VIRUS-L Digest   Monday, 5 Feb 1996   Volume 9 : Issue 14

Today's Topics:

A Virus found, can anyone identify? (PC)
Re: SMILING virus, help please. (PC?)
Re: Monkey B / Monkey 2 (PC)
B1 virus - what else can it do ? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Help with Natas virus (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Re: TB1 Virus (PC)
MtE Virus (PC)
Re: SMILING virus, help please. (PC?)
Re: SMILING virus, help please. (PC?)
Re: KOH in Mainstream Press (PC)
Re: Anti-CMOS Virus? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
Re: TB1 Virus (PC)
Re: Virus:MONKEY_B + FORM_A (PC)
Re: Mysterious hidden files. Virus? (PC)
Re: B1 virus? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: Info about Form-A (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Re: Anti-CMOS Virus? (PC)
Re: Monkey B / Monkey 2 (PC)
Re: I LOVE (PC)
Re: KEEPER-LEMMING (PC)
Re: SMILING virus, help please. (PC?)
Re: KOH in Mainstream Press (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Mutagen Stealth Boot Virus? (PC)
NAtas Virus (PC)
SUSPECTED VIRUS FOR WordPerfect? (PC)
Re: Need help: AntiEXE virus (PC)
Re: Info about Form-A (PC)
Ripper and NYB (PC)
Re: Need info on MONKEY_A virus (PC)
Help with Stoned.empire.monkey (PC)
MTE COFEESHOP Virus (PC)
Chinese Fish virus (PC)
Help...Is this a virus? (PC)
69 Virus (PC)
Re: Anti-CMOS Virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CS.UCR.EDU. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 29 Jan 1996 17:35:32 -0500 (EST)
From: Jurgen Schwietering
Subject: A Virus found, can anyone identify? (PC)
X-Digest: Volume 9 : Issue 14

I've encountered a problem with a possible virus on a portable PC (of a friend). It was activated today (29 Jan 96) and already in the past on 29 Oct 95. (The computer hasn't been used on 29.11; this is sure because there is a programme which keeps track of use of the computer; on 29.12 it was used without any damage.) One floppy used by the person had the Bye virus on it (F-PROT from 1.96 found it), but it's not on the machine itself, because the virus destroyed the boot sector and some directories. So I'm not sure if it has been the BYE virus or an unknown species.

Destroying data is done by changing some bytes in the disk pages:

Space --> $
S --> T
H --> L
A --> E
R --> V
K --> O
C --> G
B --> F
I --> M
P --> T
S --> W
P --> T

Maybe it's a case, but recombining some letters gives SHARK, ...

Does someone know a programme which identifies this virus? Please inform me by email: tweety@torino.alpcom.it

Thanks a lot
Jurgen

------------------------------

Date: Mon, 29 Jan 1996 20:54:25 -0500 (EST)
From: MR HENRI J DELGER
Subject: Re: SMILING virus, help please. (PC?)

> I ran a file "laugh.exe" that I downloaded as "piss.zip" from a binaries
> newsgroup and it printed on my screen "Your partition table is now
> infected with the smiling virus".
> I ran the file from a floppy disk, so
> is that virus on the hard drive? Is it real? How do I get rid of it?

I'm updating my previous reply, for two reasons. First, I believe we're going to see more posts relating to this particular virus, because the person above is correct. A "LAUGH.EXE" file (a Trojan horse "dropper" program), which contains the virus known as Smile, or Yesmile.5504, was evidently posted to at least one alt.binaries.* newsgroup. Secondly, some current anti-virus software is unable to detect this virus correctly and/or to remove it.

The virus infects EXE and COM files (including Command.com) and also infects the Master Boot Record (MBR) of hard disks. It is also stealth, thus able to conceal its changes to files and the MBR while in memory, and can produce a shrill laughing sound.

One way to get rid of it is (of course) to power down and re-boot from an UNinfected system boot diskette. F-Prot 2.21 can be used to remove the virus from files; it does a perfect job, as far as I can tell. However, F-Prot 2.21 cannot remove this virus from the MBR, so one alternative is to use FDISK /MBR for that.

The usual caveat applies: FDISK /MBR is an undocumented DOS command, available in DOS5 and up. It rewrites the Master Boot Record code in the first sector of the hard disk, without affecting the hard disk's partition table data, also contained there. This command will not do any harm ordinarily (=if= you are able to access the hard disk normally, after booting from a bootable disk). =HOWEVER= IF you canNOT access the hard disk after so doing, do NOT use FDISK /MBR.

Once the virus is confirmed by a further scan as no longer being on the hard disk, check for the virus on diskettes, in backups, and in compressed files, etc., and don't forget to delete the downloaded file mentioned above, which started it all.
Regards,
Henri Delger
http://pages.prodigy.com/X/W/A/XWWC29A
email: henri_delger@prodigy.com

------------------------------

Date: Mon, 29 Jan 1996 21:24:53 -0500 (EST)
From: "Paul E. Sullivan"
Subject: Re: Monkey B / Monkey 2 (PC)

Neeraj Murarka wrote:
>
> Hi. I have the Monkey B / Monkey 2 Virus on my Hard Drive. How can I
> clean it off? The scanners all quit when I run them, saying that I should
> boot off a clean system disk, and then rerun the virus scanner to clean
> off the virus. But the problem is, this virus, when on a Hard Drive, will
> not allow the Hard Drive to be accessed when you use a clean boot disk.
> So how do you get rid of the virus? The McAfee documentation says that
> the virus is removable. This is a boot sector virus. How do I get rid of
> it!?!?! Help!

You should put your McAfee s/w on a floppy disk as well, preferably on the clean system disk you have if there's room enough. I had a similar virus (boot sector) and McAfee would not allow the anti-virus s/w on the hard drive to be accessed. When I ran it off a floppy after booting with a clean system disk, the virus was successfully removed.

Good Luck.

------------------------------

Date: Mon, 29 Jan 1996 22:37:39 -0500 (EST)
From: netnews@ix.netcom.com
Subject: B1 virus - what else can it do ? (PC)

My computer had the B1 virus. I read on a website that one of the symptoms was the read/write head on the floppy drive being sent back and forth very fast, causing a loud 'banging' noise. Well, I had this problem but it was on my hard drive. At midnight, if the hard drive was being written to, my computer would lock up and the hard drive would start 'banging'. I had several diskettes infected also, one of which was left in the floppy drive on a reboot, therefore infecting the hard drive.

I'm just wondering how common or rare it is to infect the hard drive boot sector, and has anyone ever heard their hard drive "knock"? It's not fun!
YYZ.@ix.netcom.com
R.K. McSwain

------------------------------

Date: Tue, 30 Jan 1996 03:56:34 -0500 (EST)
From: "Chengi J. Kuo"
Subject: Re: How to remove "Ekaterin" virus ? (PC)

Takashi Hirano writes:

>A virus, "Ekaterin", was detected on the two PC of our section by IBMAV
>software.
>
>We tried to remove the virus but failed.
>
>Does anyone know how to remove the virus, "Ekaterin".?
>Any information would be appreciated.

This goes by the CARO name of Russian_Flag (and I think it's .A). Just get an update to any of the AV programs. It's at least half a year old and, as far as I know, all the big names remove it just fine.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 04:00:54 -0500 (EST)
From: "Chengi J. Kuo"
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)

Koen Van de Velde writes:

>I'm just wondering if this is all normal.
>
>This week I found the Form-A virus on one of my floppies,
>as you can read in my previous posting.
>I wanted to be sure that none of the computers are infected,
>I started checking them with two different virus-scanners:
> - McAfee Scan 2.2.9 (01-96)
> - F-Prot v 2.20
>
>Here's what happens: First I load f-prot and scan my hard-disk,
>then I close it again and run the mcAfee-scan. This one stops
>with the following message :

[snip: Scan's message indicating traces of VCL found in memory]

>So I did reboot my computer and re-run the McAfee Scan ...
>It didn't find anything. I run the f-prot again, without scanning
>anything, just start the menu and close it again.
>When I now run the McAfee scan, it displays the above message again,
>telling me there is a VCL-virus in my computer.

A string which catches a lot of VCL viruses is being used by SCAN. For some reason F-Prot 2.20 was leaving this sequence of code in memory after it exited. Frisk and I sat together, looked it over, and F-Prot 2.21 doesn't have that problem any more.
Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 06:54:37 -0500 (EST)
From: CHAN KWANG MIEN
Subject: Help with Natas virus (PC)

Recently my hard disk was infected by the Natas virus. Does anyone out there know the method to get rid of this virus? Pls help. Thank you.

Kwang Mien
-- 
Fri, 04 Aug'95, 01:47:27AM

------------------------------

Date: Tue, 30 Jan 1996 07:00:52 -0500 (EST)
From: Fridrik Skulason
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)

In <0031.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz> Koen Van de Velde writes:

>I'm just wondering if this is all normal.

Well, it is a false alarm, reported by Scan....I guess some people would call that normal :-)

What happened was that SCAN picked up a piece of code in F-PROT which has nothing to do with VCL...and incorrectly "identified" it. Although this was not really our problem, we fixed it in 2.21, simply by swapping two lines in the program code.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Tue, 30 Jan 1996 07:03:02 -0500 (EST)
From: Fridrik Skulason
Subject: Re: TB1 Virus (PC)

In <0032.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz> Ron Bombard writes:

>Anyone have any info about the TB1 virus?

TB1 is not the standard name of any virus....if this was found in just a single file, it was probably a false alarm.

-frisk

------------------------------

Date: Tue, 30 Jan 1996 09:13:54 -0500 (EST)
From: Robert Selby
Subject: MtE Virus (PC)

Using F-Prot 221, I have found the MtE virus on a computer disk I was preparing to send to over 100 other users. What is the MtE virus and what does it do?
How do I get rid of it?

[Moderator's note: MtE is not a virus, per se, but a polymorphic encryption engine that can be linked into a virus. If a scanner only reports detecting MtE it most likely means that you have found a new MtE-based virus. As MtE is only the encryption engine, the effects of the virus are unknown to the scanner/disinfector, so it most likely cannot be disinfected. Contact your local agent or F-PROT's authors and discuss this further with them.]

------------------------------

Date: Tue, 30 Jan 1996 10:56:54 -0500 (EST)
From: "M.Torr"
Subject: Re: SMILING virus, help please. (PC?)

I would think that running this file from floppy disk would have had no real effect on your hard drive (unless the virus specifically searches for the FAT table on the hard drive, which I do not believe it does). Running it from floppy was the best thing you could have done :

[Moderator's note: This contradicts the usually very reliable Henri Delger's information, posted earlier. I'm not sure I share Mark's confidence in this...]

A note for the future is to be very careful what you download from outside sources, since many viruses are released by placing them in areas as shareware or small utilities.

[I agree with the caution, but question "many"--do you mean "10 ever", "10 per year", "10 a month"? -- Moderator.]

Mark.

------------------------------

Date: Tue, 30 Jan 1996 14:51:32 -0500 (EST)
From: Lee Brown
Subject: Re: SMILING virus, help please. (PC?)

On 29 Jan 1996 12:25:47 -0000 , bsw@cris.com wrote:

>I ran a file "laugh.exe" that I downloaded as "piss.zip" from a binaries
>newsgroup and it printed on my screen "Your partition table is now
>infected with the smiling virus". I ran the file from a floppy disk, so
>is that virus on the hard drive? Is it real? How do I get rid of it?

Ouch!!!

Firstly, you should never execute anything without checking it with a virus scanner.
You don't need to pay for a top of the range virus scanner; you can get freeware ones from the net.

Okay, now I did a bit of a search on the Smiley virus and this is what I came up with:-

SMILEY.1983 is not in the field, but it could be in the future. It is somewhat infectious, and results in moderate damage (disk trashing). COM and EXE files are infected. The virus has a memory-resident payload. It has minimum stealth capability. This virus is not encrypted. The virus plays tricks with the screen.

So what this is saying is that the virus has not been sighted for a long time - so it looks like you are one of the first to reintroduce it back into the computer world.

You must now check any disks you used during the infection, make sure they are not infected, and if they are, get rid of them!! If you do not, then you will be passing this virus to your friends and other people who use your disks :(

As I said, don't panic!! Most of the damage done these days is not by the virus itself but by the user panicking!! Be calm and download a virus scanner, trial version or freeware, then follow the instructions carefully. Or check out my other thread that I responded to and follow the same procedures!!

Regards.

*********************************
lee.brown@ukonline.co.uk
*********************************

------------------------------

Date: Tue, 30 Jan 1996 16:30:57 -0500 (EST)
From: Doug Muth
Subject: Re: KOH in Mainstream Press (PC)

In article <0008.01I0LP9POC0OPCQYD3@csc.canterbury.ac.nz>, Tom Simondi writes:

: Boardwatch Magazine, January 1996 issue, pg 78 published a very
: favorable article about the KOH virus ("The Other Side of Computer
: Viruses" by Wallace Wang). A few random short quotes:

: Wang goes on to then describe the KOH virus in glowing terms as
: the savior of data from prying eyes the world over: "The KOH
: virus insures that all of your data is protected, not just the files
: you remember to encrypt."
: And, then goes on to describe how
: harmless it is ("...buy the actual assembler source code and make
: sure...") and where to get it.

Oh man, just what we need, another moron who thinks that a virus has to be used instead of a non-replicating program. Hasn't he ever heard of PGP at all?

: The fun part comes when Wang says all sysops should use KOH to
: protect their computers because the United Nations "...might break
: down your door one day and haul your computer away...."

Again, that's what most of us tend to use PGP for. :-)

: If you run a help desk and your users read this article and actually
: install KOH, expect your calls to go way high. While KOH has
: interesting properties, if someone forgets their password you have
: real problems; and if the virus is allowed to move from machine to
: machine, you can have worse problems. Despite what the article says,
: KOH is dangerous, if for no other reason than people simply won't
: read the documentation that comes with it. Your corporate data is
: at risk if you let this beast loose. Take it from one who actually
: ran it for several months just to see. It was not as benign and
: "user friendly" as this article would have you believe.

This is just as bad as the case of that company that allowed Yankee Doodle to have free run of their systems so that "the song reminds employees of quitting time". It seems to me that the only people who want to RELY on replicating based applications are those who are too lazy or too stupid to install software on their own.

Regards,

-- 
Finger dmuth@oasis.ot.com for PGP public key and geek code
Anti-virus software and utils: ~dmuth/virus/virus.html
The Transformers fanfiction: ~dmuth/tf/tf.html

------------------------------

Date: Tue, 30 Jan 1996 17:34:32 -0500 (EST)
From: "Chengi J. Kuo"
Subject: Re: Anti-CMOS Virus? (PC)

Simon Grant writes:

>My hard drive has just been diagnosed as being infected with an
>"Anti-CMOS" virus on it. I hadn't heard of this type of virus before,
>and McAfee couldn't even detect it.

The only issue with AntiCMOS I know about is where a couple of other products detect its presence on a floppy disk and we don't. It happens that we detect it just fine and that's a known false id scenario. What product did you use that said you had AntiCMOS?

>Can anyone tell me something about these things?

It spreads. It has code to mess with CMOS that never executes.

>Is it possible to recover the non-corrupted sections of my hd?

What corrupted sections? Please describe in more detail. Somehow I don't think it's related to AntiCMOS since AntiCMOS generally doesn't do that (other than the MBR). If it's just the MBR, you can FDISK /MBR. But as I was saying, I don't think this is your problem.

Jimmy
cjkuo@mcafee.com

[Moderator's note: Simon--don't be tempted to try FDISK /MBR -unless- you have read and understood the warnings about its use in the FAQ!!]

------------------------------

Date: Tue, 30 Jan 1996 14:47:05 -0500 (EST)
From: Lee Brown
Subject: Re: How to remove "Ekaterin" virus ? (PC)

On 29 Jan 1996 12:11:56 -0000 , Takashi Hirano wrote:

>A virus, "Ekaterin", was detected on the two PC of our section by IBMAV
>software.
>
>We tried to remove the virus but failed.

I'm probably teaching you to suck eggs here, but a good method I have found in the past is this:-

1. Find a clean (non-infected) boot disk.
2. Switch off the computer.
3. Place the disk into the drive.
4. Switch the computer back on.
5. Run a DOS-based virus scanner to check memory!!
What this does is stop the computer from booting from the C drive's boot sector, which is where the virus usually jumps back to when the computer is switched off. That's why it is important to put the boot disk into drive A after you've switched off and not before, or what will happen is that the virus will infect the boot sector of the A drive, and this will put you back to square one..

[Moderator's note: What Lee is describing is impossible, and shows an unfortunate lack of expertise -or- an overly strong desire to simplify things. Lee--how can a virus "jump back" to your boot sector (presumably "from memory") when your PC is switched off? By definition, if the PC is off, there is no power, so the virus can't be active or do anything. If you think it can detect that the power is going down, bad news--very few PCs have the necessary detection hardware for this, and the few that do are safe, because no viruses are known that target generally common UPS systems. What Lee is simplifying beyond recognition here is boot sector and/or MBR stealthing. Most of the rest of what Lee had to say needed to be taken with even more sodium chloride than this, so I've deleted it.

The moral of this?? People, there are "real experts" who read this list/group and there is a real possibility that misinformation posted here will seriously damage something. If you think you know an answer, think again before responding--this isn't kindergarten anymore and there are people with dozens, hundreds, and more, computers hanging on your possibly authoritative-sounding replies. Lee happens to have picked my particular area of expertise to get wrong--I don't know all about computer viruses though, so will sometimes post incorrect info that will hopefully be picked up by others, but if this is acted on in the meantime...]

------------------------------

Date: Tue, 30 Jan 1996 17:46:33 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)

> Well, ours (F-PROT) is free for individual use and costs one dollar
> per machine per year for corporate use ($0.75 for educational
> institutions). I guess that's cheap enough? :-)

It has been pointed out to me that the "one-dollar" registration policy is available only for the USA, Canada, Australia, South America, and the German-speaking countries of Europe. In the other countries the corporate users of our product must buy the Professional version. Individual users are still allowed to use the shareware version for free - all over the world.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland                producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 17:50:28 -0500 (EST)
From: "Chengi J. Kuo"
Subject: Re: TB1 Virus (PC)

Ron Bombard writes:

>Anyone have any info about the TB1 virus? We located it on one of our
>pc's during a virus scan when we first loaded the new Norton Antivirus
>program. It didn't have any info about it though. Just named and removed.

The "TB1 virus" is a corrupted file in a "reviewer's" test set (who shall remain nameless). It's a false id from NAV from one of their "summer '95" DAT sets.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 19:04:55 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Virus:MONKEY_B + FORM_A (PC)

Steve Glick writes:

> On a bootable floppy copy fdisk.exe. Boot from the floppy and
> enter the command "a:\fdisk /mbr" this undocumented option
> (/mbr) will rebuild the master boot record and hopefully get
> that monkey off your back. This has worked on other pcs but I
> have never tried this fix on a thinkpad. Note: /mbr will not
> wipe your harddisk.
> If this doesn't work try norton disk doctor from a bootable
> floppy. NDD will also rebuild a corrupted Master boot record.

First, as the moderator noted, using FDISK/MBR blindly is dangerous, as it can make your hard disk inaccessible and non-bootable.

Second, in the particular case of Monkey, it *will* make your disk inaccessible and non-bootable. Fortunately, KillMonk3 will fix that.

Third, the FDISK/MBR trick is COMPLETELY USELESS for removing a DOS Boot Sector infector like Form.

Fourth, if Monkey + FDISK + user incompetence results in a trashed and inaccessible hard disk, NDD indeed will fix the problem - provided that the rest of the disk is a standard DOS partition. NDD happens to recognize DOS partitions by their DOS Boot Sectors. Unfortunately, when the Form virus infects the DBS, the latter stops looking like a DBS from the point of view of NDD, so the disaster is complete. At this point, the poor (l)user has to ask a virus-competent expert for help.

Regards,
Vesselin

------------------------------

Date: Tue, 30 Jan 1996 19:10:48 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Mysterious hidden files. Virus? (PC)

Doug Muth writes:

> : 1. There are 5 hidden files on the hard disk instead of the 2 one
> : would expect.
>
> Any file can be hidden with the ATTRIB command. Heck, even
> ThunderByte Anti-Virus creates hidden files with its integrity data in
> them.

However, then he would have had dozens of hidden files, not just five of them.
> Hmm...it sounds like system started formatting, and stopped
> shortly thereafter with a "track 0 bad" error, (am I correct here?), at
> that point, the disk should be unusable since it was not finished being
> formatted.

Actually, the formatting *is* finished - it is just the write operation of the boot sector, the FATs, and the root directory that has failed (any of them).

> : 4. When a floppy disk is used in the disk drive, a hidden file
> : subsequently is reported on the floppy by the chkdsk command.

> Hmmm...this could be a possible companion infector; a virus that
> creates hidden *.COM files with the same name as *.EXE files, the COMs
> will be executed first, thus activating the virus.

Nope, a companion virus wouldn't create a companion body on an empty disk with no EXEs on it.

> Might want to get a copy of F-Prot, a very easy to use scanner.

This is always good advice. :-) Besides, if he indeed has the virus I suspect (Byway), F-PROT will detect it.

Regards,
Vesselin

------------------------------

Date: Tue, 30 Jan 1996 19:15:05 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: B1 virus? (PC)

MR HENRI J DELGER writes:

> "General Failure" messages may occur, and disk utility programs can be
> deceived, reporting (erroneously) that the Boot Record is "invalid," that
> the Media Descriptor Byte is "incorrect," and that File Allocation Tables
> are corrupt. Unfortunately, correcting these non-existent errors will cause
> data loss.

Also, the virus will crash the system if a disk write is attempted around midnight.
Regards,
Vesselin

------------------------------

Date: Tue, 30 Jan 1996 19:21:58 -0500 (EST)
From: Shane Coursen
Subject: Re: How to remove "Ekaterin" virus ? (PC)

In article <0048.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>, hirano@ti.com says...
>
>A virus, "Ekaterin", was detected on the two PC of our section by IBMAV
>software.
>
>We tried to remove the virus but failed.

Ekaterin, also known as Slydell, Russian Flag, or Ekaterinburg, is a boot sector and master boot record virus. Its only known payload is to display a Russian flag on August 19th.

I am not sure if the IBMAV product can clean this virus, but according to Joe Wells (an IBMer), it should. Being that I am from Symantec, producer of Norton AntiVirus, I can say that NAV can both detect and clean. I suspect most other AV products will be able to as well. Russian Flag (what Norton calls it) has been reported in the wild for many months now.

If worst comes to worst, a manual repair may also be attempted (although it is not recommended). According to the information I have, the original MBR is saved at physical location 0,0,9.

-- 
Shane Coursen                  Symantec Corporation
Computer Virus Researcher      http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center      CIS: GO SYMWIN
scoursen@symantec.com               GO SYMNEW

------------------------------

Date: Tue, 30 Jan 1996 20:16:47 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Info about Form-A (PC)

Koen Van de Velde writes:

> It is a floppy that I use to boot new pc's and install the network
> software with. So I would expect that some of the PC's would be
> infected too, but 'till now I didn't find a thing.
Probably the disk got infected after the last time you booted from it. Such disks are very sensitive; you should keep it permanently write-protected.

> What I was wondering: is it possible for the Form-A virus to get on
> our network (Novell Netware 4.1, VLM-client software) and if so,
> how can I check/clean it ?

Form is a boot sector virus and, as such, is unable to spread across a network. However, if you attempt to boot the server from an infected floppy, the virus will infect its hard disk.

Regards,
Vesselin

------------------------------

Date: Tue, 30 Jan 1996 20:21:40 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)

Koen Van de Velde writes:

> I'm just wondering if this is all normal.

It is not.

> This week I found the Form-A virus on one of my floppies,
> as you can read in my previous posting.

This is irrelevant to your problem.

> I wanted to be sure that none of the computers are infected,
> I started checking them with two different virus-scanners:
> - McAfee Scan 2.2.9 (01-96)
> - F-Prot v 2.20

> Here's what happens: First I load f-prot and scan my hard-disk,
> then I close it again and run the mcAfee-scan. This one stops
> with the following message :
> <<<<<<
> Virus data file V9601 created 01/04/96 13:06:49
> Scanning memory for viruses 288KB
> Traces of VCL virus found in memory!

Yep. It was a known problem between F-PROT 2.20 and SCAN 2.2.7. I had the impression that McAfee had fixed it from their side. Guess not. Oh, well, we have fixed it from our side. Get version 2.21 of F-PROT and the problem will go away. It is not a virus; it is two programs confusing each other.
> Do I have an infected copy of f-prot Nope. > or is it just a conflict between > those to products that confuses me (or at least my computer). Yep. > Anywhay, > it means that some part of f-prot stays in memory after running ... > I'm wondering what that can be. One of the scan strings that SCAN uses to detect VCL is very short and happens to detect the part of our program which does the decryption of the VCL-encrypted viruses. It is not a scan string that is detected (F-PROT never leaves scan strings in memory unencrypted); it is part of F-PROT's code. We changed it in version 2.21. Regards, Vesselin - - Vesselin Vladimirov Bontchev, not speaking for FRISK Software International, Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT. e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274 PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E ------------------------------ Date: Tue, 30 Jan 1996 20:24:38 -0500 (EST) From: Vesselin Bontchev Subject: Re: Anti-CMOS Virus? (PC) X-Digest: Volume 9 : Issue 14 Simon Grant writes: > My hard drive has just been diagnosed as being infected with an > "Anti-CMOS" virus on it. I hadn't heard of this type of virus before, > and McAffee couldn't even detect it. McAfee's scanner does detect the AntiCMOS virus. If it didn't detect it on your machine - how do you know that you have this virus? > Can anyone tell me something about these things? Read the FAQ before asking such questions. Then find the description of the virus in one of the sources listed there. For instance, browse http://www.datafellows.com > Is it possible to recover the non-currupted sections of my hd? Yes. Regards, Vesselin - - Vesselin Vladimirov Bontchev, not speaking for FRISK Software International, Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT. 
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:34:08 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Monkey B / Monkey 2 (PC)
X-Digest: Volume 9 : Issue 14

Neeraj Murarka writes:

> Hi. I have the Monkey B / Monkey 2 Virus on my Hard Drive. How can I
> clean it off? The scanners all quit when I run them, saying that I should
> boot off a clean system disk, and then rerun the virus scanner to clean
> off the virus.

The scanners are right. This is precisely what you should do.

> But the problem is, this virus, when on a Hard Drive, will
> not allow the Hard Drive to be accessed when you use a clean boot disk.

This doesn't matter.

> So how do you get rid of the virus?

That depends on which particular scanner you use. If you use ours (F-PROT), then the proper command is

	f-prot /hard /disinf /auto

> The McAfee documentation says that
> the virus is removable.

It is.

> This is a boot sector virus.

Correct. It infects Master Boot Sectors on hard disks and DOS Boot Sectors on floppy disks.

> How do I get rid of
> it!?!?! Help!

See above.

> Thanks in advance!

You're welcome.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:35:05 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: I LOVE (PC)
X-Digest: Volume 9 : Issue 14

"A. Padgett Peterson, P.E. Information Security" writes:

> There used to be a boot sector infector like this (EMPIRE.C I think -
> was an early variation of the EMPIRE series).

No, Padgett, ILove is what F-PROT calls the Satria viruses. They have nothing to do with the Empire.In_Love variants.
:-) Ain't virus naming fun? :-))

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:39:25 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: KEEPER-LEMMING (PC)
X-Digest: Volume 9 : Issue 14

Peterjon writes:

> Please can someone provide me with info on this
> beast. Origin, mode of action etc.

For instance, see http://www.datafellows.com/v-descs/keeper.htm (See also the FAQ for other sources of virus information.)

> Is there an antidote ???

For instance, our scanner, F-PROT, can remove it. Most of the other good scanners - e.g., FindVirus, AVP, etc. - probably can remove it too, although I haven't tested this.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:42:27 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: SMILING virus, help please. (PC?)
X-Digest: Volume 9 : Issue 14

bsw@cris.com writes:

> I ran a file "laugh.exe" that I downloaded as "piss.zip" from a binaries
> newsgroup and it printed on my screen "Your partition table is now
> infected with the smiling virus". I ran the file from a floppy disk, so
> is that virus on the hard drive?

Yes, it is.

> Is it real?

Yes, it is.

> How do I get rid of it?

For instance, with an anti-virus program that can remove it. Obvious, huh?

> [Moderator's note: Related to the Smile or Yesmile virus mentioned in a
> few other recent posts?? Look for Henri Delger's explanatory post with
> "Subject: Re: Smile (PC)".]
It is *precisely* the virus which Henri Delger described.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:49:38 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: KOH in Mainstream Press (PC)
X-Digest: Volume 9 : Issue 14

Tom Simondi writes:

> Wang goes on to then describe the KOH virus in glowing terms as
> the savior of data from prying eyes the world over: "The KOH
> virus insures that all of your data is protected, not just the files
> you remember to encrypt."

How very useful, isn't it? Kinda what the One_Half virus does. And when you remove the virus - PUFF! - your data is not accessible any more. At least the One_Half encryption is weak and can sometimes be easily broken (finding the key is not a problem; the problem is finding the size of the encrypted area) - KOH uses IDEA, so you can forget any hopes to break the cypher.

> The fun part comes when Wang says all sysops should use KOH to
> protect their computers because the United Nations "...might break
> down your door one day and haul your computer away...."

Obviously, Mr. Wang is from the same journalistic school as the bozo who recently wrote in an English newspaper that PGP was written by a neo-Nazi sympathizer.

> If you run a help desk and your users read this article and actually
> install KOH, expect your calls to go way high. While KOH has
> interesting properties, if someone forgets their password you have
> real problems; and if the virus is allowed to move from machine to
> machine, you can have worse problems. Despite what the article says,
> KOH is dangerous, if for no other reason than people simply won't
> read the documentation that comes with it.
> Your corporate data is

Furthermore, it is damn slow, particularly if you leave the replication turned on. And, if you turn it off, you have just demonstrated that you don't need a virus to perform the functions that you need.

People who are interested in bulk disk encryption should get one of the free and secure packages on the net - SFS, SecureDevice, or SecureDrive.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 21:29:38 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 14

>A virus, "Ekaterin", was detected on the two PCs of our section by IBMAV
>software.

Hmmm.... I think IBMAV means Ekaterinburg.

Ekaterinburg

It's not a dangerous memory resident boot virus. On loading from an infected disk it copies itself into the Interrupt Vectors Table and hooks INT 13h. Then it writes itself into the boot sectors of floppy disks. The MBR (Partition Sector) of the hard drive is infected when loading from an infected floppy. Depending on the system timer value the virus erases the screen and waits for a keystroke. It contains the encrypted text string "Ekaterinburg."

Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA Distributor for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212
216-273-2820
Internet: info@command-hq.com        Compuserve: 102404,3654
FTP: ftp.command-hq.com /pub/command/avp        :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Tue, 30 Jan 1996 23:53:58 -0500 (EST)
From: "Raymond K. Johnson"
Subject: Mutagen Stealth Boot Virus? (PC)
X-Digest: Volume 9 : Issue 14

I have a question. Please forgive the "newbie" for asking stupid questions. I have unfortunately had no time to read the FAQ for this newsgroup and need some help. My ISP was dead in the water for a protracted period of time tonight.

I encountered a copy of stealth boot virus at a customer site. It seems to have a mutagen engine and I was wondering if this was possible? The virus encountered seems to be processor dependent. On a 486 INTEL processor it causes Windows load problems. On a Pentium processor it seems to be innocuous. On a 386 processor it seems to cause protected memory allocation errors. Have I found a new strain or am I chasing ghosts in the dark? I am afraid the customer in question has transmitted this virus throughout their world wide offices.

Thanks for the help in advance. Either post to this thread or email me at rayj@phoenix.net.

Raymond

------------------------------

Date: Wed, 31 Jan 1996 05:33:24 -0500 (EST)
From: CHAN KWANG MIEN
Subject: NAtas Virus (PC)
X-Digest: Volume 9 : Issue 14

Does anyone know how to kill Natas Virus?

Kwang Mien
- - 
Fri, 04 Aug'95, 01:47:27AM

------------------------------

Date: Thu, 01 Feb 1996 10:07:17 -0500 (EST)
From: David Crockett
Subject: SUSPECTED VIRUS FOR WordPerfect? (PC)
X-Digest: Volume 9 : Issue 14

I need help. Any suggestions would be appreciated. My computer in the lab and at home developed identical problems, which has led me to believe that I have been infected. My wife brought home from her office a copy of F-Prot. Unfortunately (or fortunately?) we did not detect a virus but I am still suspicious. Let me outline the problem. The exact same things happened on the two computers! What are the odds?

First, when attempting to launch WordPerfect, Quattro Pro and several other programs (Micrografx's Designer or Photomagic, SigmaPlot), the computer would report that it could not read drive C. DOS programs worked fine as well as some Windows based programs.
So I ran scandisk from DOS. Scandisk reported a problem with the FAT; it "fixed" it by truncating it.

Second, after running scandisk, Quattro Pro miraculously works, as well as most of the programs. However, WordPerfect will not launch, reporting that it can not find shwin20.dll. This is on both computers! Also, Micrografx's Photomagic does not launch on both computers and the same is true for SigmaPlot (from Jandell). The coincidence is just too unbelievable that two computers would develop a problem with the same portion of the FAT. The computers are two different brands and have different configurations.

Have you heard anything like this before? I do not know where the infection could have come from, but most likely through the WWW at work. If you have any suggestions, I would be forever in your debt.

**********************************************************
David Crockett, M.A., Ph.D.
Department of Neuroscience and Cell Biology
University of Medicine and Dentistry of New Jersey
Robert Wood Johnson Medical School
675 Hoes Lane
Piscataway, NJ 08854-5635
e-mail: crockett@umdnj.edu
Fax: 908-235-4029
Voice: 908-235-4522
***********************************************************

------------------------------

Date: Thu, 01 Feb 1996 11:47:46 -0500 (EST)
From: "Chengi J. Kuo"
Subject: Re: Need help: AntiEXE virus (PC)
X-Digest: Volume 9 : Issue 14

Michael Messuri writes:

>In article <0028.01I0AAP9YODQOK8IBB@csc.canterbury.ac.nz>, networking@aol.com says...
>>If anyone has any info on how to get rid of this one, I'd appreciate
>>it. It affects the boot sector and the Norton Virus Protector
>>crashes on me.

> To remove this virus from your system with NAV you will need to
>boot your system from a clean (virus free) system floppy disk {you
>will want to check your CMOS settings to verify the setting of your
>disk drives as this virus will make modifications to this area} and

AntiEXE is not AntiCMOS. And furthermore, AntiCMOS doesn't touch the CMOS either.
>then run NAV (this will prevent the virus from becoming memory
>resident). Once NAV is up and running, just perform a scan now of
>your hard drive and select the repair option when prompted.

Boot clean, run NAV, choose Repair. The extra words above are superfluous and sometimes in error.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 21:04:59 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 14

Koen Van de Velde writes:

> This week I found the Form-A virus on one of my boot-floppies.
> I immediately disinfected it with McAfee Scan 2.2.9 (01/96) and it
> seems to be clean now.
> It is a floppy that I use to boot new pc's and install the network
> software with. So I would expect that some of the PC's would be
> infected too, but 'till now I didn't find a thing.

Probably because the infection has occurred *after* the last time you used that floppy to boot from it. Such floppies are very sensitive and you should keep them write-protected anyway.

> What I was wondering: is it possible for the Form-A virus to get on
> our network (Novell Netware 4.1, VLM-client software) and if so,
> how can I check/clean it ?

It is a boot sector virus and cannot spread across a network. However, if you attempt to boot the server from an infected floppy, the virus will infect the server's hard disk.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland           producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Fri, 02 Feb 1996 01:45:02 -0500 (EST)
From: "Robert E. Hunter"
Subject: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 14

I have the Ripper and NYB on some diskettes and have yet to find an antivirus program that will clean it up.
I have Win95 and am currently using McAfee for Win95 but it will not clean either one. Help?

------------------------------

Date: Fri, 02 Feb 1996 02:08:31 -0500 (EST)
From: Steven Hoke
Subject: Re: Need info on MONKEY_A virus (PC)
X-Digest: Volume 9 : Issue 14

Vesselin Bontchev wrote:

> > I recently ran across the virus MONKEY_A on several diskettes from
> > another department. I was able to clean the virus (using McAfee
> > VirusScan 2.2.9), but I can not find any information from VSUM 507 on
> > this particular virus.
>
> That's kinda strange, but maybe the reason is because your version of
> VSUM is outdated. It is right there in version 9510. And full of
> inaccuracies, as usual.

Even more outdated than you thought. I've seen version 9512, although I don't recall what site it was on.

- - 
- -==Steve==--
shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Fri, 02 Feb 1996 03:07:16 -0500 (EST)
From: Peter
Subject: Help with Stoned.empire.monkey (PC)
X-Digest: Volume 9 : Issue 14

Help if you can...

I have an older 386SX25 AST Executive laptop. I had a Monkey_A and Monkey_B infection; after I cleaned them I had a Stoned.empire.monkey virus. I could not remove it leaving my files intact, so I ended up FDISKing my HD. I discovered 10 non-DOS partitions, which I removed. The HD works fine now, except I can't boot from it. I have to boot from a floppy.

Is it possible that the boot sector of the HD was permanently damaged by a virus? Even after several FDISKs? Did I do something wrong? Maybe my HD just chose a bad time to die. In my past experience though, if a HD dies, it is dead. Plain and simple. Mine works fine, with no probs, as long as I boot off a floppy. That is a real pain in the ass....

Thanks in advance for any help. Could responses be e-mailed to me? I don't get the chance to check on USENET a lot.
E-mail: pmaria@direct.ca

------------------------------

Date: Fri, 02 Feb 1996 07:20:49 -0500 (EST)
From: Sanjeev Bhutt
Subject: MTE COFEESHOP Virus (PC)
X-Digest: Volume 9 : Issue 14

I am in need of a virus remover for the MTE COFEESHOP virus. Is anyone out there able to help ?

Thanks.

------------------------------

Date: Fri, 02 Feb 1996 07:52:11 -0500 (EST)
From: Long Live PBS
Subject: Chinese Fish virus (PC)
X-Digest: Volume 9 : Issue 14

Anyone know about the "Chinese Fish virus" which attacked our PC this morning? Anything to scan this virus? Thanks in advance.

------------------------------

Date: Fri, 02 Feb 1996 11:01:25 -0500 (EST)
From: chi@bluefin.net
Subject: Help...Is this a virus? (PC)
X-Digest: Volume 9 : Issue 14

Today I turned on my computer and I received this message,

	CMOS Checksum Invalid
	Press Enter to Boot, Esc to run setup

I pressed Esc and the system continued to boot in the same way it has every day. Nothing has changed on my system between yesterday and today. Except I have been on the Internet.....

I ran McAfee Virus Scan 2.6 but nothing was found. Could this be a virus that McAfee isn't picking up? McAfee's home page isn't working apparently to get an upgrade. If so, what other Anti-Virus program would you suggest?

Thanks for your help.

[Moderator's note: It is most unlikely this is virus-related. I see dozens of machines a year with this "problem" and they are always either "just one of those things" or an early warning that the machine's CMOS battery is approaching the end of its life. There are viruses that tangle with your CMOS settings however, and you just may have contracted a new virus your scanner doesn't know about. If paranoid enough, find another scanner to check your system with.]

------------------------------

Date: Fri, 02 Feb 1996 12:41:40 -0500 (EST)
From: Christopher Hill
Subject: 69 Virus (PC)
X-Digest: Volume 9 : Issue 14

Recently I caught the 69 virus and wiped my hard-drive to get rid of it. What does it do?
What programmes get rid of it?

Chris
Tel: 01206 868634

[Moderator's note: Assuming this is the PC virus known as 69, it is probably better known as Sampo. I'll leave the experts to answer the other questions...]

------------------------------

Date: Fri, 02 Feb 1996 12:49:32 -0500 (EST)
From: Ken Stieers
Subject: Re: Anti-CMOS Virus? (PC)
X-Digest: Volume 9 : Issue 14

Anti-CMOS is a master boot record virus that versions 2.2 and above of McAfee should be able to detect and remove. Note, if you are using the Windows version this won't be able to find it. Since WSCAN doesn't scan memory, and ANTI-CMOS has stealth capabilities, it won't find it. Get the DOS version, cold boot the machine from a known clean bootable floppy and run SCAN C: /CLEAN.

Ken
- - 
Views expressed herein are not necessarily the views of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers              | Minneapolis - 1.800.872.2599         *
* AV Research/Apps. Eng.   | Los Angeles - 1.800.752.7557         *
* Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410    *
* Ontrack Data Recovery    | London - 0800 24 39 96               *
* Eden Prairie, MN         | Japan - 81.429.32-6365               *
*******************************************************************

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 14]
*****************************************
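Editor's added example, not part of the digest above and not code from FRISK or McAfee: Vesselin Bontchev's explanation of the F-PROT 2.20 / SCAN 2.2.7 collision (a very short VCL scan string that also matched F-PROT's own VCL-decryption code in memory) is a textbook signature false positive. The toy scanner below reproduces the effect on constructed data: every byte string, signature name, and the minimum-length threshold are made up for illustration and are not real virus, VCL, or scanner bytes. It also shows the check a signature author would run before release, namely scanning a corpus of known-clean images to catch scan strings that are too generic.

```python
# Added example (not from the VIRUS-L digest): why a very short scan string
# fires on another program's own code, and how to catch that before release.
# All bytes below are constructed for illustration only.

from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes


# Constructed 7-byte "decryptor loop" that a scanner's own decryption routine
# and a VCL-style sample could plausibly share (made-up bytes, not real code).
DECRYPT_LOOP = bytes.fromhex("8a0432c247e2fa")

# Constructed memory image of a clean scanner: padding, the shared loop,
# then data that looks nothing like a virus body.
CLEAN_SCANNER_IMAGE = (
    b"\x90" * 32 + DECRYPT_LOOP + b"SCANNER-DISINFECT-TABLES" + b"\x90" * 32
)

# Constructed VCL-style sample: the same loop followed by a distinctive
# (made-up) marker standing in for the encrypted body.
VCL_LIKE_SAMPLE = (
    b"\xe9\x10\x00" + DECRYPT_LOOP + bytes.fromhex("deadbeef0badc0de") + b"\x00" * 16
)

# A short signature built only from the shared loop (constructed name) ...
SHORT_SIG = Signature("VCL.short", DECRYPT_LOOP)
# ... and a longer one that also covers sample-specific bytes (constructed name).
LONG_SIG = Signature("VCL.long", DECRYPT_LOOP + bytes.fromhex("deadbeef"))

# Constructed policy: signatures shorter than this are flagged for review.
MIN_SIGNATURE_LEN = 10


def scan(image: bytes, signatures) -> list:
    """Return (signature name, offset) for every occurrence of every pattern."""
    hits = []
    for sig in signatures:
        start = 0
        while (idx := image.find(sig.pattern, start)) >= 0:
            hits.append((sig.name, idx))
            start = idx + 1
    return hits


def too_short(signatures, min_len: int = MIN_SIGNATURE_LEN) -> list:
    """Names of signatures below the minimum-length policy."""
    return [s.name for s in signatures if len(s.pattern) < min_len]


def false_positives(signatures, clean_corpus: dict) -> dict:
    """Map each signature name to the clean images it wrongly matches.

    This is the goodware check a new scan string should pass before it
    ships: a hit on anything known-clean means the string is too generic.
    """
    result = {}
    for sig in signatures:
        bad = [label for label, img in clean_corpus.items() if scan(img, [sig])]
        if bad:
            result[sig.name] = bad
    return result


if __name__ == "__main__":
    corpus = {"scanner-in-memory": CLEAN_SCANNER_IMAGE}
    print("short sig on clean scanner image:", scan(CLEAN_SCANNER_IMAGE, [SHORT_SIG]))
    print("long sig on clean scanner image: ", scan(CLEAN_SCANNER_IMAGE, [LONG_SIG]))
    print("long sig on VCL-like sample:     ", scan(VCL_LIKE_SAMPLE, [LONG_SIG]))
    print("signatures below length policy:  ", too_short([SHORT_SIG, LONG_SIG]))
    print("goodware-corpus false positives: ", false_positives([SHORT_SIG, LONG_SIG], corpus))
```

The short signature hits the clean scanner image at the offset of the shared loop, exactly the "traces of VCL virus found in memory" symptom reported in the digest, while the longer signature matches only the sample. The fix described in the thread was on the scanner side (F-PROT 2.21 changed its code); the false_positives() check is the complementary fix on the signature-author side.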