VIRUS-L Digest   Sunday, 18 Feb 1996    Volume 9 : Issue 26

Today's Topics:

Re: Virus Calendar
Re: A-V Software Trade show
Re: Student use of PCs
Re: Most infections from commercial software ?
Re: Virus Calendar
Re: Virus Protection Policy
Re: Software evaluation doc needed
Real email viruses
Death Ray Virus Question
Intel Vprotect (NW)
Re: When Harry met Sally Orgasm Scene Virus (MAC)
Re: Virus Checker for Macintosh (MAC)
Microsoft Word automacros (MAC,WIN)
Re: Virus affecting memory? (WIN)
Re: NYB Virus MAC to PC (MAC,PC)
Re: Microsoft Registration Virus (WIN)
Re: mcafee problem (WIN)
Re: kbug1720 remover or disinfection? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: LAN-wide antivirus s/w solution? (PC)
Re: Virus that damages hardware (PC)
Re: KOH in Mainstream Press (PC)
Re: Virus that damages hardware (PC)
Re: Help on "A" virus (PC)
Re: TBAV and v-sum (PC)
Happy New Year variant? (PC)
Re: DIEHARD (PC)
Little Brother 299 - HELP (PC)
Re: Help on "A" virus (PC)
Re: spartan? (PC)
Re: Help on "A" virus (PC)
Re: MtE Virus (PC)
Cpw Virus (PC)
Re: Quality Anti-Virus Programs (PC)
Re: McAfee Software how do I obtain? (PC)
Help with Monkey Virus problem (PC)
Re: Unknown Virus (PC)
Re: PS/2 boot sector problems-Virus? (PC)
SMEG (PC)
Help with Cascade (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Sun, 11 Feb 1996 12:53:04 -0500 (EST)
From: Graham Cluley
Subject: Re: Virus Calendar
X-Digest: Volume 9 : Issue 26
In-Reply-To: <01I13TTVRFYQPVIUA3@csc.canterbury.ac.nz>

News Group writes:

> Does anyone know of a list that contains dates of when known viruses
> will be executed?

We used to produce an annual calendar of dates when viruses triggered. But one thing you should realise is that viruses are a problem every day of the year, not just the day when they might trigger. Besides which some viruses have payloads which go off *every* day so a calendar is pretty useless for them. Other viruses are not date-related at all.

We produced our calendar as a way of raising virus awareness in the workplace, but we always included a large disclaimer saying "Don't take this seriously.. etc etc".

Why do you want a virus calendar anyway? There might be an easier way (or different way) of reaching what your real aim is.

If you are really insistent that you need this information drop me a note with your snail-mail address and I'll see if I can still find a 1995 calendar lurking somewhere in the office. If you're lucky I'll throw in a pair of Dr Solomon's Socks as well. :-)

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
                                     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 11 Feb 1996 12:53:10 -0500 (EST)
From: Graham Cluley
Subject: Re: A-V Software Trade show
X-Digest: Volume 9 : Issue 26
In-Reply-To: <01I13TTVRFYQPVIUA3@csc.canterbury.ac.nz>

Doug Geiste writes:

> While surfing looking at AV software pages one day, I came across
> a site that had advertised some sort of AV software tradeshow in the
> Washington DC area. Since then, I can't find the page or any information
> about it. I remember it was being held April 1st and 2nd.
>
> Can someone please point me in the right direction for information?

Sounds like you're referring to the NCSA International Virus Prevention Conference (IVPC 96) held at the Washington National Airport Hilton, Washington DC, April 1-2 1996. Among the speakers are Jimmy Kuo of Symantec, Dmitry Gryaznov of Dr Solomon's, and Joe Wells of IBM.

You can contact the NCSA at:

National Computer Security Association
10 South Courthouse Avenue
Carlisle, PA 17013
Phone: 717-258-1816
Fax: 717-243-8642
http://www.ncsa.com

From what I've read Dr Solomon's are sponsoring the breakfast, so you know who to complain to if it's no good. :-)

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 11 Feb 1996 13:47:53 -0500 (EST)
From: George Wenzel
Subject: Re: Student use of PCs
X-Digest: Volume 9 : Issue 26

In article <0002.01I13TTVRFYQPVIUA3@csc.canterbury.ac.nz>, Pat Gannon-Leary wrote:

>We're just introducing PCs as public access catalogs in our small
>University library.
>There is a facility on the PAC which allows the
>down-loading of booklists etc. to a floppy. Bearing in mind our limited
>funds, how do we best protect our PCs from the introduction of viruses -
>virus protection software, virus scanner, or what?

I'd suggest obtaining a reputable AV program that includes a TSR (or a VxD if your system is under Windows) which will scan every file upon access. As long as there is no way for the user to disable this, it can be a very effective control mechanism, when combined with a daily scan (if you're using a library system, scanning upon startup shouldn't be too much of a bother).

Regards,
George Wenzel

------------------------------

Date: Sun, 11 Feb 1996 16:07:08 -0500 (EST)
From: support@vse.ac-copy.com
Subject: Re: Most infections from commercial software ?
X-Digest: Volume 9 : Issue 26

>: >Date: Tue, 30 Jan 1996 15:56:44 -0500 (EST)
>: >From: Doug Muth
>: >
>: > Well, I don't have the numbers to back this up, but I believe
>: >that the most infections come through commercial packages. Probably

>From: David Harley
>Don't know about most: some certainly do.

David, I completely agree on SOME (I got my "concept" directly from MS-Germany), but I think that saying MOST infections are by commercial packages (as Doug stated) is rather misleading, if not dangerous, for it distorts the view on things.

Most end-users do not want to be educated about viruses, they just don't want them at all... Of course it is very advisable to scan diskettes in shrink-wrapped packages, too. And I have seen viruses on CD-ROM... But I don't believe that the concept of fear is a good tutor. I believe that every possible risk, no matter how outlandish at first glance, has to be researched and evaluated.

I will gladly look at the relevant statistics and see myself corrected: but I will, for now, just not accept the fact that this is the single most common infection source.

So, let's have some numbers, anyone?
Surely somebody must keep some statistics over this issue.

Ciao, Guido

------------------------------

Date: Sun, 11 Feb 1996 22:24:14 -0500 (EST)
From: Janis Decker-Frisk
Subject: Re: Virus Calendar
X-Digest: Volume 9 : Issue 26

news@zippo.com wrote:

>Does anyone know of a list that contains dates of when known viruses will be
>executed?

I do not know of a list, but I do know of a web site that posts a monthly calendar with trigger dates for viruses. Perhaps you can write to the page's author and see if he can direct you to a list. The web site is:

http://galaxy.einet.net:80/galaxy/Engineering-andTechnology/Security/david-hull/month.jpg

The page is put together by David Hull, PhD. His e-mail address is dhull@pomona.edu

Janis Decker-Frisk

------------------------------

Date: Mon, 12 Feb 1996 09:51:58 -0500 (EST)
From: David Harley
Subject: Re: Virus Protection Policy
X-Digest: Volume 9 : Issue 26

Samson Luk (gu_jc3@uxmail.ust.hk) wrote:

: MR HENRI J DELGER (henri_delger@prodigy.com) wrote:
: : breached. Anti-virus security means minimal "privileges"
: : for each user, to avoid a virus "epidemic." One infected
: : computer is bad enough, a thousand can spell disaster.
: : Only those who need full write access privilege, such
: : as the Administrator, should be able to access the server
: : with write intent.
:
: Any one tried Sophos' Sweep for Windows NT with InterCheck? This
: product actually required the Windows NT Server that is running the
: anti-virus scanner/monitor to create a directory with public write
: access. Based on the above reason I have great doubt in the
: implementation of such a loophole.

Oh, I have great faith in the ability of any software manufacturer to implement a loophole. ;-)

Without knowing the details, I must admit it sounds a bit worrying, but then it rather depends on what's *in* that directory and whether it constitutes a possible entry-point to other directories.
I do know of a mission-critical corporate package which does something rather similar on a NetWare server, which has caused a few twitches.

What really matters is less whether the directory has general write permissions (which, after all, you may need to write log files, for instance) than whether the executables have write/modify permissions. It does seem to me, though, that one of the possible reasons for a server network is to be able to back up files to it, so that's one instance where a user without system privileges would, nonetheless, need (limited) write access.

David Harley

------------------------------

Date: Mon, 12 Feb 1996 10:02:34 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Software evaluation doc needed
X-Digest: Volume 9 : Issue 26

>I am looking for a document, article or whatever that lists,
>compares and evaluates (if possible) the current best antivirus
>packages for different platforms.

If you need unbiased concise information look for the Virus Bulletin published in the UK. The publication is known to be the most respected antivirus journal in the world. Beware tests that are done by computer magazines since they usually do not include large virus zoos for testing.

Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                USA Distributor for
P.O. Box 856                        AntiViral Toolkit Pro
Brunswick, Ohio 44212
216-273-2820                        Internet: info@command-hq.com
Compuserve: 102404,3654             FTP: ftp.command-hq.com /pub/command/avp
:GO AVPRO                           WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 12 Feb 1996 11:29:01 -0500 (EST)
From: "A.Appleyard"
Subject: Real email viruses
X-Digest: Volume 9 : Issue 26

Tom Simondi wrote on Thu 18 Jan 1996 16:48:02 -0500 (EST) (Subject: Re: E-MAIL Viruses.):-

> As you might have guessed from the moderator's note, the Good Times "virus"
> is but one of the many hoaxes out there in cyberspace.
> For a freeware
> Windows Help-formatted tutorial on viruses and virus hoaxes see the products
> page on my home page (see signature for the URL).

and various other people similarly.

Oh yes they do exist! If you have Word for Windows alias Microsoft Word etc, if your email reader calls Microsoft Word to read email, if an email comes with a Microsoft Word mode attachment which is infected with one of the Word macro viruses such as Concept or Nuclear, you will then find whether or not there is nowadays such a thing as an email virus.

[Moderator's note: I'm sure this will likely kick-off a debate about what a "real" Email virus would be like. Some will say what Anthony describes is a non-Email virus being delivered by Email and propagating through a special set of circumstances. Whether this is "general enough" to count as an Email virus or not will then be up for debate. Any takers?]

------------------------------

Date: Mon, 12 Feb 1996 18:19:45 -0500 (EST)
From: Jesse P {CCGATE1 C41JPS} Salinas
Subject: Death Ray Virus Question
X-Digest: Volume 9 : Issue 26

I had a call from a friend regarding whether we had any experience with the Death Ray virus. It did not ring a bell with me; has anyone else had any experience with it?

Thanks,
Jesse Salinas
EDS PC Support
C41JPS@DSO.HAC.COM

[Moderator's note: As mentioned in the FAQ, it helps (sometimes a -LOT-) if you also report -what- AV s/w tells you a virus name when asking such questions.]

------------------------------

Date: Mon, 12 Feb 1996 10:27:16 -0500 (EST)
From: "Alfred.Jilka@cc.geolba.ac.at"
Subject: Intel Vprotect (NW)
X-Digest: Volume 9 : Issue 26

Could someone comment on this product? We got it delivered with "Manage Wise" from Novell. Somewhere in the documents I found a list of viruses it detects: ~132 BSV and ~3000 file infectors. This seems a bit weak. I know there are the usual discrepancies when counting the beasts, but the figure seems a bit low anyhow. The user interface is not too impressive.
We even had to disable it on our servers, as the workload was too heavy for a 486/66 (I know, pretty slow for a server, but the product is still unusable).

##################################################################
Geological Survey of Austria - The land celebrating its millennium !
Phone:               Fax:               Email:
+43/1/712-56-74/56   +43/1/713-64-57    jilalf@gbat500.geolba.ac.at
+43/1/712-56-74/56                      jilka@gbaws4.geolba.ac.at

------------------------------

Date: Sun, 11 Feb 1996 20:18:14 -0500 (EST)
From: Fizeek
Subject: Re: When Harry met Sally Orgasm Scene Virus (MAC)
X-Digest: Volume 9 : Issue 26

In article <0013.01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>, Trenton Cladouhos wrote:

> My Powerbook 540 seems to be infected with Meg Ryan's fake
> orgasm from the movie "When Harry Met Sally." Whenever the
> computer wakes from sleep, the audio portion of the scene
> starts as well. It may be causing some damage also as I am
> having some unexplained crashes and the Volume Info File (as
> noticed by Norton Utilities) is often incorrect.
>
> Has anyone else heard of this virus? Disinfectant does not
> identify it.

I've heard of an extension, called "power orgasm", I think, that will make a Powerbook do this. It's not a virus, but it is still possible that it is the cause of your crashes. It may be invisible, so you may want to look in your extensions folder with a program that can recognize and manipulate invisible files, such as ResEdit. Just get info on it, remove the invisible flag and delete it.

If that's not it, then I can't help you. There are worse scenes to hear all the time, though.

Ryan McCullough
Roark@dartmouth.edu

------------------------------

Date: Mon, 12 Feb 1996 15:07:04 -0500 (EST)
From: Shane Coursen
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 26

In article <0014.01I12C7JTDDGPVIUA3@csc.canterbury.ac.nz>, a8101gbb@helios.edvz.univie.ac.at says...
>Phillip Steck wrote:
>>He can buy a program from MAC WAREHOUSE called SAM that is made for the
>>Mac. The same company that makes Norton Utilities for the Mac makes it.
>>I think version 3.5 is the latest Mac version.
[snip]
>
>Latest version of SAM (Symantec Antivirus for Macintosh) is 4.0.7 .

Just as an FYI: Be on the lookout for a SAM update in a few weeks. SAM will repair all known Word macro viruses.

- -
Shane Coursen                        Symantec Corporation
Computer Virus Researcher            http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center            CIS: GO SYMWIN
scoursen@symantec.com                     GO SYMNEW
US Support: 541-465-8420             AOL: SYMANTEC
European Support: 31-71-353-111      Australian Support: 61-2-879-6577

------------------------------

Date: Sun, 11 Feb 1996 18:18:20 -0500 (EST)
From: Joseph Stafford
Subject: Microsoft Word automacros (MAC,WIN)
X-Digest: Volume 9 : Issue 26

I use the command to disable auto macros in my autoexec macro for Microsoft Word. With this in effect Wizards will not start automatically. However, after a Wizard is manually started it seems to re-enable auto macros, since other Wizards will start automatically afterward.

------------------------------

Date: Sun, 11 Feb 1996 09:28:41 -0500 (EST)
From: Iolo Davidson
Subject: Re: Virus affecting memory? (WIN)
X-Digest: Volume 9 : Issue 26

In article <0010.01I13TTVRFYQPVIUA3@csc.canterbury.ac.nz> octaboy@pipeline.com "Octavio Warnock-Graham" writes:

> About two days ago I downloaded Win32 from NCSA's website so as to install
> Mosaic. Less than 12 hours later I tried to open Word 6.0 and got an error
> message saying, "unable to start this application. Insufficient memory."

I've had such messages under Win95. I have 16Mb of RAM. The message is essentially not meaningful. In my case it probably meant there was not as much disk space as the system wanted for swapping (I "only" had about 50Mb free).

> I have 300 megs on HD and 12 megs of ram.
That ought to be enough disk, unless you are using DriveSpace, in which case it is another lie.

- -
FIRST MEN BUY IT        THEIR FRIENDS
THEN APPLY IT           TO TRY IT
THEN ADVISE
                          Burma-Shave

------------------------------

Date: Mon, 12 Feb 1996 06:16:47 -0500 (EST)
From: David Harley
Subject: Re: NYB Virus MAC to PC (MAC,PC)
X-Digest: Volume 9 : Issue 26

ZSO (zso1@voicenet.com) wrote:

: I tried to format a floppy the other day on my PC and could not format the
: disk. I did a virus scan with McAfee and found the NYB virus, cleaned it out
: okay. However, this really bothered me how the pc got infected. I knew
: that I had left a disk in twice last week while booting up the pc. So
: it had to be one of two disks.

Not so, unless it was the first time you'd *ever* left a disk in when you booted and you *know* that no-one else had ever done. Otherwise, you don't know for sure *when* you were infected. Thrashing on floppy access doesn't happen every time, something like 1/500 times, I think.

: After checking, they both were infected
: with the virus. I traced one to another pc at work, but the pc was
: clean, although I heard that it once had the NYB virus and since had been
: cleaned.

An interesting coincidence. Do you know *when* it was cleaned? And had all associated floppies been cleaned, too?

: The other disk came from a Mac, which was formatted using Apple
: File Exchange. I had the person who gave me the disk format another new
: floppy. And sure enough, he gave me two formatted disks and both were
: infected.

This doesn't add up, not if the Mac user is really using AFE.

: I have heard that there is no such thing as a cross platform
: virus? Is this true?

A matter of definition. Some people regard macro viruses as cross platform. However, if there are cross-platform viruses, NYB isn't one of them. This assumes that emulation doesn't count as cross-platform, of course.

: My Mac knowledge is limited. Could the Mac be
: infected?
: Or is it just the Apple File Exchange program that is spreading
: this.

If it's not running any DOS emulation, there's no way the Mac is infected. The only way AFE could be spreading a BSI is if it's been gimmicked intentionally to format with a contaminated disk image. This is *very* unlikely.

: [Moderator's note: Are you sure the Mac owner was not using the FORMAT
: command of DOS in a DOS emulator like Soft Windows, -or- otherwise
: accessing the diskettes from a DOS emulator after formatting them with
: AFE?

This sounds feasible, though my recollection of using SoftPC back in the dark ages was that floppy access of any sort was very hit and miss (like having to reboot the machine to get a DOS disk to eject). If the Mac owner is using some kind of hardware emulation, it's even more feasible.

: I have seen this before--the "emulated" PC hard drive (which is just a big
: file to MacOS) can be "infected" with BSI/MBR viruses by leaving an
: infected diskette in the Mac's floppy drive when starting up the emulator
: environment. This happens because the emulator, "just like a standard
: PC", will try to boot from a floppy in preference to the HD and DOS is
: emulated sufficiently well that its hard drive can be infected by most MBR
: viruses.]

I haven't seen this happen, but Insignia emulation is remarkably good. Isn't the 'virtual' MBR attached to the emulated 'drive' rather than to the physical Mac drive, though?

David Harley

[Moderator's note: The PC "hard drive" under SoftPC/Soft Windows is just a large file to the MacOS that the emulator makes available to "look like" a standard (i.e. BIOS-level) PC hard drive. Under SoftPC/Windows the PC boots DOS just as DOS boots on a PC--if there is no diskette in the first floppy drive the first absolute sector of the first fixed drive is loaded into memory and execution jumps to the first byte of the contents of that sector...
What I referred to in my earlier note is observed operation, not some theoretical discussion of what may happen.]

------------------------------

Date: Sun, 11 Feb 1996 15:47:13 -0500 (EST)
From: Eduardo Haddad Filho
Subject: Re: Microsoft Registration Virus (WIN)
X-Digest: Volume 9 : Issue 26

I think I did not explain myself clearly on this subject. What I meant was:

1.- I think Microsoft is the first company to offer an alternative for one to register its software - that's why I chose the heading.

2.- In a recent "Popular Science" magazine, a Microsoft spokesman (spokesperson?) confirmed that they do snoop your software and hardware.

3.- I believe now that, to be able to do this, this feature must be built in their software.

4.- If this trend goes on, and other companies start offering on-line registration then, (a) they could build the snooping feature in their software too, (b) someone (I do NOT think a company would deliberately do it) could put a virus in your computer using this technique (the capability is there). A disgruntled employee?

5.- Is there any protection against this, other than not registering on-line?

Thanks!

eduardo haddad filho
eureka@omega.lncc.br

------------------------------

Date: Mon, 12 Feb 1996 06:05:21 -0500 (EST)
From: "Bob Witham Jr."
Subject: Re: mcafee problem (WIN)
X-Digest: Volume 9 : Issue 26

cshoier wrote:

>all right, i'm at my wits end.
>
>i tried to create file "t", which i usually do when downloading to use as
>a "catch-all" and the system hung, then spewed:
>
>fatal error has occurred in vxd mcutil(01)+00003515
>
>when i check that mcutil, i find it modified 1/02. I search for files
>modified that date (oh, i'm using win'95) and find: mcafee viruscan and
>virushield.
>
>now, mcafee hours are the same as my work; does anyone know if
>virusshield could cause this? nobody i ask has seen such a
>thing...everything else works fine...i did a reinstall of win'95 to see if
>it was corrupted, and no dice.
>

If you are running Windows 95, you need to run McAfee's SCAN95 and Vshield95 (contained in SCAN95) rather than the old DOS programs. Make sure you are not installing McAfee's DOS version of Vshield in your autoexec. That will definitely give you problems. Other than that, we have had no problems with McAfee under Windows 95.

Bob Witham
State of Maine Bureau of Info Svcs

------------------------------

Date: Sun, 11 Feb 1996 12:26:53 -0500 (EST)
From: Graham Cluley
Subject: Re: kbug1720 remover or disinfection? (PC)
X-Digest: Volume 9 : Issue 26
In-Reply-To: <01I13T9JMX4OPVIUA3@csc.canterbury.ac.nz>

mail04797@pop.net (Paul Thomas) writes:

> I am running into a number of infections with the kbug1720 virus on a
> Windows NT (3.1) Advanced Server machine and, though being identified by
> McAfee Viruscan, the report indicates that no remover is available for
> the thing.
>
> Is anyone aware of software out there that will remove the KBUG1720
> from a NT v 3.1 advanced server? Please post or email to my
> address.

Consider the possibility that you have a false alarm. You may like to run some other well-regarded scanners to see if you really do have this virus or a McAfee false alarm. You can download an evaluation version of Dr Solomon's FindVirus for DOS from our website. An NT version is available from our offices (see details below).

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 11 Feb 1996 12:26:46 -0500 (EST)
From: Graham Cluley
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 26
In-Reply-To: <01I13T9JMX4OPVIUA3@csc.canterbury.ac.nz>

Thanks to Vesselin and Jimmy Kuo for pointing out I had mixed-up Russian Flag (aka Ekaterin) and AntiEXE.
It seems my home-brewed database of virus descriptions got mangled when I assigned the wrong alias to Russian Flag and before I knew it I was banjaxed. So, to clear things up, here's a more accurate description of Russian Flag:

Russian Flag
Aliases: Ekaterinburg, Ekaterin
Type: Memory-resident boot and partition sector virus.
Affects: Write-enabled hard and floppy disks if the computer is booted from an infected (not necessarily bootable) floppy.
File Growth: N/A

Description
This boot and partition sector virus infects the hard disk when booted from an infected floppy. Diskettes are infected on read access (eg. DIR command). On the 19th August the virus displays a Russian Flag on the screen. This appears to be a commemoration of 19th August 1991 when there was a communist military coup in Russia. The text "Ekaterinburg" can be found encrypted inside the virus.

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 11 Feb 1996 12:26:55 -0500 (EST)
From: Graham Cluley
Subject: Re: LAN-wide antivirus s/w solution? (PC)
X-Digest: Volume 9 : Issue 26
In-Reply-To: <01I13T9JMX4OPVIUA3@csc.canterbury.ac.nz>

Clark Dowding writes:

> I've got a Netware 4.1 network with Windows 3.1, Windows 95, and DOS
> work stations. I want to run some network wide anti-virus software.
>
> Any suggestions?

There are a number of products which have versions available for DOS, NetWare, Windows 3.1, and Windows 95. Dr Solomon's for instance (we also have versions for NT, OS/2, and Unix). You may like to read some of the independent comparative reviews available; you'll find some of these on our website (see below) as well as links to other anti-virus vendors.
If you're interested in evaluating Dr Solomon's for NetWare/Win95/etc contact one of our offices on the telephone numbers below and I'm sure they'll be happy to oblige.

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 11 Feb 1996 14:11:49 -0500 (EST)
From: Kenneth Albanowski
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 26

On Wed, 7 Feb 1996, Claus Leth Gregersen wrote:

> Well i don't know if any existing virus actually do this, but it is
> possible to blow up some monitors with wrong settings of vga registers.
> Just look at the warnings about setting up X for linux :)
> A friend of mine blew up his monitor while trying to set up mode x
> himself. So physical damage on some monitors should be possible.
>
> /Claus Leth Gregersen.
>
> [Moderator's note: Another poster has also suggested that the X-Free
> documentation mentions the possibility of doing such damage. Is there
> someone who is truly a monitor expert who would like to comment on these
> suggestions?]

Yes, some video cards can attempt to drive some monitors at higher frequencies than the monitors were designed to support. In some cases, this can cause permanent damage to the monitor.

However, for this to take place, software needs to know and understand how to program your particular video card, and what the limitations of your monitor are. No virus is likely to have these capabilities. Very few pieces of software attempt to work all of this out. XFree86 _does_ work this out, as that is part of its reason for existence. So by providing utility, it also provides a minor risk.
In any case, damaging your monitor should not be an issue for most multi-sync monitors, and therefore the problem is quite limited, as most PCs are going to be using multi-sync monitors nowadays.

(A bit of a technical digression here: video cards and monitors are a bit of a shambles in the PC environment. There is no commonly accepted way for the monitor to inform the PC what its limitations are, and each SVGA card from a different manufacturer is programmed in a different way. Hence any program like XFree86 that tries to support many video cards and many monitors has a lot of difficult work cut out for it. The only reason DOS and Windows don't have these sorts of problems is because DOS text modes are "lowest common denominator" that should work on any video card and monitor, and because Windows video drivers are supplied directly by the manufacturer of the SVGA card. XFree86 cannot benefit from either of these techniques.)

In summary: the chance of software or a virus damaging your monitor is just about nonexistent, unless you are setting up something like XFree86. And then the risk is still low. And the XFree86 documentation is _quite_ explicit in warning about the possibility. Once XFree86 is set up properly, the risk is again nearly nonexistent.

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sun, 11 Feb 1996 09:28:44 -0500 (EST)
From: Iolo Davidson
Subject: Re: KOH in Mainstream Press (PC)
X-Digest: Volume 9 : Issue 26

In article <0039.01I13T9JMX4OPVIUA3@csc.canterbury.ac.nz> cjkuo@alumnae.caltech.edu "Chengi J. Kuo" writes:

> Having talked directly with the author of this article, he said
> that he wrote that article as a farce. Looks like you only found
> one area that you thought was funny, though.

Spoofs on virus themes always backfire. I don't suppose there is any hope of the people who write them realizing this?
- -
FIRST MEN BUY IT        THEIR FRIENDS
THEN APPLY IT           TO TRY IT
THEN ADVISE
                          Burma-Shave

------------------------------

Date: Sun, 11 Feb 1996 09:29:56 -0500 (EST)
From: Iolo Davidson
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 26

In article <0015.01I13TTVRFYQPVIUA3@csc.canterbury.ac.nz> sjlam1@MFS01.cc.monash.edu.au "Stuart Lamble" writes:

> In other words: there may or may not be viruses (virii?) that
> damage hardware;

There aren't any.

> however, it is _plausible_ that somebody could create one that
> does damage monitors.

Given the fact that there aren't any, I don't agree that it is plausible. Theorising about remote possibilities is just theorising, and does not equal plausibility. I doubt that it even equals possibility. What it is is theorising.

- -
FIRST MEN BUY IT        THEIR FRIENDS
THEN APPLY IT           TO TRY IT
THEN ADVISE
                          Burma-Shave

------------------------------

Date: Sun, 11 Feb 1996 15:31:33 -0500 (EST)
From: Glen D Moffitt
Subject: Re: Help on "A" virus (PC)
X-Digest: Volume 9 : Issue 26

Betty Ann Feeley wrote:

> I work in PC Services at Avon Products in Rye, NY and recently 3
> users unearthed the "A" virus on their PCs. We use a Novell
> product called LANDesk Virus Protect 2.13 that notifies the user
> of the virus name, and location of the corrupted file. All 3
> users attempted to delete the virus with VProtect; upon doing so,
> the C drive can no longer be recognized.
>
> We've called Novell for support; they informed us that they've
> never encountered a virus with this name, but that most likely it's
> a boot sector virus. We've used Norton Disk Doctor on one of the
> infected PCs and although it recovers the boot partition, none of
> the files previously saved to the C drive are listed using DIR.
> Using the FDISK utility shows one DOS partition on the C drive,
> but at only 1% usage, not the normal 100%. The DIR command only
> shows 3 megs of total space on the hard drive.
>
> If anyone has heard of this virus or has any suggestions, please
> reply.

I would not count on LANDesk for much more than detection of common viruses. Just my personal opinion. We're covering our PCs at work with LANDesk, because we have the licences, but are currently evaluating others. In our tests, LANDesk's Vscand has on several occasions given false positives of a "Generic" virus (its term) and the ol' "readiosys" virus. Plus I was unimpressed with the options it throws at the users when a virus is detected: [D]elete the File, or [L]eave Alone. So they think, "hey, I'd better delete the thing"... boom... crash...

Glen Moffitt
glenm@seanet.com

------------------------------

Date: Sun, 11 Feb 1996 16:34:29 -0500 (EST)
From: Usenet News
Subject: Re: TBAV and v-sum (PC)
X-Digest: Volume 9 : Issue 26

On 11 Feb 1996, Wayne Riddle wrote:

[...]

> Anyway, we have not been able to convince Patricia Hoffman that she
> should test a product 'as is'. If you want to see our product tested
> in VSUM, feel free to send a complaint to Patricia Hoffman.

Where to send complaints? Her address is not shown in any TBAV docs. It sounds like the ThunderByte folks don't care about her tests anyway. :)

------------------------------

Date: Sun, 11 Feb 1996 17:27:26 -0500 (EST)
From: Alexander Stuy
Subject: Happy New Year variant? (PC)
X-Digest: Volume 9 : Issue 26

I boot up one of my PCs and right after checking the floppies it displays the message "c: failure, press F1 to continue". I press F1 and it starts to boot normally but somewhere along the autoexec.bat file (after smartdrv and the mouse driver load, I think at ndd.exe) it bombs out and responds "bad command or file name". So I type out the autoexec.bat file; it now contains one line: mostly strange characters but ends with "Happy New Yr >n". So I copy autoexec.bak over autoexec.bat and reboot, exact same result. I typed out autoexec.bak first, it looks fine.
I format a boot floppy on my other PC, copy F-Prot v221 to it and boot the suspect PC. F-Prot does not find anything. Of course they could both be infected. Thinking that maybe ndd.exe has gotten corrupted on the suspect PC, I type out autoexec.bak; it still looks fine. I copy it over autoexec.bat. I edit autoexec.bat to take out the call to ndd.exe. Upon trying to save I get a disk error (sector not found). Same if I try to edit autoexec.bak. If I boot with the left shift key down and try to run ndd the machine just locks.

I would suspect a bad hard drive if it was not for the "..Happy New Yr >n" part of this story. My questions are: Is Happy New Year a virus that can hide itself if it's active upon a scan? Or are there variants that can? Is there any other virus that contains the text "Happy New Yr" that could cause these symptoms?

I can rebuild the suspect PC but I run a computer lab at FSU and am worried that if it's an infection other PCs could be infected. My PC at work on which I am authoring this post locked up twice before I could get this out. I run virstop on it so it's hard to see how it could have gotten infected. Is 54,619 bytes the correct size for command.com in DOS v6.20?

------------------------------

Date: Sun, 11 Feb 1996 20:03:43 -0500 (EST)
From: Wayne Riddle
Subject: Re: DIEHARD (PC)
X-Digest: Volume 9 : Issue 26

Piet Taal wrote:

>How do I remove DIEHARD from W95?
>
>McAFEE 95 sees the virus but cannot kill it.

Did you boot from a clean DOS disk (not the Win95 startup disk) and run the program? I have used the DOS version of Scan to remove the Die Hard virus, but that was on a DOS 6.2 system.

Wayne Riddle
riddler@agate.net

------------------------------

Date: Sun, 11 Feb 1996 23:50:43 -0500 (EST)
From: Van VanDyke
Subject: Little Brother 299 - HELP (PC)
X-Digest: Volume 9 : Issue 26

Has anyone had any experience with a Little Brother 299 virus? McAfee ID'd it, but won't repair it. An fdisk /mbr has no effect. I've never seen this one.
Any suggestions?

Van VanDyke
vandyke@airmail.net

------------------------------

Date: Mon, 12 Feb 1996 00:09:55 -0500 (EST)
From: Bruce Burrell
Subject: Re: Help on "A" virus (PC)
X-Digest: Volume 9 : Issue 26

Betty Ann Feeley (75330.2407@CompuServe.COM) wrote:

> I work in PC Services at Avon Products in Rye, NY and recently 3
> users unearthed the "A" virus on their PCs. We use a Novell
> product called LANDesk Virus Protect 2.13 that notifies the user
> of the virus name, and location of the corrupted file. All 3
> users attempted to delete the virus with VProtect; upon doing so,
> the C drive can no longer be recognized.
>
> We've called Novell for support; they informed us that they've
> never encountered a virus with this name,

Probably because that wasn't what was reported by LANDesk -- one would *hope* that tech support knows the names given to viruses by their own product. My bet is that you had the "A" variant of some virus -- Monkey.A, perhaps?

> but that most likely it's a boot sector virus.

Sounds like their tech support is on the ball, then, based on the rest of your well-stated report.

> We've used Norton Disk Doctor on one of the
> infected PCs and although it recovers the boot partition, none of
> the files previously saved to the C drive are listed using DIR.
> Using the FDISK utility shows one DOS partition on the C drive,
> but at only 1% usage, not the normal 100%. The DIR command only
> shows 3 megs of total space on the hard drive.

There's no guarantee, but at least there's a reasonable chance that the damage done by the virus removal is reversible -- many Boot Sector Viruses keep a copy of the Master Boot Record somewhere on the drive. Consult a data recovery/virus guru, and have him or her replace the MBR on the inaccessible machines.

-BPB

------------------------------

Date: Mon, 12 Feb 1996 06:24:36 -0500 (EST)
From: David Harley
Subject: Re: spartan? (PC)
X-Digest: Volume 9 : Issue 26

DDenoncour (ddenoncour@aol.com) wrote:

: All of a sudden I had no disk space. There is a file in my root directory
: called 386spart.par occupying 28,311,552 bytes of my hard drive. I called
: Compusa tech support and he thought it was some kind of partition file. (I
: never saw it before. It is a hidden or system file - dir /a - to
: find it. Then, I called my tech support (DEC for Starion 500) and after
: waiting 40 minutes on hold, the tech guy told me he thought I had the
: spartan virus. The file date was today and time was 8:39 this
: morning...just after I had exited the WWW via AOL.

I suggest you review your tech support arrangements. 386SPART.PAR is your Windows swap file. From the a.c.v. FAQ:

What is 386SPART.PAR?
- --------------------

People are sometimes alarmed at finding they have a hidden file with this name. It is, in fact, created by Windows 3.x when you configure it to use a permanent swap file (a way of allowing Windows to work as if you had more memory than you really do). On no account should you delete it, as it will upset your configuration. If you wish to remove it or adjust the size, do so via the 386 Enhanced setting in Control Panel. However, a permanent swap file usually improves performance on a machine with relatively little memory. The file is not executable as such, and reports of virus infection are usually false positives.

David Harley

------------------------------

Date: Mon, 12 Feb 1996 06:36:10 -0500 (EST)
From: Graham Cluley
Subject: Re: Help on "A" virus (PC)
X-Digest: Volume 9 : Issue 26
In-Reply-To: <01I13TTVRFYQPVIUA3@csc.canterbury.ac.nz>

Betty Ann Feeley <75330.2407@CompuServe.COM> writes:

> I work in PC Services at Avon Products in Rye, NY and recently
> 3 users unearthed the "A" virus on their PCs.

Are you sure the message did not say "detected a virus" rather than "detected A virus"?
Either way this is not a regular virus name and I cannot imagine any anti-virus vendor would be stupid enough to call a virus "A" because of all the confusion it would cause. Maybe it was a false alarm? I would recommend scanning with an anti-virus product which does more precise identification.

> We use a
> Novell product called LANDesk Virus Protect 2.13 that notifies
> the user of the virus name,

Actually this is an Intel product which gets bundled with Novell sometimes.

> and location of the corrupted file.
> All 3 users attempted to delete the virus with VProtect; upon
> doing so, the C drive can no longer be recognized.

Yuck.

> We've called Novell for support; they informed us that they've
> never encountered a virus with this name, but that most likely
> it's a boot sector virus.

Complete guesswork on their behalf. I'm really beginning to think that LANDesk was either false alarming or failing to identify a virus correctly. You are now discovering the consequences of these inadequacies. I hope you had a good backup. :-(

> If anyone has heard of this virus or has any suggestions,
> please reply.

The "A" virus does not exist. I don't know why LANDesk gave you that message. Maybe it was using some heuristic method to detect a virus that was unknown to it so it was unable to give a name. Either way it was unable to fix your problem.

I would restore from a recent backup and run some of the other good anti-virus products (e.g. Dr Solomon's, AVP). If you do really have a virus they will tell you what it is (naming it by name) and will also probably be able to offer you clean-up as well.

Regards
Graham

- --
Graham Cluley CompuServe: GO DRSOLOMON
Senior Technology Consultant, UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 12 Feb 1996 06:38:06 -0500 (EST)
From: Fridrik Skulason
Subject: Re: MtE Virus (PC)
X-Digest: Volume 9 : Issue 26

In <0010.01I0V99DGEBQPVHY7M@csc.canterbury.ac.nz> Robert Selby writes:

>Using F-Prot 221, I have found the MtE virus on a computer
>disk I was preparing to send to over 100 other users. What
>is the MtE virus and what does it do? How do I get rid of
>it?

If this is reported in just a single file, and in particular if this is not an executable file, this may well be a false alarm. There have been a few cases in the past of false MtE alarms, and this could be one of them.

On the other hand, if this is reported in multiple, executable files, it is almost certainly one of the MtE-using viruses - F-PROT does not identify them properly or disinfect them at the moment, but that feature will be added when we have finished a major revision of the scanner that is currently going on.

- -
Fridrik Skulason Frisk Software International phone: +354-5-617273
Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274

------------------------------

Date: Mon, 12 Feb 1996 07:01:12 -0500 (EST)
From: Bob Brown
Subject: Cpw Virus (PC)
X-Digest: Volume 9 : Issue 26

I have recently contracted the Cpw Virus. I had a look in F-Prot v2.19 at the virus information but it doesn't give me any decent information. Can anyone tell me (please EMAIL me) exactly what it does? Also, how can I receive the latest version of F-Prot via email? I did it last time, but I forgot how I did it.
Thanks,
- Bob -

------------------------------

Date: Mon, 12 Feb 1996 08:48:17 -0500 (EST)
From: Oeyvind Pedersen
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 26

As this case directly refers to the Norwegian distributor, I feel that I have to answer this:

In article <0025.01I13T9JMX4OPVIUA3@csc.canterbury.ac.nz>, Henrik Stroem wrote:

>Well, actually Vesselin, I've been trying to purchase the English
>shareware version of F-Prot for years now, without succeeding. Frisk
>does not reply, and sales@complex.is says I cannot PAY for the
>"shareware" version. They say I ***MUST*** buy the Commercial,
>Norwegian, F-Prot Professional (some other product, as you say
>yourself). In fact it seems like the "Shareware" version of F-Prot is
>not actually Shareware at all. At least not if you are accessing the
>Internet from e.g., Norway, or most other countries in the world which
>happen to have some agreement with Frisk Software International.

This is made perfectly clear in the text that pops up every time you start F-PROT on a Norwegian computer.

>A couple of years ago (if not more), I advised the University of
>Trondheim to purchase a site license for the Shareware version of
>F-Prot. It being on the Internet makes it very easy to get upgrades in
>a timely manner. It contains a scanner and a resident scanner. Nothing
>more. Which is exactly what we want. The scanner.

I won't argue on what you want; what you need is another matter.....

>They followed the instructions that come with the "shareware" version
>of F-Prot, and sent their order, and their money, directly to Iceland.

After we already told you