VIRUS-L Digest   Friday, 15 Sep 1995    Volume 8 : Issue 75

Today's Topics:

New MS Word macro virus - Winword-Nuclear (PC/Mac)
Virus Bulletin Conference in Boston 9/20-22
Re: Computer specific viruses...
Re: Tunnelling viruses
Re: Computer specific viruses...
Re: Virus compatibility
Re: Computer specific viruses...
Re: ATTACK-TROJ (NT?)
Monkey on NT. (NT)
Re: ATTACK-TROJ (NT?)
Worms "eating" screen: A Virus??? (PC)
'CrazyBoot' Virus (PC)
ANTIEXE, FORM1 (PC)
Re: Crosslinked files (PC)
Re: Virus on WORDPERFECT 6.xx for Windows (PC)
Re: AntiExe virus found in memory after power-off clean boot ??? (PC)
Re: "Doom II Death" Virus? (PC)
Re: *** Tequila & Beer Virus *** (PC)
Re: Seeking information on Tai Pan (PC)
Re: Help on "Die hard" (PC)
Re: Newest Ver. of TBAV (PC)
Re: Musicbug.newvar (PC)
Re: antiexe virus (PC)
Re: I am in a quandary about QRRY (ESSEX, QUERY) (PC)
Re: Newbug / Form (PC)
Re: Newbug virus (PC)
Re: Are these virus symptoms? (PC)
Re: Virus that causes writes to A: to be temporary?! (PC)
Re: Trojans (PC)
Possible Boot Sector Virus!! (PC)
Re: Do I have a virus? (PC)
Re: Form Virus in memory (PC)
Re: JUNKIE (PC)
Re: Newbug / Form (PC)
Re: Form Virus in memory (PC)
Re: Microsoft Anti-Virus Updates? (PC)
Virus on "Blank" Diskettes? (PC)
DIR 691 Virus??? (PC)
Re: Tunnelling viruses (PC)
Need help with this Virus!! Help Needed! (PC)
Re: Distrust virus ? (PC)
Problems with F-Prot (PC)
Info Needed on Ripper Virus (PC)
"Stoned Michaelangelo" ??? (PC)
ANTIEXE and FORM1 (PC)
programs that give protection against viruses and trojans (PC)
Re: Form Virus in memory (PC)
Seeking Anti-Virus

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CORSA.UCR.EDU.
Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 14 Sep 95 18:01:23 +0100
From:    Paul Ducklin
Subject: New MS Word macro virus - Winword-Nuclear (PC/Mac)

Another MS Word macro virus has appeared. It is known by a number of
names, including Winword-Nuclear, Wordmacro-Nuclear and
Wordmacro-Alert.

Unfortunately, it was first spotted on the Internet in a publicly
accessible area that has been used in the past for the uncontrolled
distribution of viral code. Ironically (and, presumably, by malicious
design) this new Word virus is attached to a Word document which gives
information about a previous Word virus, Winword-Concept.

OPERATION

Infected files contain a macro which is usually run when the document
is opened. This macro is not particularly noticeable (unlike the
Winword-Concept virus, which alerts you by popping up a dialogue box).

Once actuated, the virus effectively "goes resident" by adding its
infective macros into your Word environment. It also runs a macro
called PayLoad, which wipes out your DOS system files (IO.SYS,
MSDOS.SYS and COMMAND.COM) on the fifth of April.

Now, the viral macros alter the usual behaviour of several Word
functions. Any document saved via the Save As...
menu option will be infected; roughly every twelfth document printed
will have two lines of text added at its end:

   And finally I would like to say:
   STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

Also, next time you start up Word, the virus looks at the clock. If it
is between 17h00 and 17h59 (or, as a comment in the virus suggests,
"5PM - approx time before work is finished"), the virus attempts to
inject a DOS file virus named "Ph33r" into your system.

Lastly, the virus switches off the menu setting "Tools/Options/Prompt
to save NORMAL.DOT" every time you close a file. This means you are
less likely to notice Word saving changes that the virus has made to
your global environment, because the dialog box which warns you that
this is about to happen no longer appears.

DETECTION

An infected Word environment will contain a number of curiously named
macros, which you can check for in the Tools/Macro menu. Some of the
obvious giveaway names to look for on a machine infected with
Winword-Nuclear are: DropSuriv (this is the routine which tries to
inject the DOS virus -- "suriv" is "virus" backwards) and
InsertPayload (this adds the anti-nuclear remarks).

[A more complete version of this document can be snarfed from
http://www.sophos.com, or ftp://ftp.sophos.com/pub/wordnuke.txt
There's detection update info for Sophos' SWEEP users in there, though
you could probably use the info with other a-v products, if you really
insisted on it :-)]

PREVENTION

The Word for Windows manual claims that if you hold down whilst
double-clicking the Word icon in Program Manager, then Word will start
up with file-related "auto-execute" macros disabled. This ought to
inhibit the actuation of WinWord-Nuclear, which relies on this
feature; it didn't work in our test setup. Starting up WinWord with
the command line "WINWORD.EXE /m" is supposed to achieve a similar
effect, but failed similarly. You can also hold down whilst opening a
document to disable any automatic macros in that file, though this too
failed during our trials.

You might wish to use one of Word's auto-execute macros to your
advantage. Under Tools/Macro, create a macro called AutoExec that
looks like this:

   Sub MAIN
      DisableAutoMacros
      MsgBox "AutoMacros off!", "Safety First!", 64
   End Sub

This macro is triggered whenever Word starts (a serious potential
hole!), and serves to disable the feature which WinWord-Nuclear uses
to actuate.

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin                               duck@sophos.com /
/ Sophos Plc + 21 The Quadrant + Abingdon OX14 3YS + England \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Thu, 31 Aug 95 15:12:19 -0400
From:    bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Virus Bulletin Conference in Boston 9/20-22

As you may have gathered from the Subject, the highly-regarded Virus
Bulletin International Conference will be held in the US for the first
time. Ms. Petra Duffield, the conference organizer, has authorized me
to post a summary of the details in these newsgroups; in the interests
of getting the word out as quickly as possible, I haven't given her
the opportunity to proof this. It *is* derived from the fax she sent
me, so I hope it's all ok. I have set the Reply-to to her address so
that you can contact her easily.

I made an electronic version of the registration form; it's included
at the end of this document. I tried to scan the fax she sent me and
use OCR on it in order to make it available via ftp, but the results
were awful. Hence I post a synopsis; I bear responsibility for any
typing errors contained below. If you want more info, contact her to
receive the fax.

I hope some of you who didn't know about this, or didn't have full
details before, will be able to make it. See you there!
-BPB

=========================================================================

What: VB'95 5th Annual Conference and Exhibition -- Tackling the
      Computer Virus Threat

"VB'95 is designed to benefit everyone involved in system security.
The programme comprises three parallel tracks of technical and
non-technical presentations, as well as a table-top exhibition of
security software and hardware solutions. Each of the 36 talks focuses
on a contemporary issue (e.g., Windows NT and 95 vulnerability and
virus distribution on the Internet) and delegates are free to move
between sessions, matching the programme to their professional
interests. Comprehensive notes on all presentations are contained in
the conference proceedings.

"The conference is complemented by a packed social programme, offering
an excellent opportunity for informal discussion of the day's events
with speakers, colleagues, and exhibitors."

Who should attend:
   Data processing managers
   Security managers
   Office automation specialists
   LAN managers
   Security consultants
   IT strategists
   PC support staff

When: September 20-22, 1995.

Schedule: [Forgive me for not typing out full names and titles. -BPB]

Wednesday, September 20
   14:00-18:00  Vendor exhibitions
   16:00-18:00  Intro to Computer Viruses lecture (Dr. Jan Hruska)
   ?? -??       Cocktail Reception

Thursday, September 21
   09:15  Addresses and presentations by Whalley, McAfee,
          Track I:   Gordon, Ducklin, Hitchings, Lambert, Ames,
          Track II:  Lettvin, Bulsara, Mostovoy, Coursen, Radatti, Gordon
          Track III: Veldman, Swimmer, Kaminski, Leitold, Muttik,
                     Aubrey-Jones
   17:30  End of conference sessions
   19:30  Black tie (tuxedo) gala dinner and cabaret

Friday, September 22
   10:00  Track I:   Robinson, TBA, Edwards, Dyer, Caric, White.
          Track II:  Kinney, Grebert, Lamacka, Morar, Ford, Bates
          Track III: Zwienenberg, Coates, Riordan, Skulason, Gryaznov,
                     Stang
   16:30  Speaker's panel session
   17:30  End of conference

[My fax didn't define the tracks, or they were unreadable. I'm not
guessing. :-) -BPB]

Where it is: "The elegant Park Plaza Hotel is situated in the heart of
Boston's Back Bay, adjacent to Boston Common and the Public Gardens"
... Preferential rates may still be available (they were guaranteed
only until 8/23) at rates per night of $124 (single) and $140
(double). Reservations will be confirmed on space and rate
availability. Call 1 (617) 457-2500. Information on alternative
hotels: call the Greater Boston Convention and Visitors Bureau:
1 (617) 536-4100, fax 1 (617) 424-7664.

Social Programme: "Throughout VB'95, you will have every opportunity
to meet the industry experts and speakers at the conference. The
conference social programme features a cocktail party on the evening
of Wednesday 20 September and a spectacular black tie (tuxedo) gala
dinner and cabaret on Thursday 21 September. Both the cocktail party
and the gala dinner are included in the delegate registration fee.
Tickets for accompanying partners can be booked..." See the
registration form for details. Also there is a full day tour for
partners on Thursday; I can barely read the fax, so ask Ms. Duffield
if this interests you.

Registration fee: See electronic form below

Registration includes admission to all conference sessions and
exhibitions, the conference proceedings, lunch and mid-session
refreshments on both days, cocktail reception, and black tie (tuxedo)
gala.

If you are unable to attend: Copies of the proceedings are available
for 50 pounds ($75 US) plus postage and packing. To order, please tick
the box on the registration form.

For more information, contact:
   Petra Duffield
   Virus Bulletin Conference
   21 The Quadrant
   Abingdon OX14 3YS
   England
   Tel   +44 1235 555139
   Fax   +44 1235 531889
   Email pd@virusbtn.com

=============== start of electronic registration form =====================

Name:
Employer:
Title:
email:
Telephone:
Fax:

Please register me for VB '95
   __ Standard registration fee                      595 pounds ($895 US)
   __ _Virus Bulletin_ subscribers' fee              545 pounds ($820 US)
   __ _bona fide_ educational and/or charitable org. 300 pounds ($450 US)
   __ Proceedings (included in registration fee)      50 pounds ($75 US)

   __ I enclose a cheque payable to _Virus Bulletin Ltd._
   __ Please invoice my company quoting P.O. number __ ___________
   __ Please charge my credit card   VISA/MasterCard __   AMEX __

Card No. ____ ____ ____ ____
Card holder _________________________________________________
Billing address _____________________________________________
______________________________________________________________
Signature _________________________________________________________
Expiry date ______

I plan to attend the conference with my partner __

Please book:
   __ place(s) at the conference cocktail reception on Wednesday
      20 September @ 15 pounds ($22.50 US) each
   __ place(s) at the partners' programme tour on Thursday
      21 September @ 45 pounds ($67.50 US) each
   __ place(s) at the gala dinner on Thursday 21 September
      @ 40 pounds ($60 US) each
   __ place(s) at lunch on Thursday 21 September @ 20 pounds ($30 US) each
   __ place(s) at lunch on Friday 22 September @ 20 pounds ($30 US) each

Please indicate any special dietary or access requirements ____________
________________________________________________________________________

I am interested in exhibiting at VB '95 __

Please send me subscription information and a free copy of
_Virus Bulletin_ __

I understand and agree to abide by the terms and conditions set out in
the conference programme.
Signature                          Date
___________________________        _________

================= end of electronic registration form =====================

------------------------------

Date:    Thu, 20 Jul 95 10:38:23 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Computer specific viruses...

Kevin Marcus (datadec@cs.UCR.EDU) writes:

> If my memory serves me right, the Cascade family (or at least the older
> members thereof) have small routines which are only triggered if the code
> is executing on a genuine IBM computer.

Yes, but they don't work. Cascade.1701.A forgets to set properly the
ES register and Cascade.1704.A is looking for a zero after the IBM
string. :-)

> I am wondering if there exist other viruses which specifically target some
> brand of hardware or brand of computer? Which viruses make the list?
> Which machines/hardware does their effect differ on?

Hm. There are many viruses which are CPU-specific (for instance, the
early Uruguay variants work only on machines with a V20 CPU) or
DOS-version specific, but computer brand-specific.... no, I don't
recall any others.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 10:39:39 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Tunnelling viruses

Peter Green (pgreen@continuum.ragroup.co.uk) writes:

> Please can anybody tell me what a "tunnelling virus" is?

A virus which bypasses the memory resident monitoring programs by
finding the addresses of the original interrupt handlers (in DOS or
BIOS) and calling them directly.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Fri, 21 Jul 95 05:55:34 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Computer specific viruses...

datadec@cs.UCR.EDU (Kevin Marcus) writes:

>If my memory serves me right, the Cascade family (or at least the older
>members thereof) have small routines which are only triggered if the code
>is executing on a genuine IBM computer.

eh...it has code which is supposed to do that, or in some cases quite
the opposite, trigger on all machines but IBMs. However, this code is
flawed and in many of the variants it will not work as intended.

- -frisk

------------------------------

Date:    Fri, 21 Jul 95 08:45:46 -0400
From:    fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: Virus compatibility

Robert A. Buchanan (Buchanan@tiac.net) said:

> I have been told that a text file cannot contain a virus while an exe or
> com which are executable programs can.
...

Not correct. Some of the earliest viruses were in text files. See
chapter 2 and 3 of "A Short Course on Computer Viruses"

> From: walkerc@capitalnet.com (Chris Walker)
> Subject: Virii: A simple
> Why is it not possible for a virus to infect various forms of computers?

It is possible, and it has been done - for examples, see chapters 1
and 2 of "A Short Course on Computer Viruses"

> From: Darknight
> Subject: Re: Virus Compatibility
> az092@torfree.net (Vic Boss Paredes Jr.) wrote:
> >Can an IBM virus for instance infect a UNIX or an Apple Machine? Or can a
> >UNIX virus infect the other systems. The same question goes for the Mac...
> >
> Nope. Virii are completely processor dependent

Not right - see Chapters 1 and 2 of "A Short Course on Computer Viruses"

- ---
- -> Read: "A Short Course on Computer Viruses" John Wiley and Sons, 1994
-    ISBN 0-471-00768-4, 250 pages, $34.95
-    For details see "What's New" at URL: http://all.net
- -------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

------------------------------

Date:    Fri, 21 Jul 95 11:08:14 -0400
From:    "David M. Chess"
Subject: Re: Computer specific viruses...

> From: datadec@cs.UCR.EDU (Kevin Marcus)
> If my memory serves me right, the Cascade family (or at least the older
> members thereof) have small routines which are only triggered if the code
> is executing on a genuine IBM computer.

(In fact, although they contain code that appears to be intended to
have that sort of effect, in every member of the family that I've ever
seen, the code has a bug, and the virus can't actually tell an IBM
machine from a non-IBM one. They try to do it by looking at a string
in the BIOS, but the code was either intended not to work, or never
tested, as it contains a reasonably obvious assembler bug.)

- - -- -
David M. Chess                    / On the Net,
High Integrity Computing Lab      / *everyone* can hear you scream...
IBM Watson Research

------------------------------

Date:    Thu, 20 Jul 95 10:43:31 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ATTACK-TROJ (NT?)

Craig Mason (cmas@gwl.com) writes:

> We seem to have found a new virus called "attack troj" on
> one of our NT servers. McAfee did not pick it up. It was
> found by "sweep" -

The name suggests that it is not a virus but a Trojan horse. In fact,
I suspect that it is a false positive - call the producer of your
anti-virus program and ask.

> Has anyone had any experience with NT specific scanners, specifically
> "Sweep for Windows NT?"
> I'm concerned about buying it, the only
> option it seems to have is "-removef" - it only removes files
> that are infected !!

In fact, this is the most reliable way to remove viruses.

> What about the makers of Sweep, Alternative Computer Technologies
> out of Cincinnati OH, USA? Any pluses or minuses?

AFAIK, Sweep is produced by Sophos in the UK. I have never heard of
the company you mentioned but they might be a distributor for Sophos
in the USA. Otherwise, Sophos Sweep is one of the better scanners
around, detection-wise.

> I checked the FAQ and I dont see any specific info on NT viruses.

There aren't any.

> This may actually simply be a DOS virus (a DOS executable was infected)
> living on our server. But to be honest I'd rather be safe.

Or a false positive.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 14:21:48 -0400
From:    "John C. Jansen"
Subject: Monkey on NT. (NT)

Hi all,

We recently had the Monkey virus infect a FAT partition of an NT
workstation. We use NT Advanced Servers as the backbone of our file
servers. Is there a danger of Monkey traveling into the NTAS partition
tables? They are all formatted with NTFS but since Monkey is a
partition virus I don't think that matters.

What anti-virus software is available for NTAS 3.1, 3.5 and 3.51?

All comments greatly appreciated.

John.

------------------------------

Date:    Fri, 21 Jul 95 06:03:47 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: ATTACK-TROJ (NT?)

cmas@gwl.com (Craig Mason) writes:

>We seem to have found a new virus called "attack troj"

It's NOT a virus. As the name indicates, it is a Trojan....whether
this is the real thing or just a false alarm, is impossible to say
without further information.

>>"Sweep for Windows NT?" I'm concerned about buying it, the only
>option it seems to have is "-removef" - it only removes files
>that are infected !! YIKES!

Sweep is not a bad scanner...the DOS version gets a very good
detection rate on my machine...but as you noticed it does not have any
file virus disinfection capability.

>What about the makers of Sweep, Alternative Computer Technologies
>out of Cincinnati OH, USA? Any pluses or minuses?

Uh, they are only a distributor...this is a British product...

>I checked the FAQ and I dont see any specific info on NT viruses.

There are none (yet).

>This may actually simply be a DOS virus (a DOS executable was infected)

You should check if this was a false alarm or not....but at least it
is not a virus, and there was no "infection" as such.

- -frisk

------------------------------

Date:    Thu, 20 Jul 95 06:44:42 -0400
From:    rwlade@gate.net (Bob Lade)
Subject: Worms "eating" screen: A Virus??? (PC)

I was at a client's home the other day and suddenly heard a "chomping"
noise coming from his computer. I looked up at the screen and saw blue
and purple "caterpillar-like" bugs eating the graphics off of the
screen. I'm not kidding! What the heck is going on? Is there a virus
that does this? A screen saver I don't know about? Help will be
appreciated. Please e-mail. TIA

_____________________________________________________________
Bob Lade                        Internet Information Services
rwlade@gate.net                 http://www.supernet.net/~rwlade/

------------------------------

Date:    Thu, 20 Jul 95 07:03:41 -0400
From:    "J.Berg"
Subject: 'CrazyBoot' Virus (PC)

Someone in our work group has a floppy infected with the 'CrazyBoot'
virus. We have, however, been unable to find an infected PC. This is
worrying us somewhat. Can anyone help by e-mailing me technical
information on this virus and/or how to detect/remove it. I would be
most grateful.

Thanks

Jol. Berg
Department of Engineering Materials
University of Sheffield
England.

------------------------------

Date:    Thu, 20 Jul 95 10:20:08 -0400
From:    golddave@haven.ios.com (David S. Goldstein)
Subject: ANTIEXE, FORM1 (PC)

We recently had several computers at my office infected with ANTIEXE
and FORMA. We managed to remove these viruses from all but 1 of our
machines. That machine has FORMA in the MBR and partition. We are
trying to avoid reformatting the hard drive. Is there any other way
to get rid of it?

Also, can somebody explain in simple terms what each of these viruses
do?

Thanks in advance,
Dave
golddave@haven.ios.com

------------------------------

Date:    Thu, 20 Jul 95 10:37:01 -0400
From:    ekupr@soho.ios.com (edwin kuprienko)
Subject: Re: Crosslinked files (PC)

Cross linked files may be caused also by a power surge or
hardware/software incompatibility. I had an old 386 that was cross
linking files using a standard IDE controller. I installed an IDE card
with onboard BIOS and it works perfectly now. In your case turning off
the system when an application is writing to the HD is very likely to
cause problems. Additionally your second FAT partition record may be
damaged in this way. The easiest way to fix it is to use Norton Disk
Doctor - it is the best I know to repair software problems. PC Tools
also has similar utilities. chkdsk /f should fix cross linked files
and the new scandisk is supposedly capable too. However as NDD does a
perfect job I just stick to what works for me.

Cheers,
Edwin

Erich Roider (ewroider@delphi.com) wrote:
:
: I'm a service tech for a medical equipment company and I have
: run into this before. This typically happens when the system
: is powered down in the middle of a program. What happens is
: that files are left open. This can cause problems with hard
: disk space getting used up or when the system is used again the
: hard disk starts to write over the still open (what the hard
: drive sees) files.
:
: The only way I know to fix this problem is to reformat the hard
: disk.
:
: If you have any other way to repair this please let me know.
:
: ewroider

- --
_________________________________________________________
Whatever goes up has to go down.
Whatever goes down, will very likely stay this way.
_________________________________________________________
ekupr@soho.ios.com
_________________________________________________________

------------------------------

Date:    Thu, 20 Jul 95 11:29:32 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus on WORDPERFECT 6.xx for Windows (PC)

Shay Elazar (shay@ankh.iia.org) writes:

> Is there a new virus on WORDPERFECT for WINDOWS ???

No.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 11:21:26 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: AntiExe virus found in memory after power-off clean boot ??? (PC)

Michael Ramey (mramey@u.washington.edu) writes:

> After I do a power-off/on boot from a clean write-protected diskette, and
> run F-Prot 2.18a from another clean w-p diskette, F-Prot says the AntiExe
> virus has been found in memory and I should do a clean boot (which I just
> did).

The only explanation I see is that either the floppy is not clean or
your machine is not booting from it. Probably the former.

> The machine *is* booting from the floppy, judging from the SET
> information (PATH, etc). The BIOS is (I believe) an AMI-BIOS (I forgot
> to write it down), and it contains 2 items which I found curious (from
> memory):
> Locate floppy on boot = DISABLED (name may be garbled)
> Boot Sector Protection = ENABLED (---"---)

At boot time, enter the CMOS configuration program (usually by
pressing Del) and check that it says that there is an A: drive
installed. Some viruses (not AntiEXE however) change this in order to
force the BIOS to boot from the (infected) hard disk.

> the F-Prot description of AntiExe did not describe any damage from this
> virus, we will attempt to clean the computer and all his diskettes then.

It doesn't do any intentional permanent damage.

> Is FDISK/MBR safe for AntiExe?

Yes - if it is indeed AntiEXE.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 11:21:30 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: "Doom II Death" Virus? (PC)

Joseph R.M. Zbiciak (im14u2c@millenium.texas.net) writes:

> It appears to be some sort of vigilante virus that seeks out the illegal
> release of Doom II.

No, it doesn't. These strings in it are not used for anything. It just
replicates; it doesn't seek anything.

> I was unable to find any references to DOOM ][ or DOOM in general in a couple
> different virus databases.

Look also for Tai-Pan.666.

> Is this a for-real virus, and is it well known?

Yes.

> Also, what programs might
> clean this infection?

F-PROT, AVP, and probably several others.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 11:30:57 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: *** Tequila & Beer Virus *** (PC)

Gareth Challis (garethc@unipalm.pipex.com) writes:

> Anyone seen the TEQUILA & BEER virus ? (Sounds like quite a mix !)

Yes; it is called just Tequila and is in the wild.

> I know there is a TEQUILA virus, which affects COM files.

Nope; it infects the MBR and EXE files only.

> If you've seen it or know anything about it, I would appreciate a little
> info !

It's described in our Computer Virus Catalog. Check the FAQ of this
newsgroup for information how to get the CVC.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 10:46:09 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Seeking information on Tai Pan (PC)

BLambdin@aol.com (BLambdin@aol.com) writes:

> There are two variants of Taipan that I am aware of.
>
> Taipan.438 is a resident infector of .EXE files. The infected files grow by
[snip]
> Taipan.666 is a larger variant. It contains the following text. "DOOM2.EXE

There is also a third variant - Tai-Pan.434.

> I don't have any first hand info on Maaike.250. Dr. Solomon's Virus
> Encyclopedia reports "Maaike.250 is a 250 byte non resident,encrypted
> companion infector"

Well, yes, that's about everything one can say about it.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.
Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 12:21:27 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help on "Die hard" (PC)

Wei Fu (weifu@larry.rice.edu) writes:

> Hi, my PCs have recently been infected with a virus called "Die hard".
> I found out by running the shareware version of f-prot, but the software couldn't
> kill the virus itself. I wonder if anyone knows how to get rid of the virus besides
> just simply deleting all the infected files. Thx in advance!

Try AVP:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/progs/avp/avp21.zip

It can remove this virus. The virus is also stealth, so you can remove
it by executing an infected file, copying all executable files to
files with non-executable extensions, deleting the originals, booting
from a clean floppy and renaming the files back.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 10:52:45 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Newest Ver. of TBAV (PC)

Dawgcatcha (dawgcatcha@aol.com) writes:

> Does anyone know where I can find the newest version
> of Thunder Byte Anti-Virus? Thanks.

The latest version usually appears first on

ftp://dutiws.twi.tudelft.nl/pub/msdos/virus/tbav/

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 11:21:22 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Musicbug.newvar (PC)

Tony Jeffery (t-jeffery@adfa.oz.au) writes:

> Anybody out there heard of a virus called "MUSICBUG.NEWVAR" which has infected
> the boot sector and some executables.
> Found with McAfee v2.20 but unable to be cleaned.

The Music_Bug virus is a boot sector infector and does not infect
files. You probably have a false positive.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 11:32:55 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: antiexe virus (PC)

Tim J Bohlmann (tim@unixg.ubc.ca) writes:

> Hi folks, could someone out there tell me about the antiexe virus? Seems

It's described in CARObase. You can get CARObase from

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/carobase.zip

> as though I've been infected - how do I get rid of it? McAfee won't let me
> do anything with it unless it's on the hard drive and it won't let me put
> it on the hard drive unless it's free of viruses.

Get a better anti-virus program, then. For instance, F-PROT can remove
it.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 10:54:07 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: I am in a quandary about QRRY (ESSEX, QUERY) (PC)

Rym MacDonald (TheRymage@SSB.TheLab.com) writes:

> I have recently found QRRY on a network PC at my company. The latest
> release of F-PROT (March 1995) sees it but makes no attempt to remove
> it.

The latest version of F-PROT - 2.18a - can remove it.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Thu, 20 Jul 95 11:35:36 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Newbug / Form (PC)

Elliott, Scot (Scot.Elliott@gtplc.com) writes:

> Does anyone have any info. on Form and Newbug - these keep appearing

Form is described in our Computer Virus Catalog - the FAQ will tell
you how to get it. Newbug is probably AntiEXE - it is described in
CARObase. Check another message of mine in this newsgroup for
information how to get CARObase.

> on people's disks and HDDs around the office. They cannot get onto
> the LAN due to the server's NLM, but it is still quite concerning.

No, the virus can't get to the server not because of the NLM but
because it is a boot sector infector. Pure boot sector viruses (i.e.,
ones that can't infect files as well) cannot spread across a LAN
because the LAN does not provide sector-level access to the server.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.
Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 20 Jul 95 11:21:15 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Newbug virus (PC) John Lasschuit (j.lasschuit@aranea.nl) writes: > we found with Microsfot AV a virus called Newbug in memory of our PC's. The I think that this is how some scanners call the AntiEXE virus, but might be wrong - MSAV is a horribly bad program, crashes every time I try to test it, and uses a weird virus naming convention. I suggest that you use something else that can identify the virus better - like F-PROT or AVP. > effect of the virus was that Windows 3.11 was unable to load the 32bit Disk > Access driver (WDCTRL). Many boot sector viruses cause this effect - it is not specific for this particular virus. > In the virus list however, this virus isn't mentioned. Because it's called > Newbug, and only was found with MS AV, not wih Thunderbyte, I suspect that > this isn't a virus but a in MS Windows 32bit drivers. No, it's in the MBR. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 20 Jul 95 10:51:23 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Are these virus symptoms? (PC) odd (o.) sandbekkhaug (sandbekk@bnr.ca) writes: > 1. I get the error message > ' write protect error on drive a:' > when I pipe anything through the 'more' filter. The disk _is_ write > protected, but why should 'more' try to write to it in the first place? It's not 'more' that writes; it's COMMAND.COM. Each time you use a pipe, the command interpreter creates two temporary files. 
In DOS version 5.0 and above these files are created in the directory listed in the TEMP (or was it TMP?) variable of the environment. Otherwise (i.e., under other DOS versions or if you don't have this variable defined), the files are created in the current drive/directory. You probably have your write-protected floppy in your current drive - this would explain the effect you are observing. Since it is unlikely that you have an old DOS version, the easiest solution to your problem is to define a TEMP variable pointing to some writable place - ideally, a RAM disk. > 2. I've noticed that some items are disappearing from my windows 3.1 program > groups. Either someone's playing a trick on me, or... This is an unrelated problem which is probably caused by some misconfiguration. > Have anyone else seen these symptoms? My virus scan utilities are rather > old, and they came up with nothing. There quite probably isn't a virus. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 20 Jul 95 14:26:26 -0400 From: dmuth@oasis.ot.com (Doug Muth) Subject: Re: Virus that causes writes to A: to be temporary?! (PC) Noam Weinstein writes: : While using a friend's computer yesterday, I discovered : that copying or altering files on the A: 1.44 drive yielded : temporarily perfect results, but after removing the disk : and putting it back in, the contents were fully reverted : to their original condition! 
: I tried this with a number of disks and a number of procedures, : only to find that in each case, any alterations made to the : disk content lasted only so long as the disk was in the drive -- : once it was taken out and replaced, not only the FAT but the : actual content of the files was returned to the previous condition. : (Only is happening with the 1.44 drive, not the 1.2 or the hard drive) : Does anybody have any idea why a disk drive would not be permanently : updating the contents of a disk? Does it sound like something : a virus could do? Hmm..have you tried running of viewing any of these new files that were supposedly copied to the floppy? : I did notice that when putting the disk back in, when I do : a "DIR", it pauses for longer than I'm used to such a drive pausing -- : but it's not just a broken 'DIR' command -- I even took the disk : to another machine and the contents had not been changed. You might want to see if you are using disk caching software and if write caching is turned on. Perhaps the data is not yet written to disk and when you do a DIR, the filenames are read from RAM and not from the disk. Regards, - -- - --\/----------------> Doug Muth <--> dmuth@ot.com <--------------------\ || "Privacy is a basic human right, not a government granted privilege!" | \/-------> Finger dmuth@oasis.ot.com for PGP public key. <-------------/ ------------------------------ Date: Thu, 20 Jul 95 14:26:22 -0400 From: dmuth@oasis.ot.com (Doug Muth) Subject: Re: Trojans (PC) DNA the Mysterious writes: : This person I know is creating a lot of trojans using *.exe and *.com : creators. These files usually utilize the delete, deltree, and format : commands to do damage. Can Scan detect these? I'm rather worried that I : may get it. Thanks. Well, if it is so simple that is actually calls other programs rather than implementing its own code, then you can easily defend yourself by renaming the files. 
Regards, - -- - --\/----------------> Doug Muth <--> dmuth@ot.com <--------------------\ || "Privacy is a basic human right, not a government granted privilege!" | \/-------> Finger dmuth@oasis.ot.com for PGP public key. <-------------/ ------------------------------ Date: Thu, 20 Jul 95 20:35:10 -0400 From: Samuel Twum Subject: Possible Boot Sector Virus!! (PC) I wonder if anyone can help me. I have been having the subject message come up on my system during bootstrap time at least once every two weeks. However anytime I run a virus checker, it does not seem to report any boot sector viruses on the system. I use Mcafee Winscan Ver 2. Is there any checker I can download on the net that might possibly detect this virus - (if I have one!!) Thanks all, Samuel e-mail samuel@twum.demon.co.uk ------------------------------ Date: Thu, 20 Jul 95 20:13:09 -0400 From: jmccarty@spdmail.spd.dsccc.com (Mike McCarty) Subject: Re: Do I have a virus? (PC) wrote: )Recently I ran the Windows Antivirus and almost all my checksum had changed )although the program told me I had no virus in the computer. However, I )noticed a strange directory that I had not noticed before. The name was )GROZZZ and it contained the following files: I suspect that Windows Antivirus is no better than MSAV, which is completely useless. I have been experimenting with viruses for about 3 years, and have copies of Michaelangelo, FormA, and several others on my hard disc. MSAV can find none of them. I suggest you try booting from a known clean, write protected floppy and running F-PROT (wonderful program, THANKS FRIDRIK!) to look for viruses. Be sure to power down to do your reboot, not CTRL-ALT-DEL. 
Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Thu, 20 Jul 95 20:08:26 -0400 From: jmccarty@spdmail.spd.dsccc.com (Mike McCarty) Subject: Re: Form Virus in memory (PC) Katie McCann wrote: )After several strange things started happening to my computer, I just )discovered that I've got the Form Virus in my memory. I've got Norton )Anti-Virus, which ran, said the virus )was in the memory, and said that the computer was halted, and to boot it )from the write-protected Rescue Disk. I'm assuming that's something that Norton's utilities CREATE that diskette for you, on command. But you have to do it BEFORE being infected. )the virus, I noticed that my computer said I had only about 3.7 megs of )RAM rather than 4. Is this damage permanent? ANd how can it be undone? No, there is no "damage" to your memory. )I'm pretty cluless aobut the whole virus thing, so any help will be )greatly appreciated. Thank you, )katie Well, viruses are a little scary to non-technical people when they first encounter them. Form can be cleaned by nearly any anti-virus package these days. Go to a machine which is known to be uninfected. Format a floppy with the /s parameter to make it bootable. Put a reasonable scanner on it. Write protect this floppy. Take the floppy to your infected machine. Put it in the A: drive, and turn the machine off, then on. Allow it to boot from the floppy. Now run your scanner. If it detects FORM, then it should be able to disinfect it also. Need more help? E-mail me and I'll be glad to. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Thu, 20 Jul 95 19:54:16 -0400 From: pitway@cix.compulink.co.uk ("Tim Hetherington") Subject: Re: JUNKIE (PC) > Computer infected with Junkie and/or junkie.boot virus. What > proceedures are required to remove and clean. 
Does not appear to stop > processing (486 dx-66, CDROM) but as Windows is loaded message from > McPhee warns that 32 bit driver can not be loaded. > > ADVISE. > Sorry to here about junkie An up to date virus killer (F-prot in my case) will successfully remove said virus. Get a copy on a KNOWN clean boot floppy disk run the s/ware and it should just clear it out with no problems. Make sure you check *every* floppy disk you have that may have been used in your computer as well to make sure that it is not hanging about or you will be sure to reinfect your PC. Hope this helps Tim.... ------------------------------ Date: Thu, 20 Jul 95 19:54:19 -0400 From: pitway@cix.compulink.co.uk ("Tim Hetherington") Subject: Re: Newbug / Form (PC) > Does anyone have any info. on Form and Newbug - these keep > appearing on people's disks and HDDs around the office. They > cannot get onto the LAN due to the server's NLM, but it is still > quite concerning. I can't speak for newbug as I don't know it but *form* is almost certainly re-infecting the PC's from people using infected Diskettes, they will have to check *every* diskette in the area, It only takes one infected disk and your back to square one!! (I know!!) it pops up regularly an my machines. The problem is getting everyone to declare the disks!! Hope this is of help Cheers Tim.. ------------------------------ Date: Thu, 20 Jul 95 19:54:13 -0400 From: pitway@cix.compulink.co.uk ("Tim Hetherington") Subject: Re: Form Virus in memory (PC) > After several strange things started happening to my computer, I just > discovered that I've got the Form Virus in my memory. I've got Norton > Anti-Virus, which ran, said the virus > was in the memory, and said that the computer was halted, and to boot > it from the write-protected Rescue Disk. I'm assuming that's something > that came with NAV, but I've lost the box, and so I don't have it. So > I'm assuming Ineed to go out and buy another copy. 
BUt what I'm > worried most about is the memory. Becuase prior to discovering that I > had the virus, I noticed that my computer said I had only about 3.7 > megs of RAM rather than 4. Is this damage permanent? ANd how can it > be undone? I'm pretty cluless aobut the whole virus thing, so any help > will be greatly appreciated. Thank you, > katie No special disk. What they are trying to say is , boot up with a *known* clean disk Take a Boot floppy and boot up from that then the virus will not be lodged in memory then run NAV and it will clear it out with no problem at all. Remember to check any Floppy disk that may have been use in your system in recent weeks (preferably all!!) then you should not re-infect yourself Also if you have one about run a virus guard TSR at boot up that should trap an attempt to re-infect. Cheers Tim ------------------------------ Date: Thu, 20 Jul 95 16:25:36 -0400 From: cjspear@ix.netcom.com (Christopher Spear) Subject: Re: Microsoft Anti-Virus Updates? (PC) lilyweb@aol.com(LilyWeb) writes: > >Does anyone know where I can get updates to the Microsoft anti-virus which >is included in the Windows software? I have heard that it is a free >service from Microsoft, but I cannot find it on there homepage. > >Also, are there any other virus programs out there that are inexpensive >yet effective? > I haven't been able to locate MSAV updates on the Microsoft ftp or www sites either. MS DOS documentation states that updates for virus signatures are available from a BBS (503-531-8100). Microsoft says that these signature updates allow you to detect new viruses, but not clean them. If you want a fully enabled update they want you to send them $9.95. I have been able to download virus signature updates from ftp.symantec.com (these appear to be the same files as the BBS--look for DOSAV.EXE and WINAV.EXE). I called Microsoft and they referred me to Central Point Software (MSAV is licensed from CPS). Central Point's number is 1-800-333-0744. 
You can call them for more information. Regards, Chris - -- Christopher J. Spear ==============================================> Truth, Family * Community, Vision ------------------------------ Date: Thu, 20 Jul 95 23:52:34 -0400 From: gholder@emory.edu (Gary Holder) Subject: Virus on "Blank" Diskettes? (PC) In my style of computing, I was never terribly concerned about viruses. However, I spoke to a woman this week who said that a virus had been detected at her office on several out of a box of 25 generic 3.5" preformatted disks. Sorry, I forget which virus she mentioned. Anyway, is this old hat or a new threat? Or, is it more likely that since they didn't start scanning disks in this office until several machines where infected that these "blanks" were infected from another source in this office? Do you conservative folks format all of your blanks yourself? Gary Holder ------------------------------ Date: Fri, 21 Jul 95 03:08:02 -0400 From: jmalanca@csulb.edu (Jeffrey Malanca) Subject: DIR 691 Virus??? (PC) McAfee found remnants of the virus DIR 691 in my computers memory. I scanned a second time and it was gone without me having cleaned it. If anyone has had any experience or problems with this virus please let me know. Thanks Jeff (jmalanca@beach.csulb.edu) ------------------------------ Date: Fri, 21 Jul 95 03:10:31 -0400 From: datadec@cs.UCR.EDU (Kevin Marcus) Subject: Re: Tunnelling viruses (PC) Peter Green wrote: >Please can anybody tell me what a "tunnelling virus" is? Tunnelling is a process by which a program obtains the "original" interrupt handler for a given interrupt. For example, lets say you turn on your computer. the BIOS in your computer immediately will controll INT 13h, which is disk services. However, after you boot up, let's say you run some program which hooks int 13h. An example of a program that probably does this would be Norton's Diskreet (although it might actually do it at a slightly higher level; I have never checked). 
Now, when a program gets around to calling int 13h, first diskreet does whatever it wants to do with the parameters passed in (such as which sector to read/write), and then it passes the same values on to the bios. Tunelling would allow for a program to pass by diskreet at hit the first handler (the BIOS), without paying any attention to diskreet by calling the address which has the original handler. A tunelling virus is a virus which uses this technique to bypass whatever software might have been installed on a system, often beyond the OS and/or BIOS - -- Kevin Marcus: http://cs.ucr.edu/~datadec CS Dept, U/CA, Riverside: datadec@cs.ucr.edu Virus-L archives: ftp://cs.ucr.edu/pub/virus-l ------------------------------ Date: Fri, 21 Jul 95 04:59:15 -0400 From: dickstien@aol.com (DICKSTIEN) Subject: Need help with this Virus!! Help Needed! (PC) Hi, I have somehow gotten a virus on my TI4000M laptop. It's a MBR virus. I've used fdisk to delete the partition but everytime I try to create a new partition It reboot's the comp and the partition has vanished. Fdisk confirms that, for some reason the partition is either deleted or not created. Could some 1 help me? This laptop is only about 5 days old and is still under warranty, but I would like to keep it, seen as how this is the last one and can't be exchanged. I've tried using Norton disk doctor 8.0 and it alerts me to the problem and asks me if i want it fixed, but like fdisk it does nothing. One time I somehow created a partition and formated drive c: and (thinking I've somehow solved the prob.) started copying dos to drive c:. but about 2 hours later the boot record again somehow vanished. I'have tried mcafee and f-prot but neither can access drive c: to scan it. Please help, If this problem can't be fixed I will be forced to take it back. You can reply here or at dagster@foley.ripco.com Thanx for any helpful replies! 
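------------------------------

The interrupt-handler chaining that Kevin Marcus describes in his "Tunnelling viruses" reply above is easier to see in a small model. The following Python simulation is an added example for this digest and is not code from any of the posters; the vector table, the handler names, the policy in the monitor, the function numbers and the sector numbers are all constructed for the simulation and nothing in it touches real hardware. It shows the normal chained path (monitor first, then the BIOS handler), the tunnelled path that reaches the "original" handler directly, and the check a defender can make: if the BIOS-level handler has served more requests than the monitor forwarded, something went around the hook.

```python
"""Toy model of an INT 13h handler chain and a tunnelling audit.

Added illustration, not code from VIRUS-L or from any product named in the
digest.  All addresses, handlers and numbers here are constructed.
"""

READ, WRITE = 0x02, 0x03   # constructed stand-ins for INT 13h read/write functions


class Machine:
    """Holds the single 'interrupt vector' we model plus counters for the audit."""

    def __init__(self):
        self.bios_calls = 0         # requests that actually reached the BIOS handler
        self.monitor_forwarded = 0  # requests the monitor saw and passed down
        self.log = []
        # At power-on the vector points straight at the BIOS disk services.
        self.vector_int13 = self.bios_int13
        self.original_int13 = self.bios_int13

    def bios_int13(self, func, sector):
        """The 'original' handler: simulated ROM BIOS disk services."""
        self.bios_calls += 1
        self.log.append(("bios", func, sector))
        return 0  # 0 stands for success


def install_monitor(m):
    """A resident program hooks the vector, keeps the previous handler and chains to it."""
    previous = m.vector_int13

    def monitor(func, sector):
        # Constructed policy: refuse writes to sector 0 (boot sector / MBR).
        if func == WRITE and sector == 0:
            m.log.append(("monitor-blocked", func, sector))
            return 0x80  # constructed error code
        m.monitor_forwarded += 1
        return previous(func, sector)  # chain to whatever was installed before

    m.vector_int13 = monitor


def call_int13(m, func, sector):
    """Normal path: go through the current vector, i.e. through every hook."""
    return m.vector_int13(func, sector)


def tunnelled_call(m, func, sector):
    """Tunnelled path: the original handler's address is used directly,
    so the monitor never sees the request."""
    return m.original_int13(func, sector)


def audit(m):
    """Defender check: every request the BIOS served should have come through
    the monitor.  A positive surplus means the hook was bypassed."""
    return m.bios_calls - m.monitor_forwarded


def demo():
    """Run both paths and return (result of the blocked write, audit surplus)."""
    m = Machine()
    install_monitor(m)
    call_int13(m, READ, 5)            # chained: monitor, then BIOS
    blocked = call_int13(m, WRITE, 0)  # monitor refuses this one
    tunnelled_call(m, WRITE, 0)        # bypasses the monitor; BIOS serves it
    return blocked, audit(m)


if __name__ == "__main__":
    print(demo())  # (128, 1): the write was blocked once, and one request went around the hook
```

The audit only works because the model can count at both ends of the chain; on a real machine the equivalent is a second vantage point (an integrity check of the vector table, or a scanner run from a clean boot floppy) rather than trusting the hooked monitor alone, which is the same advice several replies in this digest give for boot sector infectors.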
------------------------------

Date:    Fri, 21 Jul 95 06:07:19 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Distrust virus ? (PC)

dekel@actcom.co.il (L. Dekel) writes:

>in an original sealed util (an IBM util for multi-lang support from about
>'90).

In that case I think you can be pretty sure this is a false alarm....I
think this virus dates from 1993. Try running a different scanner....

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date:    Fri, 21 Jul 95 06:39:31 -0400
From:    grk2237@is2.nyu.edu (Glenn R. Kurtzrock)
Subject: Problems with F-Prot (PC)

Hello there, maybe someone can help me... I have been having a lot of
trouble getting F-Prot to run on my system. I've gotten 6 or 7 different
copies of it from 4 different FTP sites, from version 2.14 to 2.18a, and
every single one has the same problem: when I try to unzip it I get an
error in the sign.def file which says that it has 0 bytes and now F-Prot
won't run. Any suggestions?

- --
Glenn Kurtzrock | grk2237@is2.nyu.edu | NYU 1995 | Rutgers-Newark 1L2B
HEY! NEW HOME PAGE ---> http://www.cascade.net/~sunspot
Sigma Phi Epsilon New York Gamma CR#659 GC#197,507 V D BL Since 11/1/01!
...oOMcDcMOo...

------------------------------

Date:    Fri, 21 Jul 95 07:32:07 -0400
From:    RALawhern@smtpgate.read.tasc.com (Richard A. Lawhern)
Subject: Info Needed on Ripper Virus (PC)

Red,

Here is my posting. Everything in " " please post. Thanks for your help.

One of my network users has asked me to locate information on the
"Ripper" virus. We believe that it can be found by McAfee Anti-Virus and
that it is a boot/MBR virus. We'd like to know what, if any, damage it
can do, what triggers it, and is it common? Both of us travel a fair
amount and cannot check USENET every day. In addition to any USENET
postings, we would appreciate a direct email response by email to:

Mark Johnson, MMJOHNSON@TASC.COM
Red Lawhern, LAWHERN@TASC.COM

------------------------------

Date:    Fri, 21 Jul 95 10:24:47 -0400
From:    vcurtis@relay.nswc.navy.mil (vcurtis)
Subject: "Stoned Michaelangelo" ??? (PC)

Has anyone heard of a virus called "Stoned Michaelangelo"? It is supposed
to make it look like you have a defective floppy drive. I have a friend
that has replaced 3 floppy drives now and was told about the possibility
of this virus. I'm curious about viruses that might affect floppy drives
too, as I am having a lot of problems. I have run every virus scanner I
can find, including the latest Fprot. In FProt's virus list I don't find
any reference to this particular virus. Any info, anyone?

I did contract the "B1" virus a couple of months ago, and Fprot was the
only virus scanner that caught it.

Thanks.

VA

------------------------------

Date:    Fri, 21 Jul 95 10:53:13 -0400
From:    golddave@haven.ios.com (David S. Goldstein)
Subject: ANTIEXE and FORM1 (PC)

Recently we have had several computers infected with ANTIEXE. I
successfully removed it but I'm curious as to what it does. Can anyone
explain in layman's terms what ANTIEXE does?

We also have one machine infected with FORM1. It has infected the MBR. Is
there any way of getting rid of this without reformatting? Also, can
anyone explain in layman's terms what ANTIEXE does?

Thanks,

Dave

golddave@haven.ios.com
http://haven.ios.com/~golddave/home.html

------------------------------

Date:    Thu, 20 Jul 95 12:41:18 -0400
From:    David Gutierrez
Subject: programs that give protection against viruses and trojans (PC)

Hi, I just wanted to know what shareware program(s) give protection
against viruses and trojans. Please tell me also where I can find it if
there is any. Thank you to anyone who responds to this message.

--David Gutierrez

------------------------------

Date:    Thu, 20 Jul 95 17:10:06 -0400
From:    Joanna Wolfe
Subject: Re: Form Virus in memory (PC) - Seeking Anti-Virus

kmccann@mail2.sas.upenn.edu (Katie McCann) wrote:

>After several strange things started happening to my computer, I just
>discovered that I've got the Form Virus in my memory. I've got Norton
>Anti-Virus, which ran, said the virus
>was in the memory, and said that the computer was halted, and to boot it
>from the write-protected Rescue Disk. I'm assuming that's something that
>came with NAV, but I've lost the box, and so I don't have it. So I'm
>assuming I need to go out and buy another copy. But what I'm worried most
>about is the memory. Because prior to discovering that I had
>the virus, I noticed that my computer said I had only about 3.7 megs of
>RAM rather than 4. Is this damage permanent? And how can it be undone?

We are looking for the free-ware anti-virus program called F-PROT; this
is supposed to kill the virus. Supposedly, it is available via
compuserve. Does anyone know of an FTP site that might have this? It
would be mucho appreciated, it's popping up more and more here.

Joanna Wolfe
Technical Support Manager
Oxford University Press.
wolfe@oup-usa.org

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 75]
*****************************************