARN.BITNET)"
>>.....
>>So when you suspect you have a virus, compare the previous and the current
>>file sizes and times (dates) of creation.
>If you're going to use a late warning method such as this why not automate
>the process by using something like:
>DIR C:\DOS\*.* > \DOS-TEST.TXT

I was about to congratulate you, but after some meditation I found a
little error - adding a new file to the directory will cause a false
alarm.

>You could do a similar thing with "MEM /C > \MEM-TEST.TXT" to check your
>memory.

The same thing here. If one has installed a new TSR, another false alarm
will occur.

>You could write a .BAT file or four to automatically check these
>things and add them to - or call them from - your autoexec.

There is already a program to do these things for you. You can obtain a
copy of it from any SimTel mirror site in the /msdos/virus directory,
filename CM8105C.ZIP or if a new version is uploaded, CM8105D.ZIP or
smth like that.

Best wishes,
George

Bitnet E-mail: grig@bgearn.bitnet     If people who know, don't teach those
Internet:      grig@bgearn.acad.bg    who don't, soon no one will know anything!
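The baseline-and-compare idea George and S Widlake discuss above, as an added example in Python (not George's program, not CM8105C.ZIP, and not code from any poster). It stores size, date and a SHA-256 hash per file, reports new files as "added" rather than as the false alarm a DIR-listing diff produces, and because it hashes content it still catches an overwrite that keeps the old size and timestamp, which a size/date comparison alone cannot see. The function names, the temporary directory and the file names in the demo are constructed for this example.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record size, mtime and SHA-256 for every regular file under root.
    Keys are paths relative to root, so the baseline can be stored elsewhere
    (ideally on write-protected media, not on the disk being checked)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": file_digest(full),
            }
    return baseline


def compare(old, new):
    """Classify differences between two snapshots.

    A file present only in the new snapshot is 'added', not a modification:
    that is the false alarm a plain DIR-listing diff gives when a new file is
    copied into the directory. 'stealthy' lists modified files whose size and
    timestamp are unchanged, i.e. changes only the hash can reveal.
    """
    report = {"added": [], "removed": [], "modified": [], "stealthy": []}
    for path in sorted(new):
        if path not in old:
            report["added"].append(path)
        elif new[path]["sha256"] != old[path]["sha256"]:
            report["modified"].append(path)
            same_size = new[path]["size"] == old[path]["size"]
            same_time = new[path]["mtime"] == old[path]["mtime"]
            if same_size and same_time:
                report["stealthy"].append(path)
    for path in sorted(old):
        if path not in new:
            report["removed"].append(path)
    return report


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario (not real data): two files are baselined, then one
    is overwritten with content of the same length and its timestamp is put
    back, and a third file is added."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "PROG.COM")
        with open(prog, "wb") as f:
            f.write(b"A" * 100)
        with open(os.path.join(root, "UTIL.EXE"), "wb") as f:
            f.write(b"B" * 100)
        base = snapshot(root)

        st = os.stat(prog)
        with open(prog, "r+b") as f:                  # same-size overwrite
            f.write(b"X" * 100)
        os.utime(prog, (st.st_atime, st.st_mtime))    # restore the timestamp
        with open(os.path.join(root, "NEW.COM"), "wb") as f:
            f.write(b"C")

        return compare(base, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats follow from the rest of this digest: a checker like this only reports what the operating system shows it, so it has to run after booting from a clean diskette (a stealth virus resident in memory, as described in the Natas thread below, can hand it the clean image of an infected file), and the baseline file belongs on write-protected media, since anything that can rewrite the programs can rewrite a baseline stored beside them.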
------------------------------

Date: Fri, 26 May 95 10:39:03 -0400
From: proton@prairienet.org (Clint Sulis)
Subject: Network Virus (PC)

Does anyone out there know of a Virus that has the ability to transmit
itself across a LAN such as Lantastic or Netware? Please reply via
email.

Thanks a lot!
- --
- - - - - - - - - - - - - - - -=> P R O T O N <=- - - - - - - - - - - - -

------------------------------

Date: Fri, 26 May 95 10:53:00 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: Microsoft ships virus intentionally? (PC)

Kevin Marks says:
>This showed up in comp.risks.
>Anyone got any more information?
>
>Date: Wed, 17 May 95 13:44:40 EDT
>From: cnorloff@tecnet1.jcte.jcs.mil
>Subject: Microsoft plans corporate espionage
>
> Microsoft officials confirm that beta versions of Windows 95 include a
> small viral routine called Registration Wizard. It interrogates every
> system on a network gathering intelligence on what software is being run
> on which machine. It then creates a complete listing of both
>Microsoft's
> and competitors' products by machine, which it reports to Microsoft when
> customers sign up for Microsoft's Network Services, due for launch later
> this year.
>
>"In Short" column, page 88, _Information Week_ magazine, May 22, 1995
>
>The implications of this action, and the attitude of Microsoft to plan
>such action, beggars the imagination.
>
>Chris Norloff cnorloff@tecnet1.jcte.jcs.mil
>

Try reading the rebuttal in the next comp.risks which is a bit more
factual. While Microsoft included a registration wizard in the Windows
95 pre-release, it certainly isn't a virus. Nor does it scan the network
as the article claimed. It does gather information on your PC which it
displays and then asks if you want to include this information in the
dial-up registration. You can say no. Even better in my opinion, you can
cancel the registration action completely.

Even if Microsoft's intentions are good, their collection method is
suspect. There is no easy way for you to ensure that they are only
collecting what they say they are. I suspect that enough furor will be
raised that Microsoft will drop the whole idea and go back to the
old-fashioned paper registration where you control the information.

Joe Lawrence                  |"All opinions are mine, not Rockwell's"
Engineering Support Services  | To do is to be - Nietzsche
Rockwell International        | To be is to do - Sartre
jfl@hobbes.cca.rockwell.com   | Do be do be do - Sinatra

------------------------------

Date: Fri, 26 May 95 11:06:58 -0400
From: garcia@mr.insa-tlse.fr (Dorian)
Subject: Help : hard drive write protected (PC)

Help ! My hard drive is protected against write attempts ! When I start
running F-Prot, no virus is found. What can I do ?

Thanks in advance.
Dorian.
E-Mail: garcia@mr.insa-tlse.fr

------------------------------

Date: Fri, 26 May 95 11:09:08 -0400
From: Steven Lorch
Subject: Vx-proof EXEs ??? (PC)

Greetz,

A couple of questions for the resident gurus:

1. I have been considering adding some code to my programs to block
certain memory-resident file infectors. Basically, I want to overwrite
the file on disk with the loaded image in memory. If my thinking isn't
seriously flawed, I believe that many memory-resident beasties infect by
using the clean image and then adding their own code on the way back out
to the disk. By writing out a clean image myself (after any virus
activity) wouldn't I effectively overwrite any infected file? I know
this technique has some problems (oops, reboot in the middle of my
write!) and some limitations (does nothing about direct action
infectors). And yes, I realize an already infected file will not be
cleaned, but it wouldn't be harmed either. I'd appreciate some thoughts
on this technique.

2. There seems to be a lot of VSUM - bashing here. Is that document
really so inaccurate? If so, why? I would think that the close proximity
to McAfee Associates (both in Santa Clara, Calif. USA) would enable the
easy exchange of code samples. Yes, I too laugh at Ms. Hoffman's refusal
to allow heuristic scanning during her certifications. err, welcome to
the real world Patty....

************************************************************
* Steve Lorch                 EG&G, Inc.
* "lorchs@wasc.egginc.com"    New London, Ct. USA
************************************************************

------------------------------

Date: Fri, 26 May 95 11:24:50 -0400
From: kapeer@netcom.com (Keith Peer)
Subject: Re: Where can I get AVP 2.2 (PC)

AVP version 2.2 is not shareware and must be obtained from a distributor
or dealer. Version 2.1 is the latest shareware/evaluation version and
can be obtained from ftp.netcom.com pub/ka/kapeer look for the files
avp21bas.zip and avp21upd.zip.

Keith
- --
=====================================================
| Keith A. Peer                    US Distributor   |
| Central Command Inc.             for AVP & HS     |
| P.O. Box 856                                      |
| Brunswick, Ohio 44212            ---------------------
| 216-273-2820                     | PGP Key Available |
|                                                   |
| e-mail: kapeer@netcom.com        ---------------------
| ftp: ftp.netcom.com pub/ka/kapeer                 |
=====================================================

------------------------------

Date: Fri, 26 May 95 12:57:58 -0400
From: weissel@sun.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: Is Natas stealth? (PC)

"A.Appleyard" (A.APPLEYARD@fs2.mt.umist.ac.uk) wrote:
:->I have just had a battle with Natas. Sometimes it was in the boot sector in
:->the double form: NATAS and NATAS+exr (or similar), which SCAN can't remove.
:->When I booted from C:, VET found nothing. When I booted from a floppy, VET
:->found viruses as usual. Why is this?

Stealth Virus. Always run an AV-Program after booting from a clean
bootdisk - else see above. The virus hides. TBAV and AVP can sometimes
still get a stealth virus, but that's not granted ...

:-> Please when will SCAN be able to remove the abovementioned double type of
:->boot-NATAS? I have now found it several times here.

Use a better program: AVP, F-Prot, TBAV. Especially AVP is known to be
able to remove almost every removable virus it knows. F-Prot will get
most common ones removed. TBAV can SOMETIMES remove unknown viruses too,
but use it only as a secondary method. TBAV can also "immunize" your HD
(a new boot sector), it works ok against many common boot viruses, but
not against all. TBAV can also restore a saved boot sector from a floppy.

- - Wolfgang

------------------------------

Date: Fri, 26 May 95 13:00:07 -0400
From: weissel@sun.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: Letters falling to bottom of screen virus (PC)

Sandra Rozhon (srozhon@ix.netcom.com) wrote:
:->Can someone tell me what virus causes words to disassemble and the
:->letters to randomly fall to the bottom of the screen?

Falling Leaves (a very old virus, started as a joke program around 1989)

- - Wolfgang

------------------------------

Date: Fri, 26 May 95 13:06:01 -0400
From: weissel@sun.ph-cip.uni-koeln.de (Wolfgang Weisselberg)
Subject: Re: NAV 3.0 - FORM Killing me!!! (PC)

Owen Gee (steve@vp-14.eushc.org) wrote:
:->My system has the FORM virus resident in memory.
:->Norton Anti-Virus 3.0 scans and finds the virus every time
:->I boot the system and it will not stop. I've tried to by pass
:->Norton and cannot for some reason. Norton halts the system before
:->I can get to the c:> prompt and do anything.

The right shift key (IF I remember right) will bypass config.sys and
autoexec.bat, and NAV as well.

:->Cannot boot from drive a: either. What must I do???
Set the bios to booting order a: c: instead c: a: - - Wolfgang ------------------------------ Date: Fri, 26 May 95 16:44:42 -0400 From: tsbtal@pipeline.com (Tal Kedem) Subject: Big problem with PS/2 (PC) I have a problem My PS/2 Port (which has my keyboard and mouse plugged in) is troubled and failing, what does this have to do with a virus you ask...2 other computers (my brother's, and his girlfriend's) are also having similar problems, both of thier computers have the keyboard in the PS/2 port and a mouse in the serial port (as opposed to my dual PS/2 port) I have f-prot 217 and mcaffe scan 220, I have detected no viruses, a) where can i get the newest version of f-prot (is there a newer?) b) Is this a virus? Thanks - -- - -The Smiling Bandit ------------------------------ Date: Fri, 26 May 95 16:58:50 -0400 From: bpb@ren.us.itd.umich.edu (Bruce Burrell) Subject: Re: Monkey Virus and NetBSD (PC) David S. Morgan (dsm@iti.org) wrote: > I have an interesting question, and I am not sure if it has been brought up. > We reciently detected the Monkey virus on our networked computers, and > we were wondering if a PC that was running NetBSD could get the monkey > virus? Any computer that a) has a hard drive b) allows writing to the Master Boot Record, and c) allows booting from a floppy drive can be infected by (Master) Boot Sector Infectors. Since Monkey is one, yes, a computer using an OS of NetBSD can get infected. While most boot sector infectors don't do any intentional damage, all bets are off with non-DOS operating systems. Since most partitions nowadays start at Cylinder 0, Head 1, most Master Boot Sector infectors probably won't corrupt the system area. FORM, though, infects the DOS Boot Record instead, and will probably make most non-DOS operating systems *very* unhappy. > And if so, how can one check and cure it? Put a reliable antivirus program on an uninfected DOS system diskette, lock it, and boot from it. 
Use the antivirus program to detect and remove the infection. Syntax will vary from product to product; KILLMONK will prompt you as you go; F-PROT requires invoking it with the /HARD and /DISINF switches.

> E-mail is wonderful, as I do not look here that often.

Done, as well as posting to comp.virus.

-BPB

------------------------------

Date: Fri, 26 May 95 18:14:17 -0400
From: Iolo Davidson
Subject: Monkey Virus and NetBSD (PC)

dsm@iti.org "David S. Morgan" writes:
> We recently detected the Monkey virus on our networked computers,
> and we were wondering if a PC that was running NetBSD
> could get the monkey virus?

Monkey (also called Stoned.Empire.Monkey or Empire.Monkey) infects the partition sector (also called MBR) on a PC hard disk. Viruses that do this do not care about the operating system. They work by subverting the BIOS, before the operating system is even loaded. Yes, a PC running something other than DOS can get infected by this kind of virus.

> And if so, how can one check and cure it?

Boot from a clean DOS floppy disk and run a DOS anti-virus. It probably won't be able to see files, but will be able to check the partition sector. It may be able to clean Monkey, too. DON'T use FDISK /MBR.

- --
LATHER WAS USED A 100 YEARS BY DANIEL BOONE TOO SOON HE LIVED Burma-Shave

------------------------------

Date: Sat, 27 May 95 13:13:01 -0400
From: vse@ac-copy.com (Guido Voerste)
Subject: WET.B virus payload? (PC)

Hello there. Last week I discovered a WET.B virus on a client's hard disk. At least that is what F-PROT 2.17 called it; SCAN220 just said 'unknown MBR virus'; CPAV, as usual, didn't detect it. However, none of those programs could get rid of it, so I had to do it 'by hand'. Further examination showed that the virus lives in both the MBR and the DOS boot sector, so a simple FDISK/MBR yields nothing. FDISK as a whole doesn't work at all because the file system type is altered to something like 0x01 0x04 0x03 ... etc.
I got rid of this little bugger by booting from a clean MS-DOS diskette and then using Norton Utilities' DISKTOOL, option 'Make Disk Bootable', which does obviously write both a new MBR and DOS boot sector. But one question remains: what does this rather unpleasant piece of programming have as a payload? Anyone who knows?

Thank you,
Guido

- --------------------------------------------------------------
voerste edv beratung        email: vse@ac-copy.com
Theaterstr. 22              fax:   (49) 241 404876
52062 Aachen, Germany       voice: (49) 241 404888
- --------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 61]
*****************************************
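The three Monkey/WET.B posts above (Bruce Burrell's, Iolo Davidson's and Guido Voerste's) between them list what a clean-boot inspection of the partition sector comes down to: is the 55AA signature present, do the boot flags and partition type bytes still make sense, does the first partition start at cylinder 0 head 1 as Bruce describes, and does the boot code still match a copy saved while the disk was clean (the "saved bootsector" Wolfgang's TBAV note refers to). The following is an added example, not code from the digest or from any product named in it: a Python parser for a 512-byte MBR image (today obtained with `dd if=/dev/sda bs=512 count=1 of=mbr.bin`), run against two constructed sectors, one clean and one standing in for the garbled table Guido saw. It also models what FDISK /MBR does, which is the reason behind Iolo's warning: the command rewrites the 446 bytes of master boot code and the signature and, in the normal case, leaves the partition-table bytes as it found them, so when the table inside the infected sector is itself unusable (Monkey keeps the real one in the stashed original sector and serves it up only while resident) the disk is just as unreadable after the "repair". The KNOWN_TYPES set, the sample byte patterns and the hash baseline are assumptions made for the example.

```python
# Added example: inspect a 512-byte PC Master Boot Record for the symptoms the
# Monkey and WET.B posts describe.  Sample sectors are constructed; the byte
# patterns below are not real virus code.
import hashlib
import struct

SECTOR = 512
CODE_LEN = 446      # master boot code is bytes 0..445
PT_OFFSET = 446     # four 16-byte partition entries follow
SIG_OFFSET = 510    # 0x55 0xAA boot signature

# Assumption: the partition types a 1995 DOS/NetBSD PC would carry.  Kept
# deliberately small, so "not in the set" means "look at it", not "infected".
KNOWN_TYPES = {0x00, 0x01, 0x04, 0x05, 0x06, 0xA5, 0xA9}


def pack_chs(cyl: int, head: int, sec: int) -> bytes:
    """MBR C/H/S encoding: head; sector (6 bits) plus the top two cylinder
    bits; low 8 cylinder bits."""
    return bytes([head & 0xFF, (sec & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])


def unpack_chs(b: bytes) -> tuple:
    head, sc, cl = b
    return (cl | ((sc & 0xC0) << 2), head, sc & 0x3F)


def make_entry(boot, start, ptype, end, lba, size) -> bytes:
    """Build one 16-byte partition-table entry."""
    return (bytes([boot]) + pack_chs(*start) + bytes([ptype]) + pack_chs(*end)
            + struct.pack("<II", lba, size))


def parse_partition_table(sector: bytes) -> list:
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        lba, size = struct.unpack_from("<II", e, 8)
        entries.append({"boot_flag": e[0], "start_chs": unpack_chs(e[1:4]),
                        "type": e[4], "lba_start": lba, "sectors": size})
    return entries


def check_mbr(sector: bytes, clean_code_sha256: str = None) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        findings.append("boot signature 55AA missing")
    table = parse_partition_table(sector)
    for n, e in enumerate(table):
        if e["boot_flag"] not in (0x00, 0x80):
            findings.append(f"entry {n}: boot flag {e['boot_flag']:#04x} is neither 00 nor 80")
        if e["type"] not in KNOWN_TYPES:
            findings.append(f"entry {n}: partition type {e['type']:#04x} not in the expected set")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {n}: non-empty partition with zero length")
    # Bruce Burrell's point: the first partition normally begins at C0/H1/S1,
    # so the rest of track 0 (where MBR viruses stash the original sector)
    # lies outside every partition.  Anything else deserves a look.
    used = [e for e in table if e["type"] != 0]
    if used and used[0]["start_chs"] != (0, 1, 1):
        findings.append(f"first partition starts at CHS {used[0]['start_chs']}, not (0, 1, 1)")
    if clean_code_sha256 is not None and \
            hashlib.sha256(sector[:CODE_LEN]).hexdigest() != clean_code_sha256:
        findings.append("boot code differs from the saved clean MBR")
    return findings


def fdisk_mbr(sector: bytes, clean_code: bytes) -> bytes:
    """Model of FDISK /MBR: new boot code and signature, partition-table
    bytes left exactly as found on disk."""
    return (clean_code[:CODE_LEN].ljust(CODE_LEN, b"\x00")
            + sector[PT_OFFSET:SIG_OFFSET] + b"\x55\xAA")


# --- constructed samples (assumptions for the example) -----------------------
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (CODE_LEN - 8)
CLEAN_HASH = hashlib.sha256(CLEAN_CODE).hexdigest()   # saved while the disk was clean
CLEAN_MBR = (CLEAN_CODE
             + make_entry(0x80, (0, 1, 1), 0x06, (0x3FF, 63, 63), 63, 2_000_000)
             + b"\x00" * 48 + b"\x55\xAA")
# Stand-in for an infected sector: foreign code, and a first entry whose boot
# flag, type byte, start and length no longer make sense (Guido's "0x01 0x04
# 0x03 ..." symptom); the original table is nowhere in this sector.
INFECTED_MBR = (b"\xEB\x1E\x90" + b"\xCC" * (CODE_LEN - 3)
                + make_entry(0x01, (0, 0, 3), 0xE3, (0, 0, 0), 0, 0)
                + b"\x00" * 48 + b"\x55\xAA")


def demo() -> dict:
    """Findings before and after a simulated FDISK /MBR on the infected sector."""
    return {"clean": check_mbr(CLEAN_MBR, CLEAN_HASH),
            "infected": check_mbr(INFECTED_MBR, CLEAN_HASH),
            "after_fdisk_mbr": check_mbr(fdisk_mbr(INFECTED_MBR, CLEAN_CODE), CLEAN_HASH)}


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {found or 'no findings'}")
```

The clean sector produces no findings; the stand-in infected sector produces five, and after the simulated FDISK /MBR the "boot code differs" finding goes away while the four partition-table findings remain, which is exactly the state Iolo's warning is about. In practice the hash check is only as good as the baseline: save the MBR (and the DOS boot sector, since WET.B and FORM live there) to a write-protected floppy or an offline image while the machine is known clean, and compare against that rather than against anything read from the suspect disk.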
