VIRUS-L Digest   Sunday, 21 Jan 1996   Volume 9 : Issue 4

Today's Topics:

virus damage to companies
Smile ?
Re: The FAQ's and nothin' but..
Re: E-MAIL Viruses.
Re: Are there any virus on Unix? (UNIX)
Re: Word Macro Prank Virus (Concept) (WIN,MAC)
Re: Microsoft Macro Virus Protection Tool (WIN,MAC?)
Re: Word Macro Prank Virus (Concept) (WIN,MAC)
Re: a good Anti-Virus for Win95? (WIN95)
Windows95 Virus Scanner (WIN95)
Re: Virus checking in Win95 ?? (WIN95)
Re: a good Anti-Virus for Win95? (WIN95)
Duck icon appears... (WIN)
Re: Quality Anti-Virus Programs (PC)
RE: midnight crasher virus (PC)
Re: Mutagen Virus found on CD (PC)
Re: Mutagen Virus found on CD (PC)
Re: FORM.A (PC)
Virus WINDEL (PC)
Re: FORM.A (PC)
F-PROT: Request for Help (PC)
stoned.empire.monkey.B 'post-disinfection' problems??? (PC)
Re: Virus Database (PC)
Invircible (PC)
Re: F-Prot shareware version status? (PC)
Re: Quality Anti-Virus Programs (PC)
ILOVE (PC)
Re: Virus Database (PC)
Re: Sampo (PC)
Re: midnight crasher virus? (PC)
Re: F-Prot shareware version status? (PC)
Re: Fwd: Request for Virus Info (PC)
Re: How to kill Quox (PC)
Re: FORM.A (PC)
Re: Prometeus (PC)
DH2 Virus
Electronic Mail Attachments and Viruses?
Re: Are there any virus on Unix? (UNIX)
Re: Quality Anti-Virus Programs (PC)
Word.Concept FREEWARE Cleaner
Re: E-MAIL Viruses.
Re: 1747 - virus? (OS/2)
Re: Nines Virus (PC)
Re: Form Virus in memory (PC)
Re: HELP: Problem with NAV's Updateme.exe (PC)
re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
Looking for Israel product (PC)
Re: Virus:MONKEY_B + FORM_A (PC)
Re: Quality Anti-Virus Programs (PC)
anti-cmos.a (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.)

Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 17 Jan 1996 10:18:31 -0500 (EST)
From: Roy <100451.2341@compuserve.com>
Subject: virus damage to companies
X-Digest: Volume 9 : Issue 4

I'm looking for information on damage which has been caused to companies by computer viruses. Individual statements are welcome, but I'm also looking for some statistical summaries, if they exist.

thanks...

ROY
+----------------------------------------------------+
| 100451.2341@compuserve.com                         |
| http://ourworld.compuserve.com/homepages/hroy      |
+----------------------------------------------------+

------------------------------

Date: Wed, 17 Jan 1996 14:01:16 -0500 (EST)
From: Vince
Subject: Smile ?
X-Digest: Volume 9 : Issue 4

I have a Smile virus on my machine that does nothing bad for now except laughing through the speaker from time to time. Do you have any ideas how to kill it?

TIA,
Vince

[Moderator's note: Questions posed this way are often next to unanswerable. If popular, current scanners identify a virus but do not disinfect it or give a good description of what it does, then odds-on it's a fairly new virus.
With "new" viruses there is even less agreement than usual amongst the different AV producers as to naming, so at the least report where in the world you are, what version of what scanners you've used and any other identifying information about the virus. Better yet, read the FAQ for this list/group -before- posting such requests, as Q&A F4 is written just for you! 8-) ]

------------------------------

Date: Thu, 18 Jan 1996 11:36:10 -0500 (EST)
From: David Harley
Subject: Re: The FAQ's and nothin' but..
X-Digest: Volume 9 : Issue 4

David H. Slack (slack@hpbs3165.boi.hp.com) wrote:

: This is more directed to all those inquiries about virus scanners
: but also about viruses in general.
: I recall that there is a FAQ, in fact I believe there are 2 or 3 of them,
: on viruses. Right off I don't have a copy of them myself. If possible
: could someone send in a copy to the list. I know I have one at home
: and it's most likely available at rtft.mit.edu in Usenet.

Presumably you know about both flavours of Virus-L FAQ. There is a long four-part FAQ for alt.comp.virus (no, it doesn't include out-and-out VX material) which is still bedding down, and firm arrangements for making it available on the Web or by anonFTP or Usenet have not been made to date. For the moment I'm posting it to a.c.v. by hand, or mailing it to anyone who asks for it by sending mail to:

  harley@icrf.icnet.uk
  subject: request a.c.v. FAQ

You can also get it from America Online: Keyword VIRUS (or Virus Information Center, Keyword VIRUS).

The Virus-L and a.c.v. FAQs have some common ground, not unnaturally, and some common contributors, but the latter has some material (such as a section on the legal implications) which I don't think is in the Virus-L FAQ. I'm recommending that people use both FAQs as complementary resources, though Nick may feel differently.
B-)

David Harley

[Moderator's note: There have been a few suggestions the Virus-L/comp.virus FAQ should cover some of the social, ethical and legal issues of virus writing and distribution, but to date no-one has provided material for this...]

------------------------------

Date: Thu, 18 Jan 1996 12:22:35 -0500 (EST)
From: David Harley
Subject: Re: E-MAIL Viruses.
X-Digest: Volume 9 : Issue 4

Arif, Rahan (rarif@chiaolink.dcmdc.dla.mil) wrote:

: I need some info on any e-mail viruses to be aware of. So far, I was
: warned of AOL Gold, and Goodtimes, neither one really had any effect.

AOLGOLD is a trojan, rather than a virus. It was distributed in a file called AOLGOLD.ZIP. When the INSTALL.EXE program contained in that archive file is run, files on drive C are deleted. Full details were distributed in CIAC bulletin Number G-03 of Nov. 16th, 1995. You can get a copy from:

  World Wide Web: http://ciac.llnl.gov/
  Anonymous FTP:  ciac.llnl.gov (128.115.19.53)

The Good Times virus is a hoax. The claim is that there is a virus which is distributed by an E-mail message with the title "Good Times" in the Subject: field which, if read, trashes your hard disk and/or burns out your CPU by launching it into an nth-complexity binary loop.

You can get a copy of Les Jones' FAQ on the Good Times Hoax from:

Via FTP:
  ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
  ftp://members.aol.com/macfaq/good-times-virus-hoax-faq.txt

On the World Wide Web:
  http://www.tcp.co.uk/tcp/good-times/index.html
  http://www.singnet.com.sg/staff/lorna/Virus (Note: the V must be capitalized.)
  http://www.nsm.smcm.edu/News/GTHoax.html

There's a Mini-FAQ available as:
  ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ.txt

There *is* at least one file virus christened Good Times by the individual who posted it in an attempt to cause confusion. It is more commonly referred to as GT-spoof.

From the alt.comp.virus FAQ (blushes becomingly....) on the general subject of E-mail viruses.
There is, unfortunately, a lot more to say on this....

- --- quoted text begins -------

Any file virus can be transmitted as an E-mail attachment. However, the virus code has to be executed before it actually infects. Sensibly configured mailers don't usually allow this by default and without prompting. There's room for a lot of discussion here. The jury is still out on web browsers: Netscape can certainly be set up to do things I don't approve of..... [Apparently cc:mail can launch attachments straight into AMIPro. Any other known nasties?]

The term 'ANSI bomb' usually refers to a mail message or other text file that takes advantage of an enhancement ;-) to the MS-DOS ANSI.SYS driver which allows keys to be redefined with an escape sequence, in this case to echo some potentially destructive command to the console. In fact, few systems nowadays run programs which need ANSI terminal emulation to run, and there's no guarantee that the program reading the file would pass such an escape sequence unfiltered to the console anyway. There are plenty of PD or shareware alternatives to ANSI.SYS that don't support keyboard redefinition, or allow it to be turned off. The term mail bomb is usually applied to the intentional bombardment of an e-mail address with multiple copies of a (frequently abusive) message, rather than to the above. See SimTel/keyboard on sites carrying a SimTel mirror.

- -- quoted text ends -------

David Harley

------------------------------

Date: Thu, 18 Jan 1996 08:56:37 -0500 (EST)
From: Graham Cluley
Subject: Re: Are there any virus on Unix? (UNIX)
X-Digest: Volume 9 : Issue 4
In-Reply-To: <01I06C4XA6HQOK8IBB@csc.canterbury.ac.nz>

> From: Lim Kok Hwee
> I've been working on Unix platform for a few years now and have
> never encountered any virus. Recently the top management of my
> organization posed me the following questions:
>
> 1) Are there any viruses that infect programs on the Unix platform?

Yes, a handful.
They're not really worth losing any sleep over as they are extremely unlikely to be seen in the wild. More of a threat are PC viruses held in DOS files on a Unix system (where Unix is being used as a file server).

> 2) Are there any anti-virus programs that are the "antidotes"?

S&S International (the company I work for) produce Dr Solomon's Anti-Virus Toolkit for Unix. This detects over 7500 PC viruses, as well as the Unix viruses too. Dr Solomon's AVTK can also disinfect virus infections and scan recursively inside PC compression formats (ZIP, LZH, ARJ, ARC, ICE, Diet, CryptCOM, PKLite, LZExe) without writing to the hard disk. You may like to visit our website or call one of our offices for more information.

> 3) What are some of the things we can do to prevent virus infection
> on the Unix platform?

Well, everyone should do regular backups - and then verify that the backup is valid. You may also consider running a Unix virus scanner, such as Dr Solomon's version for Unix.

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Jan 1996 01:36:52 -0500 (EST)
From: "Chengi J. Kuo"
Subject: Re: Word Macro Prank Virus (Concept) (WIN,MAC)
X-Digest: Volume 9 : Issue 4

Martin Blay writes:

>Word Macro Prank Virus (Concept)
>Does anybody know of a good way of protecting against and cleaning up
>this virus, I have tried the Microsoft Scanprot but this clashes with
>Digital Teamlinks mail Version 2.5, and Norton Anti Virus with the
>latest (January 96) update can only detect it when running a scan from
>DOS but not from the Windows component. Also it cannot repair infected
>files. Any help would be much appreciated.
Martin, we currently have available a beta 2.3.0 in our ftp beta area to clean this virus, for which we are seeking people to help test. And detection has been available for many months. For the other major products, most have detection now and only S&S and us have anything that cleans, except that I keep hearing that NAV cleans but you report otherwise.

Jimmy
cjkuo@mcafee.com

[Moderator's note: Following my glib quip at the end of one of Jimmy's other postings, Jimmy asked:

> Nick (moderator), could you please clarify the "commercial" rules?

I'm working on re-writing the posting guidelines, etc (hopefully done tomorrow/Monday) but I doubt I'll be changing the "commercial postings" rules. As I read them, this submission is fine--it is direct, factual and not loaded with marketing hype. I think requests for beta-testers fall into much the same category as product announcements. If anyone has strong feelings about the posting guidelines (not just the "commercial posting" bits), please submit them to the list for public discussion or to me (n.fitzgerald@csc.canterbury.ac.nz) for off-line consideration.]

------------------------------

Date: Thu, 18 Jan 1996 08:40:21 -0500 (EST)
From: Graham Cluley
Subject: Re: Microsoft Macro Virus Protection Tool (WIN,MAC?)
X-Digest: Volume 9 : Issue 4
In-Reply-To: <01I06C4XA6HQOK8IBB@csc.canterbury.ac.nz>

gemini@iohk.com writes:

> My company is currently using the Da Vinci email Software.
> The software includes a LAUNCH icon for a user who wants to
> automatically invoke Word6.0 when the attachment file is of
> DOS extension .DOC.
>
> The installed microsoft macro protection tool ( SCANPROT.DOT )
> fails to detect a document with Winconcept virus.

Dr Solomon's Anti-Virus Toolkit for Windows and Win95 includes a 32-bit VxD called WinGuard. This can intercept the same number of viruses as our command-line scanner FindVirus (including macro viruses), but with the benefit of running continuously, unobtrusively in the background.
So if any of your users attempt to load an infected document, WinGuard leaps in and prevents the infection, warning the user that they have tried to access a document infected with Concept, Nuclear, Colors, or whatever virus it is. It also stops people copying infected files, emailing infected files, etc etc. This is a very effective way of stopping a macro virus outbreak dead in its tracks and does not rely on the user deciding whether it is safe to load the document or not.

Some other anti-virus products also have VxDs, but I don't have any information as to which can also intercept Word macro viruses.

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Jan 1996 10:40:00 -0500 (EST)
From: Zvi Netiv
Subject: Re: Word Macro Prank Virus (Concept) (WIN,MAC)
X-Digest: Volume 9 : Issue 4

Martin Blay wrote:

> Word Macro Prank Virus (Concept)
> Does anybody know of a good way of protecting against and cleaning up
> this virus, I have tried the Microsoft Scanprot but this clashes with
> Digital Teamlinks mail Version 2.5, and Norton Anti Virus with the
> latest (January 96) update can only detect it when running a scan from
> DOS but not from the Windows component. Also it cannot repair infected
> files. Any help would be much appreciated.

A simple (and effective) approach would consist of the following:

1. Load the NORMAL.DOT template as a Word document, open the Tools/Macro menu, delete the parasitic macros, save NORMAL.DOT and close it.

2. Change the NORMAL template attributes to read-only with the DOS attrib command.
If you are a system administrator and the NORMAL.DOT template is shared by all users from a server, then remove the users' modify rights in the templates directory. This will stop the spread to new documents. Now you can safely handle already infected documents.

3. Instead of relying on automated cleaning of documents, simply clean them manually with Word, the same way you cleaned the NORMAL template. You can use any scanner that identifies the presence of the macro viruses to spot the documents that need cleaning.

Finally, you may wish to monitor the integrity of your template files to assure that they haven't been modified. Good integrity checkers will let you do so; InVircible is one possibility, available from the sites in my signature.

Regards, Zvi Netiv
.......................................................................
NetZ Computing Ltd, Israel                 Voice: +972 3 532 4563
Developer & Producer of InVircible         Fax:   +972 3 532 5325
Web page: http://invircible.com/
E-mail: netz@actcom.co.il  netz@invircible.com
Compuserve: 76702,3423
Ftp sites: ftp.datasrv.co.il/pub/usr/netz/  ftp.invircible.com/invircible/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Wed, 17 Jan 1996 10:18:42 -0500 (EST)
From: Petra Herm
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 4

Marcelo Medina wrote:

> Can anyone suggest me a good anti-virus for win95?

The Master Boot Record on my PC was infected by a FORM_A virus and I tried McAfee AntiVirus for Win95 and F-Prot for Win95. Both detected the virus but neither could clean it. Norton Antivirus for Win95 was the only one that could clean it!

Regards,
Petra.

Petra Herm
email: hermpa@track.informatik.uni-stuttgart.de
       Petra.Herm@iao.fhg.de

------------------------------

Date: Wed, 17 Jan 1996 14:52:08 -0500 (EST)
From: Jeff Weyenberg
Subject: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 4

Has anyone found a good Virus Scanner for Windows95?
[This would seem to be the question of the moment--Moderator.]

------------------------------

Date: Thu, 18 Jan 1996 02:18:56 -0500 (EST)
From: George Wenzel
Subject: Re: Virus checking in Win95 ?? (WIN95)
X-Digest: Volume 9 : Issue 4

>Well, I subscribed to this list a month ago, and forgot, since
>nothing ever appeared. Here's why I subscribed: Are there any good
>free Win95 virus checkers? We got virus protection with Win3.11, but
>it appears to have vanished with Win95. Do I just use the program
>from Win3.11? If so, does anyone know how I can update the virus
>signature list?

The reason you didn't find any posts to this group was because it didn't have a moderator for several months. It was just recently revived.

Firstly, DO NOT use MSAV, which comes with Windows 3.11. It is essentially useless. Numerous shareware anti-virus programs are available, and there are some out there that are Windows 95-specific. Check out

  http://www.valleynet.com/~joe

for lots of information and Windows 95 anti-virus programs you can download.

Also, I might note that you don't necessarily need a Windows 95-specific anti-virus scanner. Boot to DOS command-line mode and use a DOS-based scanner and it'll work fine that way.

Regards,
George Wenzel

------------------------------

Date: Thu, 18 Jan 1996 02:21:27 -0500 (EST)
From: George Wenzel
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 4

In article <0008.01I03RRV4IZ6OK843A@csc.canterbury.ac.nz>, Marcelo Medina wrote:

>Can anyone suggest me a good anti-virus for win95?
>
>Please e-mail response to
>

Dr. Solomon's, Norton, Thunderbyte, F-Prot, McAfee, and others all have anti-virus software available for Windows 95. Do a web search for their company name, and check out their company websites for info on how to obtain the software.

Regards,
George Wenzel

------------------------------

Date: Thu, 18 Jan 1996 00:38:50 -0500 (EST)
From: ArrowMkr
Subject: Duck icon appears... (WIN)
X-Digest: Volume 9 : Issue 4

I had just installed the v8 upgrade to QEMM and was running Uninstaller3 and asking for a list of Windows applications to analyze for deletion. The icons that appear by each program group were scrambled and a small light blue square appeared in the upper left hand corner of the screen with a black duck in the center. Is there a virus that is known to cause this behavior? I have scanned my hard disks with NAV and McAfee and found nothing.

Thanks for any replies...

Brian

------------------------------

Date: Wed, 17 Jan 1996 06:01:24 -0500 (EST)
From: Graham Cluley
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 4

Our Man In Havana writes:

> Is there any single anti-virus package that's regarded as head and
> shoulders above the rest? I've used McAfee and am trying Thunderbyte
> and am just wondering what other packages are around that are
> considered good. Not too interested in Norton.
>
> Jerry Pournelle was always writing about some package in his column
> but I can't remember what it was called. British, I think....

Jerry Pournelle uses and recommends Dr Solomon's Anti-Virus Toolkit, which is indeed developed in the UK. You can find independent comparative reviews and press cuttings (including some from Pournelle's column in Byte magazine) on our website:

  http://www.drsolomon.com

You can also download an evaluation version of Dr Solomon's FindVirus for DOS (part of the commercial anti-virus toolkit) from our website.

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 17 Jan 1996 06:58:46 -0500 (EST)
From: The Second Floor BBS
Subject: RE: midnight crasher virus (PC)
X-Digest: Volume 9 : Issue 4

It is almost certainly a virus, as there are many viruses in existence which do strange things late at night; also, since WIN95 detected an MBR write, that basically clinches the possibility. No normal program should ever write to the MBR except programs specifically designed to do so, i.e. SYS, MDISK, boot virus killers, etc.

------------------------------

Date: Wed, 17 Jan 1996 08:34:48 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Mutagen Virus found on CD (PC)
X-Digest: Volume 9 : Issue 4

psterlin@i2020.net writes:

> I received a Cd for christmas titled "When Two Worlds War". When I
> started to run it Norton Anti-Virus told me one of the files
> contained the mutagen Virus. I checked the CD twice and every time I
> get the same warning. I contacted Sierra

Hmm... Mutagen is a very polymorphic virus and there is a chance that NAV is giving you a false positive - i.e., that there is no virus. Try a few other good scanners as well and if they don't detect anything - this means that NAV is wrong. Also, contact Symantec's tech support and ask them whether there is really a virus in that file or not. Even if there isn't one, you'll help them to improve their product by fixing a false positive.

Regards,
Vesselin

- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Fri, 19 Jan 1996 02:50:08 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Mutagen Virus found on CD (PC)
X-Digest: Volume 9 : Issue 4

psterlin@i2020.net writes:

> I received a Cd for christmas titled "When Two Worlds War". When I started to
> run it Norton Anti-Virus told me one of the files contained the mutagen Virus.
> I checked the CD twice and every time I get the same warning. I contacted Sierra
> twice about this and they don't seem to care because they have not replied to my
> E-mail and did not return my call (some took down all the info and then no ever

I have examined the file in question and it is definitely NOT infected. NAV95 is causing a false positive. The file is a typical data file - it is not even executable.

> I realise that this could be a false positive but for the time being I'm not

It is one.

> Has anyone else found a virus on
> this game?

There is none.

Regards,
Vesselin

- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Wed, 17 Jan 1996 08:39:03 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: FORM.A (PC)
X-Digest: Volume 9 : Issue 4

Bill Sempf writes:

> some infected SmartSuite disks. I need to know how a boot sector
> virus gets from floppy to hard drive.

By forgetting an infected floppy in drive A: at boot time.

> Is it only from 'booting' from
> a floppy?

Or by *attempting* to boot from it. The attempt doesn't have to be successful, in the case of Form.A.

> Can you _not_ get it from a file downloaded from the
> Internet or other online service?
It is always possible to create a Trojan horse - a program which installs the boot sector virus on your disk when you run it. Such things are called "Droppers" but they are rare. You almost certainly got it by forgetting an infected floppy in drive A: at boot time. If your CMOS configuration allows that, make your computer always boot from drive C: - this will save you such problems in the future (that is, it will prevent all pure boot sector viruses).

Regards,
Vesselin

- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

[Moderator's note: Not to detract from Vesselin's fine answer, the question is in this group's FAQ list and I'm likely to stop approving such posts soon...]

------------------------------

Date: Wed, 17 Jan 1996 08:44:57 -0500 (EST)
From: Oliver Wegner
Subject: Virus WINDEL (PC)
X-Digest: Volume 9 : Issue 4

Could anybody tell me what the virus WINDEL (McAfee Scan found it) does?

Oliver

------------------------------

Date: Wed, 17 Jan 1996 10:20:08 -0500 (EST)
From: Petra Herm
Subject: Re: FORM.A (PC)
X-Digest: Volume 9 : Issue 4

Bill Sempf wrote:

> Hi. I am tracing an infestation of FORM.A I may have
> contracted from some infected SmartSuite disks. I need to know how
> a boot sector virus gets from floppy to hard drive. Is it only from
> 'booting' from a floppy? Can you _not_ get it from a file
> downloaded from the Internet or other online service?

I got it (still have), and I never booted from a floppy. I also had some diskettes infected, so I am sure you can get it after inserting an infected diskette in your floppy. I think it happens while your system is reading the FAT.

regards,
Petra.
Petra Herm
email: hermpa@track.informatik.uni-stuttgart.de
       Petra.Herm@iao.fhg.de

[Moderator's note: See previous posting from Vesselin Bontchev on this. You get BSI/MBR viruses by attempting to boot from infected diskettes. There are (currently) no known, widely distributed droppers. Some AV s/w -incorrectly- reports active infections following a "dir listing" of a floppy. I think this is Petra's problem. Look in the FAQ--there are several Q&A's relating to this phenomenon.]

------------------------------

Date: Wed, 17 Jan 1996 10:43:24 -0500 (EST)
From: "Shankland, David B RV"
Subject: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 4

We have an installation of over 1500 PCs on Novell file servers, and are having difficulty installing F-PROT for Windows (V 2.19a.1) and Dynamic Virus Protection (DVP--runs in background under Windows) with a pilot group of engineers. Each PC is configured somewhat differently, and the PC users have said that they cannot install these products without memory contention, system hangs, and random reboots. I have all 4 products installed, F-PROT for DOS, VIRSTOP (runs in background under DOS), F-PROT for Windows, and DVP, and I have had no problems at all. Of course, I am not running engineering applications, either.

Part of my dilemma is that we are required by ISO-9000 auditors to have automatic virus detection on all PCs. To quote the audit finding: "Need for automatic virus detection to be installed and maintained on all machines in a controlled way." We are running NET-PROT on our file servers.

Is there any way to ensure that PC users have, first of all, installed F-PROT for Windows, and secondly, that they are using/running Dynamic Virus Protection (DVP)? We have been unable to determine how the utilization can be required and enforced. What have other large companies done with F-PROT for Windows and DVP? Is there any logging that monitors this situation?

Your input will be appreciated.
Dave Shankland, Computer Security Officer, Unisys Corp.
dbs1@rsvl.Unisys.com or Shankland@dockmaster.ncsc.mil

------------------------------

Date: Wed, 17 Jan 1996 11:20:56 -0500 (EST)
From: al proulx
Subject: stoned.empire.monkey.B 'post-disinfection' problems??? (PC)
X-Digest: Volume 9 : Issue 4

The computer at our office, as well as my home computer, were infected with the 'Stoned.Monkey.Empire.B' virus. I was able to get it off with F-Prot (what a wonderful program??). While the virus was on there, the computers were acting kinda funny (e.g. running slow, hard drive seemed to be working all the time, some files appear to be missing without a trace, disruption of Windows 3.11 32-bit disk access system???). It seems to be OK now. Both computers are 486s running Windows 3.11 (the office one is a DX-66 while mine is a DX-100). Are there any known major targets for this virus & should I check any system files for known 'points of attack'?? The computers seem to be working OK now but it's hard to tell if this virus has done any other damage(s).

Thanks...please reply to 'COMP.VIRUS', 'VIRUS-L' or directly by e-mail.

------------------------------

Date: Wed, 17 Jan 1996 12:29:16 -0500 (EST)
From: Fridrik Skulason
Subject: Re: Virus Database (PC)
X-Digest: Volume 9 : Issue 4

In <0002.01I03RRV4IZ6OK843A@csc.canterbury.ac.nz> Pube? writes:

>Can anyone point me to a good database of all known viruses, with
>descriptions and such.

Sorry, there is no such thing. VSUM is not "good", and besides, it only describes a small part of the 8000 or so viruses that exist.
AVP's descriptions are accurate, but not very extensive... the database in my own F-PROT is badly outdated (but we are finishing a replacement).

-frisk

- -
Fridrik Skulason      Frisk Software International      phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-5-617274

------------------------------

Date: Wed, 17 Jan 1996 17:17:35 -0500 (EST)
From: Jean-Francois Fortin
Subject: Invircible (PC)
X-Digest: Volume 9 : Issue 4

Does anyone know where Invircible is available? It is a small antivirus program from Israel that uses a new concept in virus detection. Apparently it ranks among the best in detecting viruses. I read somewhere that it detected all the viruses that were submitted to it. It works by setting up the computer in a state in which the virus is likely to come into action or become active and if it manifests itself it stops the virus. Anyone know where I can find this little wonder?

[I read somewhere Elvis was alive and playing in Brazil...-Moderator 8-)]

------------------------------

Date: Wed, 17 Jan 1996 17:20:23 -0500 (EST)
From: Denis McKeon
Subject: Re: F-Prot shareware version status? (PC)
X-Digest: Volume 9 : Issue 4

[followup both posted and mailed to poster]

In <0022.01I03RRV4IZ6OK843A@csc.canterbury.ac.nz>, Neil R. Marsh wrote:

> Has there been a change in the status of the shareware version
> of F-Prot? There's no sign of the expected December release on
> risc.ua.edu as of a couple of days ago, and http://www.datafellows.com
> doesn't address it, just F-Prot Professional (although I may have
> missed something).

F-Prot 2.21 of Dec. 18 1995 is at:

  ftp://oak.oakland.edu/SimTel/msdos/virus/fp-221.zip

No change in status that I can see. Works well, as always.
- -
Denis McKeon
dmckeon@swcp.com

------------------------------

Date: Wed, 17 Jan 1996 17:21:23 -0500 (EST)
From: Doug Muth
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 4

In article <0030.01I03RRV4IZ6OK843A@csc.canterbury.ac.nz>, Po Kwok writes:

: I am not sure which one is the best, but you may have a look at the
: following sites for an introduction to some common anti-virus
: programs:
: 1. http://www.tucows.com/virus.html
: 2. http://ciac.llnl.gov/ciac/ToolsDOSVirus.html

Let's mention my AV homepage as well. :)

  http://www.ot.com/~dmuth/virus/virus.html

I have links to some of the better AV products and, AFAIK, mine is the only one that carries ARF 2.4 which is a behavior blocking program similar to TBAV's TSR programs.

Regards,
- -
- --------| Finger dmuth@oasis.ot.com for
- -------| PGP public key and geek code

------------------------------

Date: Wed, 17 Jan 1996 18:13:35 -0500 (EST)
From: Jeff Koppenhaver
Subject: ILOVE (PC)
X-Digest: Volume 9 : Issue 4

Does anyone have any info on this virus? F-Prot seemed to ID it, but I don't see it listed anywhere in the lists.

------------------------------

Date: Wed, 17 Jan 1996 21:45:30 -0500 (EST)
From: Bruce Riddle
Subject: Re: Virus Database (PC)
X-Digest: Volume 9 : Issue 4

Pube? wrote:
>
> Can anyone point me to a good database of all known viruses, with
> descriptions and such.

Try http:/www.symantec.com/virus/virus.html/ and dig a little. Fairly complete.

------------------------------

Date: Wed, 17 Jan 1996 21:47:20 -0500 (EST)
From: Bruce Riddle
Subject: Re: Sampo (PC)
X-Digest: Volume 9 : Issue 4

Leong Pe Loon wrote:
>
> Greetings, one and all. Has anybody encountered the Sampo virus? I saw
> it on a friend's machine. Nothing could remove it. It apparently
> affects the boot sector, is identified most of the time but f-prot, like
> the rest, says it wouldn't try to remove it. Help?
I've removed it succesfully with mcaffee 2.17 ------------------------------ Date: Wed, 17 Jan 1996 23:06:36 -0500 (EST) From: Bryan Lewis Subject: Re: midnight crasher virus? (PC) X-Digest: Volume 9 : Issue 4 In a previous post I wrote: >Anyone heard of this one? When an application writes to the hard disk, >the disk locks up in what appears to be a disk failure. Perpetual retries, >thrashing, has to be cold-booted. Has happened on two different PC's, >running DOS 6.2. >It always happens shortly after midnight! Every one of about a dozen >occurrences happend between 12 midnight and 12:30. Strange... >I even worked around it once by resetting the PC's clock to 1 am. >I've tried replacing the I/O card and cable and hard disk. I bought McAfee VirusScan for DOS, and it quickly identified the problem as the NYB virus, whatever that is. And fixed it. Another symptom I hadn't mentioned was the inability to format floppies. All fixed. I ran it at work, and found three other machines that had the NYB. And two that had the WELCOMB, whatever that is. McAfee identified it but couldn't fix it. Those machines have shown no symptoms as far as we know. Microsoft's AV had no clue what was going on. [Moderator's note: Thanks for the followup. I'm closing this thread now unless I get some really interesting followup... And this may surprise readers, but the FAQ has some views on MSAV too...] ------------------------------ Date: Thu, 18 Jan 1996 00:04:38 -0500 (EST) From: "Neil R. Marsh" Subject: Re: F-Prot shareware version status? (PC) X-Digest: Volume 9 : Issue 4 In article <0022.01I03RRV4IZ6OK843A@csc.canterbury.ac.nz> neilm@halcyon.com writes: > > Has there been a change in the status of the shareware > version of F-Prot? Thanks to the many who responded. For others in the same boat as I, look at ftp://oak.oakland.edu Cheers! Neil Neil Marsh neilm@halcyon.com NeilM@LocalAccess.com ------------------------------ Date: Thu, 18 Jan 1996 01:18:02 -0500 (EST) From: "Chengi J. 
Kuo" Subject: Re: Fwd: Request for Virus Info (PC) X-Digest: Volume 9 : Issue 4 Cashwellme@aol.com writes: > I received a report from one of our offices that they have several PCs >infected with the "Viral Code B" virus. After lengthy discussions, they >claim it is a boot sector virus (if at all?) which they detected using CPAV, >which is not able to clean or disinfect this "virus". I did some extensive >research into the current listing of existing virus databases with no >success. The closest description I come to is "Virus B" which by all >accounts does not define the same symptoms as what is being reported. Do you >have any information on such a virus, if it is a virus at all, and whether it >exists, either under this name or an alias? As I recall, it is CPAV's way of having it's heuristics tell you, "You have a virus in your boot sector but I don't know what it is." (It's heuristics after all.) You need to get them to get you a copy of an infected diskette and try some other scanners on it to identify it. If none of the other scanners say it's a virus, pick one or more of the vendors and send them a copy. If some say it's a virus but others not, send it to one of the minority companies. They'll either need it to beef up their detections or they'll be glad to tell you that it's not a virus and that the others are wrong. Jimmy cjkuo@mcafee.com ------------------------------ Date: Thu, 18 Jan 1996 01:22:30 -0500 (EST) From: "Chengi J. Kuo" Subject: Re: HOw to kill Quox (PC) X-Digest: Volume 9 : Issue 4 I'm a good man writes: >Just wonder if scanv228 can kill this virus or any other programs that >can kill it? Let's see, how do I answer this without being commercial? :-) Yes. The virus is more than a year old so most any up-to-date AV product should also be able to remove it. Jimmy cjkuo@mcafee.com [Very restrained Jimmy!!--Moderator.] ------------------------------ Date: Thu, 18 Jan 1996 01:38:47 -0500 (EST) From: "Chengi J. 
Kuo" Subject: Re: FORM.A (PC) X-Digest: Volume 9 : Issue 4 Bill Sempf writes: > Hi. I am tracing an infestation of FORM.A I may have contracted from >some infected SmartSuite disks. I need to know how a boot sector >virus gets from floppy to hard drive. Is it only from 'booting' from >a floppy? Yes. In the "natural" infection scenario. >Can you _not_ get it from a file downloaded from the >Internet or other online service? It can only happen if someone created a dropper but this is not likely. There's a very good chance that if someone did that, that we in the AV industry would be made aware of that situation. Jimmy cjkuo@mcafee.com ------------------------------ Date: Thu, 18 Jan 1996 01:48:16 -0500 (EST) From: "Chengi J. Kuo" Subject: Re: Prometeus (PC) X-Digest: Volume 9 : Issue 4 EPAREDES@CCVM.SUNYSB.EDU writes: >Does anyone have any information about a virus called Prometeus? >I have checked several anti-virus programs(inc. Norton AV) but I >cannot find it in any list. Have not heard of it. How did you come upon the name? (I believe there's something in the FAQ about asking questions like this.) Jimmy cjkuo@mcafee.com [Moderator's note: There -is- something in the FAQ. At the risk of sounding like a parrot, look up question F4.] ------------------------------ Date: Thu, 18 Jan 1996 04:43:47 -0500 (EST) From: Stranded Subject: DH2 Virus X-Digest: Volume 9 : Issue 4 Can anyone tell me how to kill DH2??? and it infect Win95 files? And what about DH2 and Windows NT? Thanks ------------------------------ Date: Thu, 18 Jan 1996 07:25:48 -0500 (EST) From: Carlton Jones Subject: Electronic Mail Attachments and Viruses? X-Digest: Volume 9 : Issue 4 I'm interested to see how support staff are addressing the problem of making sure that people receiving email attachments get them extracted and virus checked. We currently use Digital TeamLinks 2.1 and ideally, it would be great to get incoming attachments automatically virus scanned before being passed to the user. 
Later this year we'll be moving to MS Mail and looking for a solution on that platform too. ------------------------------ Date: Thu, 18 Jan 1996 08:11:59 -0500 (EST) From: Fred Cohen Subject: Re: Are there any virus on Unix? (UNIX) X-Digest: Volume 9 : Issue 4 > From: Pete Radatti > > From: Lim Kok Hwee > > I've been working on Unix platform for a few years now and have > > never encountered any virus. Recently the top management of my > > organization posed me the following questions: