VIRUS-L Digest   Friday, 2 Feb 1996   Volume 9 : Issue 9

Today's Topics:

(Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
Re: (Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
Re: (Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
Re: Virus Scanner for E-Mail Attachment??
Re: Can a computer get a virus from the internet?
What are the best Integrity Checkers?
zingo day arrives virus??
Tech. Info.
Shareware beasties
There is no escape from the worst virus ever!
Re: Virus Database
Status of AV-Scanner for NOVELL Netware 4.1? (NW)
Antiviral software recommendations (MAC)
Re: Help with Word macro virus on network (MAC,WIN)
Re: Windows95 Virus Scanner (WIN95)
Re: a good Anti-Virus for Win95? (WIN95)
Re: Virus checking in Win95 ?? (WIN95)
"REMEMBER THE BIKE TEAM" virus (WIN)
Windows based A: drive guardian? (WIN)
ANTICMOS A / Boot Sector question (PC)
Re: Need info on MONKEY_A virus (PC)
Re: Need help: AntiEXE virus (PC)
telecom 2 virus (PC)
Is this a virus? (PC)
Re: F-PROT: Request for Help (PC)
TBWEEDER - A duplicate file checker (PC)
Re: Disk/file corruption virus related? (PC)
Re: Need info on MONKEY_A virus (PC)
RE: VET as an anti-bugger (PC)
Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
F-PROT: Request for Help (PC)
parity boot b? (PC)
EXE_BUGD -bad news- (PC)
Re: Need help: AntiEXE virus (PC)
Re: McAfee upgrades? (PC)
Re: Quality Anti-Virus Programs (PC)
Re: Mysterious hidden files. Virus? (PC)
Re: Mutagen Virus found on CD (PC)
RE: F-PROT: Request for Help (PC)
Re: anti-cmos.a (PC)
What does SHZ do? (PC)
HELP (PC)
Re: DH2 Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)
Please sign submissions with your real name; anonymous postings
will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be
sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 17 Jan 1996 03:13:00 -0500 (EST)
From: Otto Stolz
Subject: (Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
X-Digest: Volume 9 : Issue 9

[Moderator's note: Many of you will have seen or heard of this by now.
I recommend that you read Vesselin's response (following item) if you
haven't already seen that.]

-- Forwarded mail from RISKS@CSL.SRI.COM

RISKS-LIST: Risks-Forum Digest  Tuesday 16 January 1996  Volume 17 : Issue 64

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Date: Sat, 13 Jan 96 20:02:15 PST
From: olcay@libtech.com (olcay cirit)
Subject: HUGE WINDOWS 95 SECURITY HOLE!!!!

I've just discovered a huge security hole in Windows 95 that affects
ALL 32-bit virus scanning programs. The hole prevents A/V programs
from accessing specially named files.

To understand how it works, you have to know a little bit about how
DOS works: In DOS, when a file is deleted, the first character in the
file name is overwritten with ASCII character 229, and it is removed
from the File Allocation Table (FAT). DOS does let you use ASCII 229
as the first character of filenames and directories without any
problems, though.
With Windows 95, however, if it detects that the first character of
any file or directory is ASCII 229, it will tell you that the file
does not exist, even though this is not true.

I tested out McAfee's latest ViruScan 95, and it could not access
infected files in directories starting with ASCII 229. Additionally,
files starting with ASCII 229 that were infected came up as
uninfected. It is interesting to note that old DOS-based scanners
still work.

Potential RISKS include:

* Viruses that have specially named data files to prevent detection
* Viruses that store a copy of themselves in a protected directory
  and infect from there.

NOTE that this appears to be a problem with Windows 95, not the virus
scanners. Specifically, the built-in file querying routines. I can't
think of any workable solutions to the problem offhand.

Olcay Cirit -- olcay@libtech.com
http://www.libtech.com/olo2.html

--End of forwarded mail from RISKS@CSL.SRI.COM

------------------------------

Date: Tue, 23 Jan 1996 14:37:23 +1300
From: Vesselin Bontchev
Subject: Re: (Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
X-Digest: Volume 9 : Issue 9

1) If you try to create a file with the Alt-229 character as the first
character of its name and if you do that from the command line (e.g.,
using COPY, REN, etc.), then the file that will be created will have
the Alt-005 character in the first position of its name and will be
accessible to the file manipulating functions (FindFirst/FindNext,
Open, Read, Write, Close, Unlink, etc.). This happens *both* under DOS
and Win95.

2) If you create a file with a "normal" name and then use some kind of
disk editor to edit the directory entry and change its first character
to 0E5h (i.e., the hexadecimal equivalent of Alt-229), then the file
will "disappear" for the file manipulating functions - it will be
considered to be deleted, because the operating system marks the
deleted files like that.
If you run a "disk fixing" program like CHKDSK or SCANDISK, it will
complain about the lost clusters that used to belong to that file and
are now considered unused by any existing file. Again, this happens
*both* under DOS and Win95.

So, no news at all. Of course, both DOS and Win95 are huge security
holes by themselves, but this is not news either. :-)

Finally, maybe someone could say something about the RISKS of
incompetent users spreading panic around instead of consulting an
expert first... :-))

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software
International, Postholf 7180, IS-127, Reykjavik, Iceland
producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 23 Jan 1996 17:55:12 +0200
From: ts@UWasa.Fi (Timo Salmi)
Subject: Re: (Fwd) HUGE WINDOWS 95 SECURITY HOLE!!!!
X-Digest: Volume 9 : Issue 9

Thank you for your contribution. This upload is now available as

965566 Jan 6 16:41 ftp://garbo.uwasa.fi/pc/virus/vsumx512.zip

: Date: Tue, 23 Jan 96 07:33:18 PST
: From: rwyoun1@PacBell.COM (Randy Young)
: To: pc-up@uwasa.fi
: Subject: VSUMX512.ZIP Patricia Hoffman's virus summary for 12/95
:
: File name: vsumx512.zip
: One line description: Patricia Hoffman's virus summary for 12/95.
: Replaces: vsumx***.zip
: Suggested Garbo directory: pc/virus
: Uploader name & email: Randy Young rwyoun1@pacbell.com
: Author or company: Patricia Hoffman
: Email address:
: Surface address:
: Special requirements:
: Shareware payment required from private users: $30.00
: Shareware payment required from corporates:
: Distribution limitations:
: Garbo CD-ROM distribution allowed:
: Demo:
: Nagware:
: Self-documenting:
: External documentation included:
: Source included:
: Size:
: 10 lines description: Patricia Hoffman's Virus Summary in HyperText
: format for ease of use.
: Look up viruses, how
: to detect, what they do and how to remove.
: Also a fairly up to date listing of virus
: detectors and their ratings.

All the best, Timo

...................................................................
Prof. Timo Salmi Co-moderator of news:comp.archives.msdos.announce
Moderating at ftp:// & http://garbo.uwasa.fi archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
ts@uwasa.fi http://uwasa.fi/~ts BBS 961-3170972; FIN-65101, Finland

------------------------------

Date: Tue, 23 Jan 1996 14:35:55 -0500 (EST)
From: Evan Rosenbaum
Subject: Re: Virus Scanner for E-Mail Attachment??
X-Digest: Volume 9 : Issue 9

Vesselin Bontchev writes:
>Jim Jepson writes:
>> Does anyone know of a product that will scan uuencoded (or mime)
>> attachments on internet (SMTP) e-mail messages??
>
>A company called Integralis is supposed to sell something like that; a
>product called MIMEsweeper. AFAIK, it uses third-party scanners to
>scan the e-mail (cc:Mail) message before you download them. I have
>never seen it but according to the information in "Virus Bulletin",
>you can contact David Guyatt for more information.

I seem to recall reading about this in the last couple of weeks. It
might have been in InfoWorld. The writeup said that MIMEsweeper
automatically decodes all attachments and uses a user provided AV
program (i.e. F-PROT or NAV) to examine the resulting file. If a
virus was detected, the file would be segregated and the user would be
notified, I think.

------------------------------

Date: Tue, 23 Jan 1996 07:02:13 -0500 (EST)
From: Zvi Netiv
Subject: Re: Can a computer get a virus from the internet?
X-Digest: Volume 9 : Issue 9

dmr20a50 <"D Rose"@u.cc.utah.edu> wrote:

> I am using the Dial up Networking with WIN95 to connect my PC to an
> university account. Can a virus infect a computer by downloading image
> files, sound files, and other types of files from Web sites?
> Can you get
> a virus just by going to a Web site? If so, will an anti-virus program
> detect it?

Although it may look the contrary, the Internet is safer than buying
software from the store, from the standpoint of virus integrity!

First, viruses are contracted only by running an infected program.
This includes booting from a boot-infected floppy, as boot infections
are not transferred via the net, unless you downloaded a dropper -
which is very unlikely. Image and sound files are not programs, they
are data, and thus will not replicate, which is how an infection
starts spreading in a newly infected machine.

It's possible of course to download an infected file from the Internet
to your hard disk but nothing will happen until you actually run the
infected program. Therefore, scan every new download with a quality
scanner. There is no need to do it online while downloading, it can be
done safely afterward. Since web-antiviral are based on the same
principles as their offline equivalent then they suffer from the same
susceptibility to false alarms, and it's bad enough the way it is
right now. It will only get worse with time because of the constantly
increasing number of viruses (8000+ at this date).

Something users usually ignore: Only DOS file infectors constitute a
threat. There are practically no real Windows application infectors
and since most Internet programs run as such then the possibility to
infect this way is very unlikely.

I know I'll be jumped on with the inevitable question about the macro
viruses. To protect yourself from these, associate the *.doc filespec
in your net browser with the Microsoft's free Word Viewer instead with
Winword. What is there to edit online in a Word doc? :-) Besides, the
macro viruses is a localized issue, not a general one.

And lastly, software on the Internet is open to the scrutiny of many
eyes. This means that unintentionally infected software is noticed
pretty fast and can be replaced in minutes.
Compare this to software from stores, where you have to rely sometimes
on the competence in virus matters of a single individual at the
production end, or worse, the software could have been infected in the
store, or returned infected by a careless user, repacked and sold to
you!

Get an up-to-date scanner, use it for offline screening of software,
install generic antivirus and use it for online protection and don't
worry about viruses, from the Internet or else.

Regards, Zvi Netiv
.......................................................................
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
Developer & Producer of InVircible Web page: http://invircible.com/
E-mail: netz@actcom.co.il netz@invircible.com Compuserve: 76702,3423
Ftp sites: ftp.datasrv.co.il/pub/usr/netz/ ftp.invircible.com/invircible/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Tue, 23 Jan 1996 04:10:31 -0500 (EST)
From: Al Kimel
Subject: What are the best Integrity Checkers?
X-Digest: Volume 9 : Issue 9

While a number of comparative evaluations of scanners are available,
one notes an absence of comparative evaluations of integrity checkers.
If a competent someone were to ever do such an evaluation, they would
be doing all of us a real service.

In the meantime, I'd be interested in hearing people's opinions, with
the why's and whynot's. TIA.

Al Kimel

------------------------------

Date: Tue, 23 Jan 1996 23:59:54 -0500 (EST)
From: Ted Rollheiser
Subject: zingo day arrives virus??
X-Digest: Volume 9 : Issue 9

Does anyone have any information about a virus one of the effects of
which is the appearance of the words "zingo day arrives" during the
booting process ?

------------------------------

Date: Wed, 24 Jan 1996 00:07:05 -0500 (EST)
From: Sudhir.Ostwal@giasmd01.vsnl.net.in
Subject: Tech. Info.
X-Digest: Volume 9 : Issue 9

I am a programmer in C++, from where I can get technical and program
details of viruses so that I can write a vaccine for that

------------------------------

Date: Wed, 24 Jan 1996 00:07:00 -0500 (EST)
From: "Thomas F. Hosmer Sr."
Subject: Shareware beasties
X-Digest: Volume 9 : Issue 9

I have been lurking and learning for some time now and thanks to some
of the posts I have read have been able to detect and remove one virus
from my system and am still learning from you guys.

I have one question that's been bothering me. Like many others who
have an affinity for the web I like trying shareware. Usually only
keeping one out of a couple of dozen, deleting the rest. The other day
some one told me many of the shareware programs I deleted left small
programs hidden on my hard drives keeping track to make sure I never
use them for more than the allotted shareware time.

My question is this: If there are little programs hidden, running
always checking to see if the program is reinstalled could these have
a negative effect on one's system, like a virus? I recently
reformatted my "C" drive because I seemed to be running a little
slower and had a little less memory than I thought I should. I scanned
for viruses with 3 programs and they showed a clean system, memory,
boot sector, files etc. Is it possible an accumulation of these small
shareware leftovers could have caused the problem.

I hope this question is appropriate to this group and look forward to
your responses. Thanks for all the info I've already gleaned from this
group.

Thomas Hosmer (thosmer@epix.net)

------------------------------

Date: Wed, 24 Jan 1996 02:24:40 -0500 (EST)
From: Big Dog
Subject: There is no escape from the worst virus ever!
X-Digest: Volume 9 : Issue 9

I am so horrified that I can barely type. This venomous virus is
immense! It actually has to use over 20 floppies as its host to
transfer all of its destructive power.
The real kicker is how people are unknowingly lining up to get their
hands on this monstrosity. They pay real money, purposefully continue
to feed in the floppies until the beast is unleashed within their
machine.

I have heard that this virus is so lumbersome that it cannot do any
damage unless you get all the floppies in your machine and run the
harmless looking executable. When this horrible entity gets into your
machine, it changes things so much that no tech support jock in the
world can help you without simply putting a shotgun to your head.

Don't worry about what this virus is called, you'll find out soon
enough. When you do find out, tell the tech support guys that William
G. sent you

[Moderator's note: I probably wouldn't "normally" post this, but faced
with the prospect of having to upgrade to and support this software at
work, it appealed...]

------------------------------

Date: Wed, 24 Jan 1996 04:28:15 -0500 (EST)
From: "Mikko H. Hypponen"
Subject: Re: Virus Database
X-Digest: Volume 9 : Issue 9

Pube (i951636@redgum.bendigo.latrobe.edu.au) wrote:

> Can anyone point me to a good database of all known virus, with
> descriptions and such.

I've had a look at the virus information databases in the World Wide
Web, and I think our own database is the most extensive one. It is
updated regularly, is quite accurate and covers most of the viruses
you would want to know about. Our database has been available on the
web since June, 1994.

For example, somebody else in the latest digest was searching
information on a virus which always crashed his machine after
midnight. He had no idea on the name of the virus, but a search on our
database with keywords 'midnight' and 'crash' found the description of
the B1 aka NYB virus, with the following paragraph:

   This virus will crash the machine if the hard disk is written to
   when the hour and minute fields of the system clock are zero (ie.
   right after midnight).
The virus description database is mirrored in USA and Europe for
faster access: choose either www.DataFellows.com or
www.Europe.DataFellows.com as your starting point.

Greetings,
MHH (one of the Webmasters at Data Fellows)
--
Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com
Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/

------------------------------

Date: Thu, 25 Jan 1996 07:37:13 -0500 (EST)
From: Hans Nellissen
Subject: Status of AV-Scanner for NOVELL Netware 4.1? (NW)
X-Digest: Volume 9 : Issue 9

Please can anyone post me the actual status of AV-Scanner for Novell
Netware 4.1, preferred public domain/shareware and where to get it?

With regards
Hans Nellissen
______________________________________________________________________
Philosophisches Institut        Email:dbphilos@uni-duesseldorf.de
Abt. Informationswissenschaft   Phone: ++49 211 81 14137
Heinrich-Heine-Universitaet     Fax : ++49 211 81 12917
40225 Duesseldorf Universitaetsstr. 1

------------------------------

Date: Wed, 24 Jan 1996 15:18:56 -0500 (EST)
From: Guy Pontecorvo
Subject: Antiviral software recommendations (MAC)
X-Digest: Volume 9 : Issue 9

I am new on this list and am looking for first hand recommendations
for antiviral software for Macintosh computers that can be run over a
network. I am mostly interested in your personal experience (how
comprehensive, ease of use, effectiveness) with virus detection
software products.

Thanks,
Guy pontecorvo
_________________________________________________________________________
Pacific Data Management, Inc.
Work: 408-283-5900 x34
55 South Market St., Suite 1410   FAX: 408-283-5903
San Jose, CA 95113                Home: 415-365-4444
E-Mail: guy@pdm-inc.com           Beeper: 408-787-7363
PDM WEB Page: http://www.pdm-inc.com
_________________________________________________________________________

------------------------------

Date: Tue, 23 Jan 1996 07:02:14 -0500 (EST)
From: Zvi Netiv
Subject: Re: Help with Word macro virus on network (MAC,WIN)
X-Digest: Volume 9 : Issue 9

Name wrote:

> The network that I am currently on has had an OVERWHELMING number of
> infections by the Wordmacro/Concept virus. Our department (Engineering
> Computer Services) has been looking for about 3 months now to find a
> solution to this growing problem. We thought we had a macro that would
> disinfect for us, but the Wordmacro virus just trashed it. Any
> suggestions/help you have for me would be greatly appreciated, as the
> users are starting to get a little upset with us.

To stop the creation of newly infected documents you need just to
clean and protect the NORMAL template, to prevent the crosslinking of
a macro virus to new docs.

Clean the NORMAL.DOT template(s) and change its attributes to read-
only so that it won't get modified. For a shared NORMAL template (in a
network), also remove the users' modify rights so that they cannot
change it back.

It's also possible to add in the login script a procedure that will
run a customized check whether the user's machine has a specific
protection in place and reject the login if the logging user does not
qualify. We have done such things for high security users, here. It
can be as simple as batch style "IF NOT EXIST etc... " to writing your
own dedicated little program.

We also found that monitoring the templates' integrity is effective in
preventing reinfection. Take a look at appendix G in InVircible's
online manual, you may find additional ideas there. Available from the
sites in my sig.
Regards, Zvi Netiv
.......................................................................
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
Developer & Producer of InVircible Web page: http://invircible.com/
E-mail: netz@actcom.co.il netz@invircible.com Compuserve: 76702,3423
Ftp sites: ftp.datasrv.co.il/pub/usr/netz/ ftp.invircible.com/invircible/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Tue, 23 Jan 1996 15:04:55 -0500 (EST)
From: "Jacob Windy So, aka Su Ya Ge, or So Nga Kok"
Subject: Re: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 9

Jeff Weyenberg wrote:

> Has anyone found a good Virus Scanner for Windows95?
>
> [This would seem to be the question of the moment--Moderator.]

YES!!! You can download it from http://www.mcafee.com/

--
Jacob (Jacob-So@UIowa.edu) (http://www2.giant.net/people/windy/)

------------------------------

Date: Tue, 23 Jan 1996 18:29:46 -0500 (EST)
From: Khufu
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 9

Marcelo Medina wrote:
>
> Can anyone suggest me a good anti-virus for win95? Marcelo

McAfee's VirusScan95, version 2.0 available from
"http//www.windows95.com"

Good luck, Ron V

------------------------------

Date: Wed, 24 Jan 1996 16:26:35 -0500 (EST)
From: Neil Allen
Subject: Re: Virus checking in Win95 ?? (WIN95)
X-Digest: Volume 9 : Issue 9

George Wenzel wrote:

>Firstly, DO NOT use MSAV, which comes with Windows 3.11. It is
>essentially useless.

What about the "verify integrity" feature of MSAV? I realise MSAV has
a poor reputation - I am currently using F-PROT - however, is there an
optimum way of combining the two - perhaps using F-PROT for the scan
and the VIRSTOP feature, and MSAV for the integrity check - or is MSAV
so bad it's not worth bothering with at all?

Thanks for any advice.

--
Neil D. Allen nallen@micronet.fr

[Moderator's note: There are many reasons to not use MSAV.
Read the FAQ (the v2 one!) and find the pointers to some of the
technical reviews of MSAV.]

------------------------------

Date: Tue, 23 Jan 1996 15:01:29 -0500 (EST)
From: macondo@terraport.com
Subject: "REMEMBER THE BIKE TEAM" virus (WIN)
X-Digest: Volume 9 : Issue 9

Anyone come across this virus which seems to temporarily lock up your
screen and display "REMEMBER THE BIKE TEAM" (WINDOWS)

Origin and method of cleanup would be asking too much, but if you
can...

Many thanks for your response.

------------------------------

Date: Tue, 23 Jan 1996 23:21:10 -0500 (EST)
From: Jim McGrady
Subject: Windows based A: drive guardian? (WIN)
X-Digest: Volume 9 : Issue 9

Is there a freeware/shareware util for Windows that will check any
inserted floppy disk for viruses without scanning the hard drive ?

If there is nothing for Windows 3.1, is there a DOS TSR that would do
the same thing ?

Please reply via email

--
Jim McGrady jimm@fcs.wa.gov.au

------------------------------

Date: Tue, 23 Jan 1996 04:10:35 -0500 (EST)
From: "David A. Laatz"
Subject: ANTICMOS A / Boot Sector question (PC)
X-Digest: Volume 9 : Issue 9

I found a virus on a Toshiba portable running Windows 3.11. I
downloaded McAfee from the Net and cleaned the problem on the
portable. Now the floppies I used to move McAfee to the portable are
infected with the ANTICMOS A virus in the boot sector. McAfee cannot
seem to remove the virus. All it does is report the virus with no
actions taken. Are these disks permanently infected and of no use or
am I missing something. Any explanation would be of great help.

Thanks!

David A. Laatz
Information Systems Counsulting Group, Inc.

------------------------------

Date: Tue, 23 Jan 1996 07:02:16 -0500 (EST)
From: Zvi Netiv
Subject: Re: Need info on MONKEY_A virus (PC)
X-Digest: Volume 9 : Issue 9

"William R. Mangan, Jr." wrote:

> I recently ran across the virus MONKEY_A on several diskettes from
> another department.
> I was able to clean the virus (using McAfee
> VirusScan 2.2.9), but I can not find any information from VSUM 507 on
> this particular virus.

Monkey is one of the most prevalent boot-partition infectors. I
suppose you are interested in the damage caused by this virus. So, be
at rest, Monkey does not damage data or programs and once removed from
disks and floppies there is nothing to be concerned about anymore.

Among the peculiarities of Monkey it's worth mentioning the following:
Monkey uses stealth, it affects the master partition sector of all the
installed hard drives (quite many machines have two IDE, and SCSI can
be chained with more than two), yet most problematic about Monkey is
that when infected, you cannot access the hard drives from external
(floppy) booting.

Oh, almost forgot to mention that FDISK/MBR will remove Monkey alright
...together with removing access to the hard drive. So, don't even try
it!

Most modern antivirals can remove Monkey safely, our own IV even does
it without needing to boot clean (if you have an IDE drive). ;) There
are a couple of programs dedicated to handle Monkey. A good one is
KILLMNK3 by Tim Martin (get from SimTel) and there is my own, XMonkey,
available from our sites below. Both are free.

Regards, Zvi Netiv
.......................................................................
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
Developer & Producer of InVircible Web page: http://invircible.com/
E-mail: netz@actcom.co.il netz@invircible.com Compuserve: 76702,3423
Ftp sites: ftp.datasrv.co.il/pub/usr/netz/ ftp.invircible.com/invircible/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Tue, 23 Jan 1996 07:02:11 -0500 (EST)
From: Zvi Netiv
Subject: Re: Need help: AntiEXE virus (PC)
X-Digest: Volume 9 : Issue 9

Networking wrote:

> If anyone has any info on how to get rid of this one, I'd appreciate
> it.
> It affects the boot sector and the Norton Virual Protector
> crashes on me.

Freezing the system on finding a virus in memory isn't such a good
idea, as you can see. NAV expects that you boot clean your machine
before disinfecting AntiEXE. If you have a clean boot floppy then boot
from it and use NAV from your hard disk to disinfect.

A couple of methods how to disinfect AntiEXE from a hard drive without
booting clean:

1. Use this one only if you are sure that it's AntiEXE (and not
Monkey, for example), you are running DOS 5 or later or Win95,
exclusively (no OS/2 Boot Manager).

Press F5 when starting DOS (F8 in case you run Win95) to bypass the
config.sys and autoexec and prevent NAV from locking your machine.
When at the C: prompt, change to the DOS directory and run FDISK/MBR,
then reboot normally.

Although AntiEXE is a stealth boot-partition infector, it stealthes
only the read function of interrupt 13h (used for reading and writing
to disk sectors), but not the write function. Useful to remember,
since AntiEXE is probably the most prevalent virus now. ;)

When done with the infection on the hard drive, you may wish to
replace your antivirus to a less aggressive one. A virus in your
computer isn't the end of the world and not worth too drastic
measures.

2. Download InVircible from one of the sites in my signature, run
IVINIT and follow instructions. It will remove the virus
automatically.

[Moderator's note: Zvi--didn't you forget to mention this only works
if you have a "standard IDE" adaptor/hard-drive combination?]

Don't forget checking all floppies, some are surely infected. FixBoot
from the IV package processes floppies automatically, in batch. It
will even preserve bootability of your boot floppies, Win 95
inclusive.

Regards, Zvi Netiv
.......................................................................
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
Developer & Producer of InVircible Web page: http://invircible.com/
E-mail: netz@actcom.co.il netz@invircible.com Compuserve: 76702,3423
Ftp sites: ftp.datasrv.co.il/pub/usr/netz/ ftp.invircible.com/invircible/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Tue, 23 Jan 1996 13:48:35 -0500 (EST)
From: Had 25
Subject: telecom 2 virus (PC)
X-Digest: Volume 9 : Issue 9

While using the virus scan feature in Winzip, I came across an
infection of the telecom 2 virus. I tried to eliminate it with McAfee
windows program but the virus didn't show up and isn't on the list
included with it. How serious is it and what the heck should I do
about it?

------------------------------

Date: Tue, 23 Jan 1996 08:42:10 -0500 (EST)
From: Bruce Peck
Subject: Is this a virus? (PC)
X-Digest: Volume 9 : Issue 9

An administrator at a remote site in my company reported these
conditions on some of her PCs and cannot find evidence of a virus by
using the latest versions of Norton, McAfee, F-Prot, and Thunderbyte.

In a population of about 50 PCs on a Novell network, 5 or 6 of them
will on occasion have trouble booting with the result being a screen
full of random ascii characters and the PC locks. A hard boot is
required and may take 2 or 3 tries to successfully boot. The problem
may not surface on this PC again for several weeks or even a month or
two. The PCs are all Compaq but are different models and were
purchased at different times. These symptoms did not appear all at
once. First it was only one PC and then others began showing this
problem over about a year's time.

Could this be some sort of virus? Is there another technique we should
use to help determine what this is?

Bruce_Peck@aici.com

------------------------------

Date: Tue, 23 Jan 1996 07:13:56 -0500 (EST)
From: "S.
Widlake"
Subject: Re: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 9

In article <0021.01I094E1DXW0OK8IBB@csc.canterbury.ac.nz> "Shankland,
David B RV" writes:

>We have an installation of over 1500 PCs on Novell file servers, and
>are having difficulty installing F-PROT for Windows (V 2.19a.1) and
>Dynamic Virus Protection (DVP--runs in background under Windows) with
>a pilot group of engineers. Each PC is configured somewhat
>differently, and the PC users have said that they cannot install these
>products without memory contention, system hangs, and random reboots.

We have got lots of PC's (and other computers too) and required an
anti-virus product that could be made available to all of the PC
users. We decided to go for F-Prot and tried to register the
_shareware_ version for all of our PC's. Nope - Frisk Software in
Iceland said that registration wasn't available in the .UK and we must
purchase the "pro" version from a local distributor. All of a sudden,
the price shoots up - ten fold - but we get "more" for our money...
^^^^^^^^ [ Another post tomorrow, perhaps ]

F-Prot for DOS and VIRSTOP - PLUS a toolkit for windoze with Dynamic
Virus Protection and something called Gatekeeper.

The point is that:

1) We didn't want all of this additional stuff.

2) It made windoze much more unstable (and slower). [ You might have
guessed that I'm not a great fan of windoze but everyone and his dog
uses it. ] Removing all of this extra stuff made most of these
problems just go away.

3) When I tested it with a REAL infectious nasty it just didn't work !
It was supposed to provide active protection against all(?) known
viruses including polymorphic ones - although we have never even seen
one of those - but it failed a much more simple test and let a known
virus straight through.

[ Snip ]

>Is there any way to ensure that PC users have, first of all, installed
>F-PROT for Windows, and secondly, that they are using/running Dynamic
>Virus Protection (DVP)?
We have been unable to determine how the >utilization can be required and enforced. >What have other large companies done with F-PROT for Windows and DVP? >Is there any logging that monitors this situation? Pass - But for my 37p worth I'd just say that you probably don't really need these extras. The windoze interface looks quite nice, though a bit over complicated for the average user, but viruses are in general a BIOS/DOS problem and the first thing that gets affected is often windoze - it simply won't start ;-) The only thing that's missing is perhaps a windoze routine that "intercepts" VIRSTOP's "let's-scramble-the-screen-whenever-it encounters-a-BIOS/DOS-virus" function and instead pop up a real windoze alert box. Anyway, F-PROT [ without the "pro" stuff ] get's my vote as the second best (and still the cheapest) single anti-virus package. >Your input will be appreciated. Really ? Glad to see that this group is at long last back on-line - many thanks to the moderators old and new - though am already rather disappointed with the amount of junk being posted... [Moderator's note: I'm working on it... Right now I'm still battling some very odd, persistent bounces. Hopefully by the end of this week I'll have all my mechanisms in place for dealing with submissions that are FAQs...] Say, how's about spitting the group into comp.virus - moderated just to discard "harmful" posts - and "comp.virus.tech" for just the more technical discussions for Vess. et. al. Just a thought. [Moderator's note: Should we call this "technical" list Vesselin-L?? 8-) ] S.;-) D1I - -- sig II Found and Restored ... ------------------------------ Date: Tue, 23 Jan 1996 06:19:45 -0500 (EST) From: Bill Moblin Subject: TBWEEDER - A duplicate file checker (PC) X-Digest: Volume 9 : Issue 9 I'm looking for a program called TBWEEDER, a duplicate file checking utility - it's written by the same people who produce ThunderByte Anti-Virus, so I figured this would be a good place to ask about it. 
If you have any information on where I might find a copy of this program let me know...

Please cc: bmoblin@moblin.iexpress.com when responding to this message because I don't follow this newsgroup regularly...

Thanks!
Bill

------------------------------

Date: Tue, 23 Jan 1996 07:02:09 -0500 (EST)
From: Zvi Netiv
Subject: Re: Disk/file corruption virus related? (PC)
X-Digest: Volume 9 : Issue 9

Paul Kiar wrote:

> we currently are having problems with a virus at our high school
> it trashes win.com to 143 bytes, renames directories, trashes boot files,
> beeps and displays ascii and suddenly clears the screen at boot up. All
> of these things happen randomly and it has infected about 20 computers.
> Most of the virus checkers I have tried I downloaded straight from the
> internet in the past few days and they cannot detect or remove it.

Insufficient information to give you a meaningful diagnosis. Download InVircible from one of our sites or from our Website (below), install it to the affected machines and tell us what it finds when running spontaneously. A detailed analysis will follow, with guidance how to proceed.

Regards, Zvi Netiv
.......................................................................
NetZ Computing Ltd, Israel
Voice: +972 3 532 4563   Fax +972 3 532 5325
Developer & Producer of InVircible
Web page: http://invircible.com/
E-mail: netz@actcom.co.il  netz@invircible.com
Compuserve: 76702,3423
Ftp sites: ftp.datasrv.co.il/pub/usr/netz/  ftp.invircible.com/invircible/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Tue, 23 Jan 1996 12:02:12 -0500 (EST)
From: Steven Hoke
Subject: Re: Need info on MONKEY_A virus (PC)
X-Digest: Volume 9 : Issue 9

William R. Mangan, Jr. wrote:
>
> I recently ran across the virus MONKEY_A on several diskettes from
> another department. I was able to clean the virus (using McAfee
> VirusScan 2.2.9), but I can not find any information from VSUM 507 on
> this particular virus.
>
> If anyone has any information concerning this virus, please email me at
> mangan@chplab.chp.edu

I would get a copy of F-Prot (the current version is 2.21). Besides being free for personal use, and very reasonable for corporate licensing (which sounds like you would need, being a systems analyst), it has a very good description of Monkey, and various ways it can be removed in the Virus/Information section of the program.

- - - -==Steve==--
shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Tue, 23 Jan 1996 15:53:25 -0500 (EST)
From: "Siew y. Lim"
Subject: RE: VET as an anti-bugger (PC)
X-Digest: Volume 9 : Issue 9

well ... my 2-cents on Vet ...

> a) Know anything really good about it (eg you've tried it and it's
> great)

IMHO it's a very good antivirus prog. I would rate it on par with f-prot and dr. solomon ... not that i know a lot of anti-virus prog before. It's fast. And can iden most of the virus i've got ... my friends who have used it constantly recommends it to me. It's from an Australian Company.

> b) Know anything really bad about it (eg. you've tried it and it's
> stuffed up your system)

Nope, haven't met any problem before and none from my friends who are also using this antivirus sw.

> c) Know the latest version number

Can't help you there .. i myself do not have the latest one. I am not a regis user. And am now using f-prot.

[ I wanna use this opportunity to THANK Frisk for making it available
  My utmost Thanks! *bow* It's GREAT! ]

I do however have some stats on Vet ... they are :-

              In Wild   Boot Sector   Standard   Polymorphic
VET V7.825    95.2%     100%          98.3%      98.6%

The stats are quoted from Jan 1995 issue of a UK Virus Bulletin Mag

It was the top rater of the list BUT both F-prot and Dr. Solomon Antivirus TK wasn't IN the list i had ... so i dunno which fared better.
[ Note: I don't know how accurate the stats are and they are released by Cybec ... so ... ]

PS: by the way, anyone wanna help me on some news posting knowhow ? How do i directly post a news from tin (UNIX) ? what i am currently doing now is copy a post ... type my reply .... then use Pnews ... which isn't convenient at all since i have to add in the '>' and misc stuff. Any help greatly appreciated. thanks! :)

PS2: A question. If i was able to SAVE my MBR into a file ... and upon detecting a MBR virus ... if i BOOT from clean disk ... then load back MBR info from file ... will that do the job ? OR do i still have to use an antivirus to clean virus from HD ? I was assuming since virus (MBR) writes itself unto original place of MBR won't be writing back the original MBR erases the virus ?

If the above doesn't work ... does it mean that IF one don't have a antivirus that can handle a particular MBR virus ... THEY can never remove the virus ?

Oh ya! i remember in the FAQ i came across using FDISK /(something) that can help in this situation. Is this a foolproof plan ? If i use this option, will everything in my HD stay the same (no data loss)

[Moderator's note: Re-read the FAQ and read it -carefully-. The FDISK "trick" is -far- from foolproof.]

Sorry for asking sooo many questions ... i have little knowledge in this kind of stuff. Thanks for any help!

Yours CLAMPfully,
LSY the seeker of knowledge

------------------------------

Date: Tue, 23 Jan 1996 16:04:52 -0500 (EST)
From: Mikal Ziane
Subject: Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
X-Digest: Volume 9 : Issue 9

Thanx to all who emailed me about the free virus scanners. Please do not answer any more.
(for some reason I can't cancel the original article)

[Does "moderated group" mean anything to you?--Moderator]

Mikal

------------------------------

Date: Tue, 23 Jan 1996 19:18:29 -0500 (EST)
From: Mike Ashcraft
Subject: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 9

Someone (from UNISYS I think) asked how to force everyone to run some type of active tsr type virus protection on DOS machines.

In a Novell environment you can put it in the System login script. Some users may figure out how to get around it but most will end up running it on every reboot. This is what we have been using for the past few years. We have been able to prevent infection in this manner. All PC's were configured to automatically connect to the server, run scan, load vshield and then login. This caught lots of viruses that came in on diskettes from clients. We also prevented them from skipping these steps by putting windows on the server instead of locally. As long as they had a local swap file performance was still good. I haven't tried this with WIN95.

Other than that, you could use some CMOS type protection and then password the CMOS so they can't turn it off. But this can be compromised as well. If users have physical access to their machine they can do just about anything.

- -
Mike Ashcraft, Network Engineer
Ameritech Library Services
msa@amlibs.com

------------------------------

Date: Wed, 24 Jan 1996 02:23:40 -0500 (EST)
From: Roland Geier
Subject: parity boot b? (PC)
X-Digest: Volume 9 : Issue 9

A friend of mine discovered a virus named "parity boot b" on his system. Does anybody know the effects of this species?

- --
Roland.

- --
Roland Geier                  Phone: ++49 (851) 509-3107
Universitaet Passau, GER      Fax : ++49 (851) 509-3102
Lehrstuhl Prof. Dr. Donner    geier@forwiss.uni-passau.de
D-94032 Passau                http://www.uni-passau.de/~geier/

------------------------------

Date: Wed, 24 Jan 1996 03:45:34 -0500 (EST)
From: David Savill
Subject: EXE_BUGD -bad news- (PC)
X-Digest: Volume 9 : Issue 9

I'm writing to warn about a variation of EXE_BUG D or W-BOOT virus (I'm not sure which). It infects the boot sector if you boot with the infected disk in the drive (otherwise dormant). At the time I was using F-PROT 2.19a and it did not pick it up at all!!! After infecting the boot sector I found it screwing up the disk drives (if it was detected). And it seemed to stop F-PROT from fixing it.

Those using drive overlays watch out, this little bugger seems to only be gone if you format the boot sector (sometimes it still survives that.)

For more info on what it does mail me and i'll tell you.

Mousebender =:)

------------------------------

Date: Wed, 24 Jan 1996 09:27:53 -0500 (EST)
From: George NG
Subject: Re: Need help: AntiEXE virus (PC)
X-Digest: Volume 9 : Issue 9

You can remove it with McAfee Antivirus software with the /BOOT /CLEAN option. This should remove the virus from your harddisk.

------------------------------

Date: Wed, 24 Jan 1996 10:56:37 -0500 (EST)
From: JAMES ERIC BREWSTER
Subject: Re: McAfee upgrades? (PC)
X-Digest: Volume 9 : Issue 9

On 21 Jan 1996, Chengi J. Kuo wrote:

> I too would appreciate hearing what people actually do, as I am
> pretty close to this process. :-)
>
> But my official statement is, download the DAT only ZIP. Use it.
> Read the WHATSNEW.TXT to decide if you feel that the changes to
> the executable affect you before downloading any of the complete
> packages.

I usually download the DAT files....except that one time when the files were changed so much that I had to download a new version of VSHIELD. If there are no other surprises, I'll continue to get those DAT files as fast as they come out.
:)

Eric

------------------------------

Date: Wed, 24 Jan 1996 14:13:48 -0500 (EST)
From: Shane Coursen
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 9

In article <0003.01HZYA48QBV6OK6LW4@csc.canterbury.ac.nz>, donnegan@world.std.com says...
>
>Is there any single anti-virus package that's regarded as head and
>shoulders above the rest? I've used McAfee and am trying Thunderbyte
>and am just wondering what other packages are around that are
>considered good. Not too interested in Norton.
>
[snip]

If anybody says their package is better than everybody else's you can pretty much ignore their claims. I do not believe that you can get a solid answer here.

There are just as many good AV packages as there are not-so-good AV packages, but you will find that each will have its strengths and weaknesses. You may also find that, depending on mfg. location, each package may detect a different number of viruses. This is not necessarily because the package is any better or any worse than its overseas counterpart; it usually is because the overseas counterpart may not have access to the same sample base.

I could go on, but instead I'll make a suggestion...Pick up some different magazines that have performed independent reviews of the various AV packages. Pay close attention to how the review was performed, as the methods are not all equal (many are downright flawed!.)

- -
Shane Coursen                 Symantec Corporation
Computer Virus Researcher     http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center     CIS: GO SYMWIN
scoursen@symantec.com              GO SYMNEW
US Support: 541-465-8420      AOL: SYMANTEC
European Support: 31-71-353-111
Australian Support: 61-2-879-6577

------------------------------

Date: Wed, 24 Jan 1996 17:38:53 -0500 (EST)
From: Wayne Riddle
Subject: Re: Mysterious hidden files. Virus? (PC)
X-Digest: Volume 9 : Issue 9

Mark Saison Gibson wrote:

>Is this a virus? And if so, what can I do about it? Please be patient
>with me because I am something of a newbie as far as PCs are concerned.

Download one of the anti-virus programs available on the net. http://www.nha.com has links to many shareware/freeware anti-virus programs. You might want to take a look at ThunderBYTE, Dr. Solomon's, AVP, or F-Prot.

Wayne Riddle
riddler@megalink.net

[Moderator's note: Dr. Solly's product is not free/shareware, though recently they've been making time-limited "free to evaluate" copies of a part of their entire suite of AV products available.]

------------------------------

Date: Wed, 24 Jan 1996 20:02:19 -0500 (EST)
From: psterling@i2020.net
Subject: Re: Mutagen Virus found on CD (PC)
X-Digest: Volume 9 : Issue 9

In article <0034.01I0AAP9YODQOK8IBB@csc.canterbury.ac.nz>, writes:
>
> >> I received a Cd for christmas titled "When Two Worlds War". When I
> >> started to run it Norton Anti-Virus told me one of the files contained
> >> the mutagen Virus. I checked the CD twice and everytime I get the same
> >> warning.
> >
> This is a false-ID. We've repaired the signature, so next month's
> update will not false-ID.

It's nice to see that symantec takes more of an interest than Sierra does in its product. Even if it was a false alarm they could have let me know.

------------------------------

Date: Wed, 24 Jan 1996 22:21:42 -0500 (EST)
From: Richard Bodor
Subject: RE: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 9

>From: "Shankland, David B RV"

Portions snipped for brevity

> Part of my dilemma is that we are required by
>ISO-9000 auditors to have automatic virus detection on all PCs. To
>quote the audit finding: "Need for automatic virus detection to be
>installed and maintained on all machines in a controlled way."

I found (in our own ISO-9001 audits) that Diskette Control could be provided by installing a low cost (previously owned) unit available for each department (or at key locations eg. Front Lobby).
Running on this device is a trusted scanner (in our case - F-Prot). All employees are to scan diskettes brought in or carried out of the building. All alarms are recorded in a log and documentation provided. We have not had an infection from our engineering department since - and the auditors were satisfied.

This should only be a problem if your engineers are bringing executables into the building - a questionable practice.

Bottom line - ISO-9001 is a DOCUMENTATION issue. Whomever provided your audit should be questioned about this aspect. I have asked our own auditors, and they insist that this should not be part of ISO audit results.

I guess that doesn't help much, but

>Is there any way to ensure that PC users have, first of all, installed
>F-PROT for Windows, and secondly, that they are using/running Dynamic
>Virus Protection (DVP)? We have been unable to determine how the
>utilization can be required and enforced.

Following the above preventative method, submit the software to a responsible person. Our engineering department has some control over software purchases (we don't want 40 different word processors), and it is a small step to have the software checked before it's installed on a machine. The need for each machine in a 1500 networked environment to run a background scanner is excessive.

>What have other large companies done with F-PROT for Windows and DVP?
>Is there any logging that monitors this situation?

In our environment, a sheet is filled out for each diskette that is scanned (only about 1 or 2 a week) with the date and the results of the scan. No gestapo tactics (shucks) and we've successfully passed several audits.

Good luck with your project

A blissful leap into eternity

[Moderator's note: I meant to say earlier, the original poster should look in the fine FAQ for this list/group, as it covers some of these issues and talks about protection policies.
A possible solution that obviates the need for general workstation scanners may be to look into "disk net" technologies.]

------------------------------

Date: Wed, 24 Jan 1996 22:23:44 -0500 (EST)
From: TGrant
Subject: Re: anti-cmos.a (PC)
X-Digest: Volume 9 : Issue 9

Rick Conners wrote:

>Does anyone have any info on a virus of this name (or something like it)?
>If so, please send me E-Mail (rconners@interaccess.com).

I just discovered today that two of our computers at work had the Anticmos A Virus. We removed the problem with McAfee Virus Scanner.

------------------------------

Date: Wed, 24 Jan 1996 22:26:01 -0500 (EST)
From: "Jeoffrey D. Regino"
Subject: What does SHZ do? (PC)
X-Digest: Volume 9 : Issue 9

My computer (PC) is infected by this SHZ virus. I have tried to run several scanners but they just can't seem to remove it. I just want to know if a) it can do any damage to my PC. And if it can, b) what does it do and c) how could I get rid of it?

********************************
*      Jeoffrey R. Regino      *
* jregino@zeus.engg.upd.edu.ph *
********************************

------------------------------

Date: Thu, 25 Jan 1996 04:12:26 -0500 (EST)
From: Ginger Haskins
Subject: HELP (PC)
X-Digest: Volume 9 : Issue 9

I need assistance identifying a virus. Any help would be appreciated.

While doing an install to my hard drive NAV alerted me that something was attempting to write to the diskette. This was at a point in the installation that nothing should have been writing to the diskette. After the installation failed (it was Windows 3.1) I started investigating. I have the following information:

When I boot from a diskette and try to access the C drive I get Invalid Drive. I've tried this with 3 different boot diskettes.

FDISK reports a 126 meg. non dos partition on the hard drive. I actually have an 850 meg HD with a DOS partition.

When I download EXE files from the Internet they grow by about 25-33 Kb on my hard drive. TXT files are fine.
Other than that, the hard drive boots up fine and all programs are running but logic tells me that I can't ignore these warnings.

I have a good deal of experience with viruses and computers. I'm trying to get the latest update files for NAV but, obviously, can't use my computer to download them. I tried calling the Symantec BBS today and got no answer. Maybe someone has another number I can dial in on or knows another BBS to download from. I need to get the files from a BBS as I don't have access to another PC that's set up to dial into the Internet.

Since I cannot boot from diskette I am prepared to remove the non-DOS partition and reinstall but I need to identify the virus before I do so in order to check my diskettes before reinstalling.

If anyone can identify this virus or give suggestions on how to obtain a virus software with recent updates from a BBS, I would really appreciate it.

Please e-mail - GHaskins@ix.netcom.com

Thanks,
Ginger Haskins

[Moderator's note: You clearly have an MBR virus and one that "diddles" your partition table in some way. Whatever you do, DO NOT try the FDISK /MBR "fix" that many idiots blithely recommend for any suspected MBR infection. Best option is to find an alternative BBS or Net access machine and get your NAV updates and/or d/l a freeware or shareware scanner. Another option would be to purchase another good commercial.]

------------------------------

Date: Thu, 25 Jan 1996 06:26:11 -0500 (EST)
From: Keh Ngen Fatt Raymond
Subject: Re: DH2 Virus (PC)
X-Digest: Volume 9 : Issue 9

:Stranded (sysop@thomson.po.my) wrote:
: Can anyone tell me how to kill
:DH2??? and it infect Win95 files?

Pkzip all the infected files using recursive subdirectory option booting up from a clean hard disk and Unzip it again. I think it will infect win95 files as well.

Raymond Keh

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 9]
****************************************
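
Added example, not part of the digest or of any poster's message: two items above turn on the MBR, the question about saving the MBR to a file and writing it back, and the moderator's note about an MBR virus that alters the partition table. The sketch below compares a saved MBR sector with the current one region by region. It assumes the standard PC layout (446 bytes of loader code, four 16-byte partition entries, a 55 AA signature) and that a loader-only repair leaves the on-disk partition table untouched; all function names and sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 446)     # loader code area
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = slice(510, 512)   # must hold 55 AA

def parse_partitions(sector):
    """Decode the four partition entries of a 512-byte MBR sector."""
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        entries.append({"slot": slot, "status": sector[off],
                        "type": sector[off + 4],
                        "lba_start": lba_start, "sectors": count})
    return entries

def table_problems(sector, disk_sectors):
    """List reasons the partition table is implausible (empty list = plausible)."""
    problems = []
    if sector[SIGNATURE] != b"\x55\xaa":
        problems.append("missing 55 AA signature")
    used = [e for e in parse_partitions(sector) if e["type"] != 0]
    if not used:
        problems.append("no partition entries in use")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            problems.append(f"slot {e['slot']}: bad status byte")
        if e["lba_start"] == 0 or e["lba_start"] + e["sectors"] > disk_sectors:
            problems.append(f"slot {e['slot']}: implausible extent")
    return problems

def compare_mbr(saved, current, disk_sectors):
    """Say which MBR regions differ from the backup and which repair can work."""
    if len(saved) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    code_changed = saved[BOOT_CODE] != current[BOOT_CODE]
    table_changed = saved[PART_TABLE] != current[PART_TABLE]
    current_problems = table_problems(current, disk_sectors)
    return {
        "boot_code_changed": code_changed,
        "partition_table_changed": table_changed,
        "current_table_problems": current_problems,
        # Replacing only the loader keeps the table that is on disk now, so it
        # is enough only if that table still matches the known-good copy.
        "loader_only_repair_enough": code_changed and not table_changed
                                     and not current_problems,
        # Writing the whole saved sector back is only as good as the backup.
        "backup_usable": not table_problems(saved, disk_sectors),
    }

def make_sector(code_byte, entry=None):
    """Build a constructed 512-byte sector; entry = (status, type, lba, count)."""
    sector = bytearray([code_byte]) * 446 + bytearray(66)
    if entry is not None:
        status, ptype, lba, count = entry
        struct.pack_into("<B3xB3xII", sector, 446, status, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed sample data, not taken from any real disk.
DISK_SECTORS = 1_660_000                                      # roughly an 850 MB drive
SAVED = make_sector(0x90, (0x80, 0x06, 63, 1_659_000))        # known-good backup
LOADER_ONLY = make_sector(0xCC, (0x80, 0x06, 63, 1_659_000))  # only the loader differs
TABLE_ALTERED = make_sector(0xCC, (0x00, 0x7F, 63, 258_048))  # plausible, but not the saved table
TABLE_WIPED = make_sector(0xCC)                               # no entries left

if __name__ == "__main__":
    for name, cur in [("loader only", LOADER_ONLY), ("table altered", TABLE_ALTERED),
                      ("table wiped", TABLE_WIPED)]:
        print(name, compare_mbr(SAVED, cur, DISK_SECTORS))
```

The "table altered" case passes every plausibility check and is caught only by comparison with the saved copy, which is why a backup of the whole sector tells you more than an inspection of the current one.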