VIRUS-L Digest   Wednesday, 7 Feb 1996    Volume 9 : Issue 16

Today's Topics:

Not providing examples of Java viruses
Re: What are the best Integrity Checkers?
Re: virus damage to companies
Re: Viruses from the internet
Security Holes in Win NT? (NT)
Re: Netshield 2.2 abends 3.11 or 3.12 Server. (NW)
Re: Question: Linux viruses? (UNIX)
Re: Question: Linux viruses? (UNIX)
Re: Does OS/2 need special treatment? (OS/2)
Re: Does OS/2 need special treatment? (OS/2)
Re: Virus Checker for Macintosh (MAC)
Re: McAfee for protection (MAC)
When Harry met Sally Orgasm Scene Virus (MAC)
Macintosh - MBDF B & MBDF A/B (MAC)
Re: Virus Checker for Macintosh (MAC)
Re: McAfee for protection (MAC)
Re: Antiviral software recommendations (MAC)
Re: New Macintosh Virus??? (MAC)
Re: Virus Checker for Macintosh (MAC)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Word Macro Virus -- Help??? (MAC,WIN)
Re: Help with Word macro virus on network (MAC,WIN)
Re: a good Anti-Virus for Win95? (WIN95)
Re: Windows95 Virus Scanner (WIN95)
Win95 23.3 of 24MB memory allocated at startup?? (WIN95)
Re: a good Anti-Virus for Win95? (WIN95)
Re: Virus checking in Win95 ?? (WIN95)
Windows 95 and modem problems (WIN95)
Microsoft Registration Virus (WIN)
Ack! Newest NAV update causes serious lockups! (WIN)
McAfee VirusScan 2.2 Upgrade (WIN)
virus scanner recommendations for wfw3.11 (WIN)
"Kilroy was Here." (WIN)
mcafee problem (WIN)
Norton Antivirus Anygood? (WIN)
Phantom-1 (WIN)
Re: Wierd Virus report from F-PROT (PC)
Re: HD Corruption with Dr. Solomon's VirusGuard (PC)
V-SIGN (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Sun, 04 Feb 1996 12:01:22 -0500 (EST)
From: fc@all.net (Fred Cohen)
Subject: Not providing examples of Java viruses
X-Digest: Volume 9 : Issue 16

The reason I don't provide examples of Java viruses is that it is pretty dangerous to do so. I am especially astonished to see Vess seemingly ask me to give source to viruses out since he has long stood against the open disclosure of viruses.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

------------------------------

Date: Sun, 04 Feb 1996 14:18:02 -0500 (EST)
From: fc@all.net (Fred Cohen)
Subject: Re: What are the best Integrity Checkers?
X-Digest: Volume 9 : Issue 16

Fri, 02 Feb 1996 19:19:39 -0500 (EST) Robert Michael Slade Wrote:

>Al Kimel (akimel@awod.com) wrote:
>: While a number of comparative evaluations of scanners are available,
>: one notes an absence of comparative evaluations of integrity
>
>It is relatively easy to evaluate scanners: just get a good "zoo" and see
>how many viruses are identified by the respective products. (Maintaining a
>good "zoo", on the other hand, is the problem.) This is also easy for
>users to judge, since it gives a numerical rating.
>The numerical rating
>isn't always an indication of how good a given product *is*, but it's easy.

Really ???. I know at least one person who evaluates "scanners" and has a lot of problems trying to perform an impartial (unbiased) analysis. Add to this that You need to include many "types" of virus (polymorphic, common -may I call 'em traditionals ??-, companion, etc.). Then find all the versions -last updated in closer date each other- of the products that You will compare. To check all of this will demand a common person so much time. I was trying to perform some AV comparisons during this year (actually I'm leading a security team in a local University) and believe me that was not easy.

>Integrity checkers (or change detection software) and activity monitors
>are a lot harder to judge. I have done a number of detailed reviews (uh,
>Nick? :-), and try to assess the overall effectiveness of a given
>product, for a specific type of computer environment and type of user.
>
>[Moderator's note: I know, I know--before 10 February I'll have them all
>posted!]

Hey Moderator! that means that You'll release some comparison list about Integrity Checkers ???? :-)

[It means I'll have posted all the product reviews Rob has submitted... There is at least one whole digest's worth, though I haven't read them all yet--Moderator]

>My general recommendation for change detection software would be Integrity
>Master. It provides solid protection, different levels of protection,
>and excellent information to the user (particularly in setting the
>program up). It is available in a shareware version (I believe the
>filename is I_Mxxx.ZIP, where xxx is the version number) at better ftp
>and antiviral archive sites everywhere :-)

I agree. You have many different ways to configure IM (aka Integrity Master) depending on Your user profile or security level.
Actual version of Integrity Master is 2.60

If any person wants to know more about the product: http://delta.com/stille/stiller.htm

Kind regards
Ruben Arias

- ------------------------------------------------------------------------------
Ruben M. Arias
E-Mail: Ruben@RALP.Satlink.net
Buenos Aires - ARGENTINA
RALP - Computer Security - Virus
- ------------------------------------------------------------------------------

------------------------------

Date: Sun, 04 Feb 1996 12:54:50 -0500 (EST)
From: Iolo Davidson
Subject: Re: virus damage to companies
X-Digest: Volume 9 : Issue 16

In article <0003.01I0U823CEJ4PVGQEE@csc.canterbury.ac.nz> goretsky@netcom.com "Aryeh Goretsky" writes:

> Although not mentioned expressly, one other "cost" to be considered is
> the cost of goodwill and trust "spent" during (or after) a virus removal:
>
> After a day (or several days) of frantic virus removal, emotions are
> likely to run high. It may be possible that the organization which
> was infected may go on a "witch-hunt" to determine who is to "blame" for
> the virus incident. Accusations and tempers may flare as management
> tries to find an employee, vendor, or outside contractor who brought
> the virus in.
>
> The cost in terms of lost employee productivity and bruised business
> relationships from this is not always easy to calculate (nor is it
> always financial).

And this aspect of virus damage is never considered by those who make claims for "harmless" or even "beneficial" viruses. A company can get just as black an eye from an employee installing KOH or one of Rosenthal's test viruses as they will from an outbreak of any of the real viruses.
- -
NO LADY LIKES       ACCOMPANIED BY
TO DANCE            A PORCUPINE
OR DINE             Burma-Shave

------------------------------

Date: Sun, 04 Feb 1996 12:56:13 -0500 (EST)
From: Iolo Davidson
Subject: Re: Viruses from the internet
X-Digest: Volume 9 : Issue 16

In article <0017.01I0U823CEJ4PVGQEE@csc.canterbury.ac.nz> lee.brown@ukonline.co.uk "Lee Brown" writes:

> but the bonus with PC-Cillin is that it stops the files
> before they are even downloaded onto your pc. PC-Cillin is designed
> for the Internet and does not allow anything past your modem if it
> contains a virus :)

How can it examine anything without first loading it into memory?

- -
NO LADY LIKES       ACCOMPANIED BY
TO DANCE            A PORCUPINE
OR DINE             Burma-Shave

------------------------------

Date: Fri, 02 Feb 1996 11:49:46 -0500 (EST)
From: Lance Gomes
Subject: Security Holes in Win NT? (NT)
X-Digest: Volume 9 : Issue 16

Other than the holes in PERL 4 for NT, does anyone know of any other security holes that NT has, either in the OS or in specific applications?

Lance Gomes (NOT speaking for DCI)

- ---
Lance Gomes                          Internet Projects Manager
lanceg@dciexpo.com                   http://www.dciexpo.com/
Digital Consulting, Inc.             phn: (508)470-3870 xt423
204 Andover St., Andover, MA 01810   fax: (508)470-1992

------------------------------

Date: Thu, 01 Feb 1996 17:15:54 -0500 (EST)
From: Ken Stieers
Subject: Re: Netshield 2.2 abends 3.11 or 3.12 Server. (NW)
X-Digest: Volume 9 : Issue 16

This abend is caused by a bug in NWSNUT that Novell won't fix. When an NLM loads NWSNUT from a directory that doesn't have a search drive, it will abend. To fix this execute the following line before you load NetShield:

SEARCH ADD SYS:\SYSTEM\NETSHIELD

or whatever directory you have Netshield in.

This has been fixed in the latest release of Netshield. They do a search add to the directory that NETSHLD.NLM is loaded from before trying to load any support NLMs.

Ken

- -
Views expressed herein are not necessarily the views of Ontrack Computer Systems, Inc.
or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers              | Minneapolis      - 1.800.872.2599    *
* AV Research/Apps. Eng.   | Los Angeles      - 1.800.752.7557    *
* Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410    *
* Ontrack Data Recovery    | London           - 0800 24 39 96     *
* Eden Prairie, MN         | Japan            - 81.429.32-6365    *
*******************************************************************

------------------------------

Date: Sat, 03 Feb 1996 10:13:20 -0500 (EST)
From: Richard Brown
Subject: Re: Question: Linux viruses? (UNIX)
X-Digest: Volume 9 : Issue 16

Similar threads have in the past stated that there are no viruses for linux, and probably never would be. This is based on the convention that all GPL software must include source code, or make it available, which would allow the linux community to see the virus.

Of course if the programs are not GPL, this may not happen. There are commercial vendors who do not make their source code available, but it is unlikely that they would spread viruses if they intend to remain in business.

I'm not an expert on this, but it would seem easy to spread a virus by hiding it in a small simple library which is unlikely to be inspected before its dirty work is done. Of course the source code would not include the parts for the virus.

If I'm totally off base on this, please let me know. As for now, I am somewhat paranoid about viruses, and suspect that more things are possible than may occur in reality.

Richard

------------------------------

Date: Sat, 03 Feb 1996 16:42:38 -0500 (EST)
From: Doug Muth
Subject: Re: Question: Linux viruses? (UNIX)
X-Digest: Volume 9 : Issue 16

In article <0011.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Pete Radatti writes:

: All of the boot sector viruses will work. Additionally, many people
: configure Linux to directly execute ms-dos/windows 3.11 programs. Virus
: are just programs.
: If a ms-dos program will run on your Linux system then
: so will a ms-dos based virus.

However, Linux (AFAIK) runs each program within its own virtual machine using virtual mode. Therefore, when a program is terminated, so should all of the other processes spawned by it including viruses, no?

- -
- ------| Finger dmuth@oasis.ot.com for
- -----| PGP public key and geek code
Anti-virus software and utils: | The Transformers fanfiction:
~dmuth/virus/virus.html        | ~dmuth/tf/tf.html
"Piss off a government, practice civil disobedience TODAY!"

[Moderator's note: Most likely yes, but so what? File infectors will have gone out to disk and infected as many targets as they can find (which may be limited by Linux' security features...).]

------------------------------

Date: Thu, 01 Feb 1996 20:54:31 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Does OS/2 need special treatment? (OS/2)
X-Digest: Volume 9 : Issue 16

James Owens writes:

> I have an OS/2 system (DOS and OS/2 on one hard drive). If I boot
> from a DOS installation diskette and scan (from a scanner on the hard
> drive), does this do everything I need?

No. If the scanner on the hard disk has become infected, you will be running it with a virus active in the memory of the machine. Then all bets are off. If you want to be secure, run the scanner from a write-protected floppy.

> Or should I invest in OS/2
> scanning software?

It will add convenience, not security. But the added convenience is probably worth the money spent.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Fri, 02 Feb 1996 09:20:28 -0500 (EST)
From: Mike Taylor
Subject: Re: Does OS/2 need special treatment?
 (OS/2)
X-Digest: Volume 9 : Issue 16

James Owens wrote:

> I have an OS/2 system (DOS and OS/2 on one hard drive). If I boot
> from a DOS installation diskette and scan (from a scanner on the hard
> drive), does this do everything I need? Or should I invest in OS/2
> scanning software?

If you are only using the FAT file system, then you should be OK, however, I would advise that an OS/2 virus checker would be best. If you use HPFS file system then it is a must, but you also lose any features such as realtime checking of files etc that are possible in some packages.

Check out my home page for lists of sites, but the OS/2 ones that I know of are IBM AntiVirus, Dr Solomons and Sophos.

- -
Mike Taylor  mtaylor@bcs.org.uk  taylorm@it.postoffice.co.uk
Amber Seam Ltd. ( PC & Unix Consultancy )
Computer Security & Antivirus Advice & Consultancy
TEL:44(0)1246-214595  POSTLINE:5415 4595
Visit my homepage at : http://www.geocities.com/Paris/2203

------------------------------

Date: Tue, 30 Jan 1996 04:56:28 -0500 (EST)
From: Joerg Maass
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 16

One of the best is Disinfectant by John Norstad, a freeware product that runs on 680x0 macs as well as PowerMacs. Although it's freeware, it is one of the best virus checkers that you can get for the Mac. Check out Mac archives such as sumex-aim.stanford.edu for binaries.

John regularly updates Disinfectant as soon as new viruses appear (thanks, John!). Since the Macintosh is mostly used by responsible persons, the frequency of new viruses for it is very low (I HAD to include this evangelism :-).

Hope this helps

Josch

[Moderator's note: There are those who would counter that it is because Mac users are too simple to work out how to make viruses--having said it myself, I won't post any followups of that ilk!
8-) ]

------------------------------

Date: Tue, 30 Jan 1996 09:31:23 -0500 (EST)
From: Jeremy P Goldman
Subject: Re: McAfee for protection (MAC)
X-Digest: Volume 9 : Issue 16

In article <0018.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz> "Edward M. Sikorski" writes:

>I read somewhere that McAfee had commercialized Disinfectant. Is this
>correct? Will Disinfectant no longer be available/upgraded?

The word that I heard (from John Norstad, the author) is that McAfee has *licensed* Disinfectant. They will be distributing a version of it, but this will have no effect on the (quite excellent) free version of Disinfectant.

To summarize: Disinfectant is still free, will still be upgraded when new viruses are found, and in my opinion, still the best anti-virus program for the Mac.

(I have no connection to Northwestern or John Norstad, other than being a satisfied user of Disinfectant since version 1.2)

- Jeremy
- -
- Another message from Jeremy (Goljerp) Goldman: jpg@minerva.cis.yale.edu
- my web page, slowly but surely changing: http://minerva.cis.yale.edu/~jpg/
- Junk E-mail will not be appreciated, unless accompanied by $50 in cash.

------------------------------

Date: Wed, 31 Jan 1996 01:47:39 -0500 (EST)
From: Trenton Cladouhos
Subject: When Harry met Sally Orgasm Scene Virus (MAC)
X-Digest: Volume 9 : Issue 16

My Powerbook 540 seems to be infected with Meg Ryan's fake orgasm from the movie "When Harry Met Sally." Whenever the computer wakes from sleep, the audio portion of the scene starts as well. It may be causing some damage also as I am having some unexplained crashes and the Volume Info File (as noticed by Norton Utilities) is often incorrect.

Has anyone else heard of this virus? Disinfectant does not identify it.
Thanks

------------------------------

Date: Fri, 02 Feb 1996 02:22:00 -0500 (EST)
From: John Barrymore
Subject: Macintosh - MBDF B & MBDF A/B (MAC)
X-Digest: Volume 9 : Issue 16

I have come across 2 strains of the MBDF virus on Macintosh more than once each lately. One is MBDF B and the other is MBDF A/B. They both seem to infect the system, and other applications.

Does anyone have any information on these viruses?

- -
John Barrymore
jb@barrymore.com

[Moderator's note: The Macophiles I know seem to like Disinfectant's virus database...]

------------------------------

Date: Fri, 02 Feb 1996 11:30:55 -0500 (EST)
From: Michael
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 16

McAfee has recently put the Mac scanner on their ftp site. It's similar in looks and functions to Disinfectant which is shareware.

The ftp site is: FTP.MCAFEE.COM
The filename is: msc100e1.hqx
Self extracting file.

mpemberton@boeing.hq.nasa.gov

[Moderator's note: Disinfectant is freeware--maybe Michael means the McAfee product is shareware?]

------------------------------

Date: Fri, 02 Feb 1996 11:35:50 -0500 (EST)
From: Michael
Subject: Re: McAfee for protection (MAC)
X-Digest: Volume 9 : Issue 16

------------------------------

Date: Sat, 03 Feb 1996 13:06:59 -0500 (EST)
From: Joerg Erdei
Subject: Re: Antiviral software recommendations (MAC)
X-Digest: Volume 9 : Issue 16

Guy Pontecorvo wrote:

>I am new on this list and am looking for first hand
>recommendations for antiviral software for Macintosh
>computers that can be run over a network.
>
>I am mostly interested in your personal experience
>(how comprehensive, ease of use, effectiveness)
>with virus detection software products.
>
>Thanks,
>Guy Pontecorvo
>

There are two commercial packages that are able to give you some network protection: Virex and SAM (Symantec anti virus). SAM 4.0 has some problems with System 7.5.2 that is said to be solved with a free patch soon.
I have no experiences with these programs regarding networks, just know of reviews I read that they have some network-related features.

Joerg Erdei

------------------------------

Date: Sat, 03 Feb 1996 15:09:31 -0500 (EST)
From: Jan Schipmolder
Subject: Re: New Macintosh Virus??? (MAC)
X-Digest: Volume 9 : Issue 16

Robert Tilley (tilleyrw@digital.net) wrote:

: My machine has recently been "freezing" and beeping at random
: moments. I believe I am infected with an unknown virus that is

If not a virus, then maybe you need to run Norton Disk Doctor or Disk First Aid on it.

- -
jan b schipmolder
schip@lmsc.lockheed.com

------------------------------

Date: Sat, 03 Feb 1996 18:59:12 -0500 (EST)
From: Phillip Steck
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 16

He can buy a program from MAC WAREHOUSE called SAM that is made for the Mac. The same company that makes Norton Utilities for the Mac makes it. I think version 3.5 is the latest Mac version. There are also a lot of freeware and shareware virus protection programs for the Mac. Have him look at some of the Mac BBS's and FTP sites.

TTYL
Phil

------------------------------

Date: Thu, 01 Feb 1996 15:18:57 -0500 (EST)
From: Robert Michael Slade
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 16

Feng Chen (phys91@menudo.uh.edu) wrote:

: virus. It was found by McAfee 2.0e (1/4/96 version) and can only
: be deleted. Using f-prot 211 only tells me it "contains WordMacro
: search string Concept".

This is to be expected. Because of the data structures of OLE files (as Vesselin has found out at some cost), disinfection of Word data files infected with Word Macro viruses is a significant problem. It isn't a simple task, and the best solution *is* to delete the infected data file. (You can save the data, although not the formatting, by saving as a "text only" file. Unless someone has now written a macro virus that takes over that too?)
: The problem is that after I deleted these two files, whenever
: I use word to save file, the file is infected!!! (Although I searched
: all my 20,000+ files in my HDD for virus.)

What has happened is that the macro virus has infected your Word system, by becoming part of the NORMAL.DOT file. I do not know why the scanners are not identifying it, unless you have not set them to scan "all files".

: I still think it is not so severe but I just want to know the
: solution. (maybe I shall delete all my word Macros. :( Also how bad
: can the Concept do?

Concept, itself, does not do any overt damage, other than making changes to your system. However, if you don't get rid of it, you will be spreading it.

You might want to try another word processor. This is *not* going to have an easy solution.

======================
ROBERTS@decus.ca rslade@vanisl.decus.ca rslade@freenet.vancouver.bc.ca
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Security
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Thu, 01 Feb 1996 20:59:45 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 16

Feng Chen writes:

> I found two of my word 6.0 file on PC got the "CONCEPT"
> virus. It was found by McAfee 2.0e (1/4/96 version) and can only
> be deleted.

Check whether version 2.2.30 has been released - it should be able to disinfect infected documents.

> Using f-prot 211 only tells me it "contains WordMacro
> search string Concept".

That's right; F-PROT doesn't disinfect documents.

> The problem is that after I deleted these two files, whenever
> I use word to save file, the file is infected!!! (Although I searched
> all my 20,000+ files in my HDD for virus.)

Hmm... And neither SCAN nor F-PROT found any infected file? Did you indeed scan all files - including NORMAL.DOT?
Also, try a third scanner - FindVirus; you should be able to get an evaluation version somewhere from http://www.sands.com.

> Also how bad
> can the Concept do?

It is not intentionally destructive.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

[Moderator's note: The name reflects that this virus seems to be a "proof of concept" exercise.]

------------------------------

Date: Fri, 02 Feb 1996 08:44:01 -0500 (EST)
From: Al Proulx
Subject: Word Macro Virus -- Help??? (MAC,WIN)
X-Digest: Volume 9 : Issue 16

I know this will sound like a very simple question, but maybe if someone has answers for me they can reply by e-mail instead of cluttering up the newsgroup.

I've been hearing so much about this MS Word Macro virus -- I've read all the recent articles on comp.virus. But I really don't know WHAT IT IS EXACTLY?? Does it only activate if you read mail with MS Word; Can it be activated by running other macros; etc...???

I don't mean to bother everyone with what might seem like a rhetorical question, but every posting I've read only deals with how to avoid the virus, & doesn't really tell me what it is!

Thanks!

------------------------------

Date: Sat, 03 Feb 1996 02:08:25 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Help with Word macro virus on network (MAC,WIN)
X-Digest: Volume 9 : Issue 16

Zvi Netiv writes:

> To stop the creation of newly infected documents you need just to
> clean and protect the NORMAL template, to prevent the crosslinking of
> a macro virus to new docs.

This is false. First, it is perfectly possible for a macro virus to infect documents without infecting NORMAL.DOT.
Second, even if the *file* NORMAL.DOT is protected, some macro viruses will be able to infect its currently used copy and from there - other documents accessed during the same editing session (i.e., before you leave WinWord).

> Clean the NORMAL.DOT template(s) and change its attributes to read-
> only so that it won't get modified.

Better don't. WinWord needs to modify the global template every now and then - for instance, when you fiddle with the menus or the toolbar.

> We also found that monitoring the templates' integrity is effective
> in preventing reinfection. Take a look at appendix G in InVircible's

"Monitoring the integrity", unless done on-line, with a TSR program, does not *prevent* infection - it only detects it. Furthermore, the global template (NORMAL.DOT) often gets modified (see above) and is therefore likely to cause false positives to the integrity checkers. The proper way to solve the problem is to monitor only the integrity of the macro area in the global template. Can you do that?

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 29 Jan 1996 19:16:53 -0500 (EST)
From: "Chengi J. Kuo"
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 16

George Wenzel writes:

>>> Can anyone suggest me a good anti-virus for win95?

>>The Master Boot record on my PC was infected by
>>a FORM_A virus and I tried McAfee AntiVirus for Win95
>>and F-Prot for Win95. Both detected the virus but
>>neither could clean it.

>>Norton Antivirus for Win95 was the only one that
>>could clean it!

>Not to knock down your compliments for NAV95, but I would seriously doubt
>that McAfee and F-Prot were unable to clean Form.
>It is by far the most
>common virus out there right now.

Both McAfee and F-Prot could not clean Form from the Master Boot record because the virus was not in the MBR. Form is a boot sector virus, both on floppies as well as hard disks. So, I don't know what NAV was cleaning when it said that it did.

Also, I think there's a major misconception going on about Win95 versions cleaning boot sector viruses. Chances are, people aren't booting clean if they're complaining about the Win95 version not cleaning. I doubt the average user knows even how to boot clean into Win95.

To clean boot sector viruses, one boots clean using DOS and uses the DOS version of the product to do the cleaning of the boot sector.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 29 Jan 1996 19:29:49 -0500 (EST)
From: wna
Subject: Re: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 16

I have used McAfee's and Dr. Solomon. I am more impressed with Dr. Solomon. It found the ANTIEXE.A strain on some floppies that McAfee did not find. The interface was good and the manuals excellent. (Except the Anti-Exe is not on page 80 as the index says.)

------------------------------

Date: Mon, 29 Jan 1996 23:46:43 -0500 (EST)
From: Mark Andrew
Subject: Win95 23.3 of 24MB memory allocated at startup?? (WIN95)
X-Digest: Volume 9 : Issue 16

We have two new NEC P133 PCs w/Windows95 pre-installed; one with 24MB RAM and the other w/16MB.

We recently noticed that both computers started doing a lot of disk chatter, so checked the System Monitor to see how much swap file was being used. On the smaller machine we were well into virtual memory, which is understandable given everything running at the time. On the bigger machine we were using a bit less swap file.
I started checking the System Monitor more regularly and found today that, immediately after startup, with no applications running except System Monitor and Resource Monitor (no background apps, TSRs or anything) that 23+MB out of 24 were allocated. If I am remembering correctly, the System Monitor also showed 3+MB free and 0 swap file in use. Doesn't add up, does it? Has anyone encountered this ?

I thought we might have a virus, so I downloaded evaluation copies of McAfee's ViruScan for Win95 (with .dat file 9601 dated Jan-96) and Thunderbyte's TBAV for Win95 and ran them both. They found some WordMacro.Concept viri that I missed before but nothing else.

Any ideas?

Thanks,
Mark

------------------------------

Date: Tue, 30 Jan 1996 20:53:09 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 16

George Wenzel writes:

> >> Can anyone suggest me a good anti-virus for win95?
> >
> >The Master Boot record on my PC was infected by
> >a FORM_A virus and I tried McAfee AntiVirus for Win95
> >and F-Prot for Win95. Both detected the virus but
> >neither could clean it.
> >
> >Norton Antivirus for Win95 was the only one that
> >could clean it!

> Not to knock down your compliments for NAV95, but I would seriously doubt
> that McAfee and F-Prot were unable to clean Form.

I wouldn't be so quick to judge, without knowing what the exact problem is. I am not familiar with F-PROT for Win95 (it is not produced here and I do not use Win95) - however, didn't Win95 have a setting (the default, maybe?) that prevented the programs run under it to do sector-level disk access? This might explain the problems - but not why NAV has succeeded. Or did F-PROT say that it is a new variant of the virus?

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 02:01:41 -0500 (EST)
From: Vesselin Bontchev
Subject: Re: Virus checking in Win95 ?? (WIN95)
X-Digest: Volume 9 : Issue 16

Neil Allen writes:

> >Firstly, DO NOT use MSAV, which comes with Windows 3.11. It is
> >essentially useless.
>
> What about the "verify integrity" feature of MSAV?

It is as bad as the scanner... if not even worse. See

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip

for more information.

> I realise MSAV has a poor reputation - I am currently using F-PROT -
> however, is there an optimum way of combining the two - perhaps using
> F-PROT for the scan and the VIRSTOP feature, and MSAV for the
> integrity check - or is MSAV so bad it's not worth bothering with at
> all?

If you need an integrity checker, use a better one. The Professional version of F-PROT has one (F-CHECK), but it is commercial. If you want shareware - Integrity Master is an integrity checker, TBAV has an integrity checker, ADINF is an integrity checker...

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 23:21:30 -0500 (EST)
From: Joe Booth
Subject: Windows 95 and modem problems (WIN95)
X-Digest: Volume 9 : Issue 16

I have experienced a recent problem with Windows 95 and my internal modem. My modem was connecting fine until this morning. Then I could not connect to anything (Lexis, Westlaw, Syracuse dialup, fax machine). I messed around with modem settings and the like with no positive effect.
I finally cured the problem, or so I think, by uninstalling McAfee ViruScan for win95. Has anyone else experienced such problems with ViruScan?

I used f-prot prior to "upgrading" to win95 as my only virus protection (for disk scanning as well as the tsr). Does anyone know if f-prot supports win95, or will f-prot adequately detect/disinfect under win95?

BTW, my machine is a Dell p75, 16mb ram, w/zoom 14.4 internal modem and ViruScan was using VShield.

Thanks.
-Joe

------------------------------

Date: Mon, 29 Jan 1996 20:09:04 -0500 (EST)
From: Eduardo Haddad Filho
Subject: Microsoft Registration Virus (WIN)
X-Digest: Volume 9 : Issue 16

I don't know if this is already in a FAQ. Since Microsoft has the ability and does snoop around your disk for hardware and software information, I suppose it could also put a virus in your disk. I'm not saying that Microsoft will do this, Popular Science says it does snoop. (this is for legally minded people).

As it is, I believe any Internet site could do it, if you have a PPP or SLIP connection. Am I right? Is there any kind of protection?

Best Regards,
Eduardo Haddad Filho
ehaddadf@iis.com.br

[Moderator's note: Running -any- program in your computer -could- result in a virus being installed, a Trojan doing its work, etc. Microsoft would be very stupid to deliberately infect your machine because their hold on the market is still partly dependent on trust--notice the lengths they go to in publicly denying and/or correcting all the possibly damaging things that are said about them.]

------------------------------

Date: Tue, 30 Jan 1996 13:31:23 -0500 (EST)
From: Jon Martin
Subject: Ack! Newest NAV update causes serious lockups! (WIN)
X-Digest: Volume 9 : Issue 16

I just installed the latest NAV3.0 update (updateme.exe for dos/win3.1), and I found I have a serious problem. When I try to scan more than one 'thing' per session it locks and crashes.

For example: I start up nav. I select the directory c:\sopwith for scanning.
NAV scans, and finds no viruses (vires?). I then select c:\waaplay for scanning. NAV scans the memory and boot records, dies an undignified death, and DOS gives this message:

    Fatal Error eca0001: .RTLink CACHE - Save File Handling DOS Function code 0042, Error code 4204

DOS is screwed, and if I start up other things (including NAV) it totally locks. Ugly eh?

Just so you know, I have things set up as NAV wants them (in fact the latest update made only one change to my autoexec.bat). I noticed that this always happens if files=40 (as it used to be), but files=15 (the new setup, but not enough to run a lot of other things I have) and scanning only program files appears to be a bit more random (sometimes I can do _three_ scans per session).

Either I have serious problems with my system (which is doubtful, as I have never had a single problem with NAV before) or there is a serious problem with NAV (I hope not, I need it), or a small, easy change needs to be made that I am not aware of.

If anybody can help, let me know. I would hate to have to call tech support.

- -
Serve Gonk.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jon Martin cs95469@wolfcreek.cs.ualberta.ca http://www.ualberta.ca/~jomartin/
Entering Department of Computing Science at University of Alberta.

------------------------------

Date: Tue, 30 Jan 1996 20:11:54 -0500 (EST)
From: Irene Scallon
Subject: McAfee VirusScan 2.2 Upgrade (WIN)
X-Digest: Volume 9 : Issue 16

Hi

I recently purchased McAfee VirusScan 2.2 for Windows 3.1. The problem I am having is that after I loaded the scan it tells me that my data files are out of date. I went to the internet bulletin board for McAfee and downloaded the software there - this changed my licensed version to an evaluation copy. It also told me that "VShield was corrupt" and did not perform the scan when I first booted up the computer.
First I'm not sure I'm downloading the correct files and second I don't know which directory under McAfee to unzip them to. Can you help?

So far I have found McAfee Support less than adequate. The manual tells me that they have online help (all mail returned). I have sent them a fax (not answered). I called their support desk (long hold time) then connected to sales rep (who didn't help) put back on hold to talk to technical assistance (took too long and I gave up).

Please help if you can. This month my husband's hard drive went down - after scanning his disk we found Monkey B, Antiexe, and stoned.michaelangelo. I don't want this to happen again!

------------------------------

Date: Thu, 01 Feb 1996 13:41:49 -0500 (EST)
From: Scott Eggleston
Subject: virus scanner recommendations for wfw3.11 (WIN)
X-Digest: Volume 9 : Issue 16

i wish to know what the consensus is (if there is one) of what the best virus scanning software is for wfw3.11. if you recommend something, could you please tell me where i can ftp or download it from to try?

thanks,
scott
scotte@ix.netcom.com

------------------------------

Date: Thu, 01 Feb 1996 18:05:18 -0500 (EST)
From: Jeremy Nottingham
Subject: "Kilroy was Here." (WIN)
X-Digest: Volume 9 : Issue 16

A friend of mine has had the following problems:

In Windows, his stereo sound will sometimes play out of one speaker, or the other, but not usually both. Also, the answering machine software that was preinstalled on his comp will die after playing one message. It seems to play more, but there is no sound.

He wasn't suspicious, even though mem shows 639K, until this: He bought the game "LA General" and was playing it when his screen cleared to a picture of the Kilroy character and "Kilroy was Here". Then the game goes back to normal. Also, a smaller version of the kilroy guy pops up during game play in the top right corner of the screen.

He's run Norton AV with no results. I can't find any description of this virus on line.
I have a suspicion that this Kilroy guy might be a feature of the game, but I don't know about that. Anyway, if mem shows 640 K before the game, and Kilroy pops up, then exiting will show 639K.

Thanks,
Jeremy Nottingham

------------------------------

Date: Fri, 02 Feb 1996 00:38:35 -0500 (EST)
From: cshoier
Subject: mcafee problem (WIN)
X-Digest: Volume 9 : Issue 16

all right, i'm at my wits end. i tried to create file "t", which i usually do when downloading to use as a "catch-all" and the system hung, then spewed:

    fatal error has occurred in vxd mcutil(01)+00003515

when i check that mcutil, i find it modified 1/02. I search for files modified that date (oh, i'm using win'95) and find: mcafee viruscan and virushield. now, mcafee hours are the same as my work; does anyone know if virusshield could cause this? nobody i ask has seen such a thing...everything else works fine...i did a reinstall of win'95 to see if it was corrupted, and no dice.

please post here or email: cshoier@sdinter.net

thanks in advance!

------------------------------

Date: Fri, 02 Feb 1996 15:53:41 -0500 (EST)
From: JOHN A STAVROPOULOS
Subject: Norton Antivirus Anygood? (WIN)
X-Digest: Volume 9 : Issue 16

I recently purchased Norton antivirus for win3.1 and I am waiting for the upgrades. Is this a quality virus checker? Are there any problems with this antivirus program that I should know about? Any input would be appreciated.

John

------------------------------

Date: Fri, 02 Feb 1996 21:05:06 -0500 (EST)
From: JimBogart@aol.com
Subject: Phantom-1 (WIN)
X-Digest: Volume 9 : Issue 16

I have a possible reading for Phantom-1 ( in a DLL) reported by VET Anti-Virus Version 8.41 (which is a new demo in my "collection"). I have scanned with F-Prot 2.21, with Dr. Solomon 7.55 and with ThunderByte 6.51 with no virus reported. So far, I seem to be worried about nothing but ????

BTW the possibly corrupted file (DLL) was recently installed as part of a Powerbuilder CD-ROM install and may never have executed.
To be safe I booted clean and moved the file to a floppy (DOS copy command) for future inspection before deleting the suspect file. No symptoms on my PC so far. The only thing that seemed odd was that I had first tried to copy the DLL to a floppy while in Windows before the clean boot and Windows had reported that "A Drive Does Not Exist". It seemed a bit spooky to me.

Am I worrying about a false positive?

------------------------------

Date: Sun, 04 Feb 1996 03:55:24 -0500 (EST)
From: George Wenzel
Subject: Re: Wierd Virus report from F-PROT (PC)
X-Digest: Volume 9 : Issue 16

In article <0036.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Scott Mitchell wrote:

>Last week, I had a weird experience on my PC. It was doing its usual
>scan thing first thing in the morning and said the following message:
>
>"TEMP.PM5:(garbage) Not a virus - Ludwig_Boo-Bait".

The (garbage) is the important part here -- it's saying that the file is a garbage file that some other scanners may identify as a virus. Essentially F-Prot is saying 'this file isn't a virus - don't worry about it'.

>Fprot came up with Bait as a virus, so I am guessing that Boo stands for
>boot...right? As for Ludwig, it doesn't even exist.

Ludwig isn't an it, Ludwig's a he. Ludwig (can't remember his first name) is a virus author and makes his living (I believe) distributing viruses. He produced a CD-Rom containing virus material.

>Is this an actual virus?
>..it just appeared overnight (literally)

Nope. Nothing to worry about. Just delete it.

Regards,
George Wenzel

------------------------------

Date: Sun, 04 Feb 1996 12:10:31 -0500 (EST)
From: Iolo Davidson
Subject: Re: HD Corruption with Dr. Solomon's VirusGuard (PC)
X-Digest: Volume 9 : Issue 16

In article <0034.01I0U3NT89X2PVGQEE@csc.canterbury.ac.nz> gbv55375@ibmmail.com writes:

> By returning to version 4.57 of VirusGuard the problem
> disappeared. When version 7.5 was received we tried again and
> once again the problem returned.
I would just like to point out that version 4.57 was the last one that I worked on before I left Dr. Solomon's employ. So I am unable to help you with the problem (as well as dodging any possible responsibility for it!). The 7.xx series followed 4.xx directly, with the numbers updated to match the Toolkit version numbering as a whole (which is to say, there were no VirusGuard versions 5.xx or 6.xx).

> Has anyone experienced this situation?

I run VirusGuard with various Netware and Windows configurations and have not experienced any such trouble. There are tons of variables, though. We once traced a serious problem at one site to the fact that the users were adding ">NUL" to the invocation in AUTOEXEC.BAT to stop the initial screen appearing (don't do this with *any* TSR, Guard has the /silent switch for this). Another site was using a third party environment string diddler which wrote to the wrong copy of the environment, overwriting resident software at random.

- -
NO LADY LIKES     ACCOMPANIED BY
TO DANCE          A PORCUPINE
OR DINE           Burma-Shave

------------------------------

Date: Fri, 02 Feb 1996 11:38:11 -0500 (EST)
From: Mic Chow
Subject: V-SIGN (PC)
X-Digest: Volume 9 : Issue 16

I have run across a virus in which McAfee 2.2.6 had named V-SIGN. I have checked with VSUM 9512. It has nothing on this virus. What the heck does this thing do? How does it infect things? what's the scoop on it?

Mic

[Moderator's note: I don't know offhand exactly what it does but it is a BSI/MBR virus also fairly commonly known as Cansu.]

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 16]
*****************************************