VIRUS-L Digest   Wednesday, 21 Feb 1996    Volume 9 : Issue 29

Today's Topics:

Re: John Lenon Virus
Re: Student use of PCs
Re: Math definition of virus?
Re: Computer Viruses - A Dying Art???
Re: Flash BIOS viruses?
Re: E-mail Viruses
Re: Anti-virus information and the great unwashed
Re: WWW Virus Scanners
Re: Computer Viruses - A Dying Art???
Virus simulator to test against anti-virus software???
Re: Student use of PCs
Re: John Lenon Virus
Re: Microsoft is shipping Viruses!
Re: Death Ray Virus Question
Re: Computer Viruses - A Dying Art???
Re: antivirus software for Windows NT? (NT)
Re: Intel Vprotect (NW)
Re: Intel Vprotect (NW)
Problem with MACPPP - Is this a virus? (MAC)
Re: Microsoft Word automacros (MAC,WIN)
Re: Chavez Virus for Windows 95 (WIN95)
Re: Dr Solomons Win95 Install &SNA Client (WIN95)
How do I get rid of Windows Sonar Virus? (WIN)
Question: Is this a virus? (unwise.exe) (WIN)
Re: What do i have? how do i get rid of it? (PC)
Re: KOH in Mainstream Press (PC)
T.B.A.V (PC)
Re: Hooking the `different floppy in drive' condition (PC)
How Do I Get Rid of Form_A? (PC)
Help...weird keyboard problems possible virus? (PC)
Re: LAN-wide antivirus s/w solution? (PC)
Boot problems--New virus? (PC)
Re: AVPLite (PC)
Jackal virus problems (PC)
Virus Warning for o2cv06.zip from ftp.delorie.com (PC)
Summary: * NEW VIRUS? HELP! * (PC)
Backform.2000.a (PC)
Re: AntiExe- What are the sysptoms? (PC)
Re: Quality Anti-Virus Programs (PC)
Re: Help with Cascade (PC)
Re: Unknown Virus (PC)
Re: AntiExe- What are the sysptoms? (PC)
Re: AntiExe- What are the sysptoms? (PC)
Re: Disabled floppy--is it a virus symptom? (PC)
PC-Cillin AV (PC)
Re: Stealth_Boot.C (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus
issues; comp.virus is a gatewayed and non-digested USENET counterpart.
Discussions are not limited to any one hardware/software platform--diversity
is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on CS.UCR.EDU
(IP number 138.23.169.133) or upon request.) Please sign submissions with
your real name; anonymous postings will not be accepted. Information on
accessing anti-virus, documentation, and back-issue archives is distributed
periodically on the list. A FAQ (Frequently Asked Questions) document and all
of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current
FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g.,
comments or suggestions) should be sent to me at:
n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken
van Wyk at: krvw@mnsinc.com.) All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Sun, 18 Feb 1996 08:13:49 -0500 (EST)
From: Iolo Davidson
Subject: Re: John Lenon Virus
X-Digest: Volume 9 : Issue 29

In article <0002.01I1BRQ6MJ8SQKFBM4@csc.canterbury.ac.nz>
netonnow@freenet.edmonton.ab.ca writes:

> If anyone has information regarding the John Lenon Virus (possibly
> called the John Lenon Logic Bomb), then please inform me by mail.

Where did you get this name? Most AV products avoid using proper names
(people, places, companies, etc) for viruses, amongst other rules.

Who is this "John Lenon" anyway?

- -
     FIRST MEN BUY IT          THEIR FRIENDS
       THEN APPLY IT            TO TRY IT
                                THEN ADVISE
                  Burma-Shave

------------------------------

Date: Sun, 18 Feb 1996 10:38:38 -0500 (EST)
From: Robert Turner
Subject: Re: Student use of PCs
X-Digest: Volume 9 : Issue 29

William Pipher wrote:

% Pat Gannon-Leary wrote:
% > Hope this request is not too basic: I'm (obviously) a novice on this
% > list:-
% >
% > We're just introducing PCs as public access catalogs in our small
% > University library. There is a facility on the PAC which allows the
% > down-loading of booklists etc. to a floppy.
% > Bearing in mind our limited
% > funds, how do we best protect our PCs from the introduction of viruses -
% > virus protection software, virus scanner, or what?
%
% If I was doing it on the cheap or if hard-diskless PC's were not an
% option, I'd want to write-protect the hard-drives at the hardware
% level if at all possible.

Agreed - we use a four stage procedure against hacking on our public
access PCs (our P/A OPAC machines are VT220 terminals, so are reasonably
secure).

1) The machines are configured to be C: drive bootable only - this is
   either done through CMOS or by setting the machine so that the floppy
   disc is drive B: and using ASSIGN.

2) A keyboard disabler is run on bootup so that the machines cannot be
   crashed before the login prompt appears (all of our public access PCs
   are login only - there are no 'free access' PCs). The enabler is run
   just before the login program is run.

3) Dr Solomons' Guard is run as an automatic part of the startup
   sequence. We have had some minor problems with this recently, but it
   has solved most of our virus problems in the last few years.

4) The HDDs are split into a C: and D: partition, and the C: partition is
   write-protected using a software protection program adjusted in house
   from a public domain version available on the nets.

The programs used in parts 2 and 4 are available from:
http://www.brunel.ac.uk:8080/~ccusrdt/pc_sourcecode

% Regardless, it makes sense to automatically scan for boot-sector
% viruses each floppy disk as it is used if you can. These are such a
% problem for us that we can never scan too often.

This I would agree with 150% - before we invested in a site licence for
the Solomons' toolkit we had a major virus attack every fortnight or so
(>50 machines infected). Now, we have had one such attack in the last 18
months, and that was due to a mistake by an engineer!
Robert

Rob Turner, PC Support        email : Robert.Turner@brunel.ac.uk
Brunel University
London, England               umtsb5/75

------------------------------

Date: Sun, 18 Feb 1996 12:46:28 -0500 (EST)
From: Fred Cohen
Subject: Re: Math definition of virus?
X-Digest: Volume 9 : Issue 29

Marcelo Hiratsuka wrote:

> Does anybody know where can I find a Math definition of virus?

F. Cohen, "Computer Viruses", 1986 available for $98 from Management
Analytics

Also in the appendices to:
F. Cohen - A Short Course on Computer Viruses - Wiley and Sons, 1984

Also in Computers and Security - about 1988?

- -> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

------------------------------

Date: Sun, 18 Feb 1996 12:46:28 -0500 (EST)
From: Fred Cohen
Subject: Re: Computer Viruses - A Dying Art???
X-Digest: Volume 9 : Issue 29

dtwolan@ibm.net wrote:

> Somebody told me that computer viruses are dying. He reasoned:
> Since DOS will be overtaken by Win95, OS/2, or another
> operating system (some day), and assembly language programming is made
> for DOS, virus creators have no means to produce destructive code.
>
> Have I been fed a load of hooey? My gut feeling tells me that this is too
> good to be true.

You have indeed been fed a lot of hooey. It is not true.

> I didn't think assembly is *only* for DOS. If one has the ability
> to create viral code surely he can port that code to other operating
> systems.

Yes - but you don't have to write viruses in assembler. The first
experiments with viruses used viruses written in C. Viruses have been
written in almost every computer language including in spreadsheet macros,
word processing macros, Basic, various assemblers, C, the Unix Shell, the
VMS command interpreter, Java, DOS .bat files, LISP, and many other
languages.
- -> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

------------------------------

Date: Sun, 18 Feb 1996 12:59:37 -0500 (EST)
From: Steven Hoke
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 29

Rodney Korn was heard to say:

> Also it should be noted that every flash bios has an area of
> non-volatile memory which is used to reprogram the chip to a known
> default state by jumpering and powering. This would allow the user
> to boot and apply the correct flash bios update.

This isn't really true. I've had a flash BIOS fail an update, and had to
have the chip replaced by the system vendor. There was no way to get the
chip to a "default" state (confirmed by Micron's tech support). Since the
BIOS was corrupt, there was no way to boot the system and flash the BIOS.

Micron had so many people flash their BIOSes with the wrong update, and end
up with a dead system with Micron having to ship out a pre-flashed BIOS in
each case, they password protected the updates on their BBS. You had to
call tech support, and they wouldn't give you the password until they had
looked up your system, and determined what update file you needed, to
prevent people from corrupting their BIOSes.

- -
- -==Steve==--
shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Sun, 18 Feb 1996 13:18:39 -0500 (EST)
From: Tom Simondi
Subject: Re: E-mail Viruses
X-Digest: Volume 9 : Issue 29

VIRUS-L Moderator penned:

> VIRUS-L Digest Sunday, 18 Feb 1996 Volume 9 : Issue 26
>
> [Moderator's note: I'm sure this will likely kick-off a debate about what
> a "real" Email virus would be like. Some will say what Anthony describes
> is a non-Email virus being delivered by Email and propagating through a
> special set of circumstances. Whether this is "general enough" to count
> as an Email virus or not will then be up for debate. Any takers?]
Well, since it was my message that sparked the comment and moderator's
note, I'll take a stab at it; specifically with a quote from my tutorial:

"Pure data files (like text messages) do not execute so even if they
contain the code for a virus, they cannot cause an infection."

"That said, it's important to note that many modern programs have a macro
language that allows you to extend the functionality of the program. Some
of these macro languages are very powerful and viruses can be written in
the macro language. One example of this is a series of Microsoft Word
macro viruses."

"It is also possible to encode executable files and transmit them via
E-mail. If the executable file is infected, the infection will be encoded
along with the file. Just reading the message will not infect your
computer, but decoding and running the file in the message might. It's
therefore very important to watch the settings on your mail programs.
Don't let them automatically decode and run programs in messages. Force
the mail program to decode the file and save it so it can be checked with
anti-virus software before it is executed."

So, I guess we're both right. A straightforward E-mail message cannot be a
virus; but E-mail can, under the right circumstances, transmit a virus. My
original response was to a specific question; the above is a more general
answer.

=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://ourworld.compuserve.com/homepages/ck -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Sun, 18 Feb 1996 16:55:59 -0500 (EST)
From: David Harley
Subject: Re: Anti-virus information and the great unwashed
X-Digest: Volume 9 : Issue 29

Gamin (gamin@gol1.gol.com) wrote:

: This is in response to the "Who needs AV experts?"
: thread, and especially
: to those posters who feel that having to support the panicked ordinary
: user is a serious pain, and life was better when only the cognoscenti
: could access, understand and use AV materials.

I'd be rather interested to know who you consider feels this....

: Sure, as Ken suggests, they could read the manual. Some of them even
: do. But, most manuals are, i fear, seriously daunting books, that most
: people do not understand. I read the manual all the time, and after all
: these years, i wonder who writes some of them, or whether they were
: translated from some obscure altaic tongue. And, most manuals do not
: include information on viruses. So, RTFM is not always a useful response.

Reading the manual isn't the issue. Reading the FAQ is. As I've posted
previously, it isn't always reasonable to expect a panicked user to read
the FAQs. However, it's not reasonable to expect dozens of gurus to respond
immediately, or at all, to the 7th request of the week for information on
the Good Times hoax....

: What I wish would occur, is that a couple of really good AV companies
: would get into bundling arrangements with hardware manufacturers, so that
: AV programs and AV knowledge, would come with a system. If not with the
: hardware manufacturers, then with a few other non-AV software firms.

Nice idea. But whose job is it to start the negotiations? Frankly, what
you're talking about is marketing, not virus control. The last time anyone
tried anything like this, we finished up with MSAV.....

: Speaking of which, I have one. I have never seen the address for
: subscribing to the virus-l list actually posted (not all of the messages
: get to our feed, I suspect, as we are far abroad from their origins).
: So, if the moderator has time, could he post it again.

mailto: LISTSERV@LEHIGH.EDU
message: SUB VIRUS-L your name

I wouldn't dream of saying RTFFAQ......
DH

[Moderator's note: Apologies--I'd normally have tacked on a note there
with the answer about subscribing that David just supplied...]

------------------------------

Date: Sun, 18 Feb 1996 17:25:27 -0500 (EST)
From: Wayne Riddle
Subject: Re: WWW Virus Scanners
X-Digest: Volume 9 : Issue 29

Rik V Flor/ADD_LAKE_HUB/ADD_HUB/ADD/US wrote:

>It looks like McAfee has released a product called "WebScan" which
>apparently automatically scans downloaded files for viruses. Any
>prevailing opinions on this product or any others of its type that will
>most likely be released? How useful are they if used in addition to a
>regular scanning regimen?

It might be handy for people that download files and forget to scan them
before running them. However, if you have a memory resident scanner that
will take care of this problem.

Wayne Riddle
riddler@agate.net
http://ourworld.compuserve.com/homepages/riddler

------------------------------

Date: Sun, 18 Feb 1996 18:09:48 -0500 (EST)
From: Kenneth Albanowski
Subject: Re: Computer Viruses - A Dying Art???
X-Digest: Volume 9 : Issue 29

On Tue, 13 Feb 1996 dtwolan@ibm.net wrote:

> Somebody told me that computer viruses are dying. He reasoned:
> Since DOS will be overtaken by Win95, OS/2, or another
> operating system (some day), and assembly language programming is made
> for DOS, virus creators have no means to produce destructive code.
>
> Have I been fed a load of hooey? My gut feeling tells me that this is too
> good to be true.
>
> I didn't think assembly is *only* for DOS. If one has the ability
> to create viral code surely he can port that code to other operating
> systems.

Viral code can be written in nearly _any_ computer language, not just
assembly. While some types of viruses ("stealth" viruses, in particular)
need low-level access to the computer, which usually requires a language
like C or assembly, a viable virus can be written in most any language.

However, the rest of the argument is also "a load of hooey", as you put it.
You can program in assembly for any environment, not just DOS. DOS is still
present in the "Windows '95" product, and you don't _need_ assembly
language programming to make a virus anyhow. (Though it makes it easier.)

Also, viruses are written for Macintoshes and other machines without DOS or
an Intel microprocessor. They can still be written in assembly language. Or
not, as the author pleases.

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sun, 18 Feb 1996 19:29:59 -0500 (EST)
From: "Linh C. Nguyen"
Subject: Virus simulator to test against anti-virus software???
X-Digest: Volume 9 : Issue 29

Hello all,

I am responsible for testing one of the antivirus software packages for my
project. But I can't figure a way to test it?? How could I tell that the
antivirus software passes all critical elements?? Is there a way to
simulate a virus on the system, let's say a fake one???

Thanks!

Linh Nguyen
linhn@cap.gwu.edu

[Moderator's note: -Some- information on the issues raised here is
contained in various places in the FAQ. Also, Q&A F6--What are "virus
simulators" and what use are they?--should be of some assistance, as the
simple concept of using simulators to test AV software hides some very
thorny issues.]

------------------------------

Date: Sun, 18 Feb 1996 20:47:34 -0500 (EST)
From: Safetynet
Subject: Re: Student use of PCs
X-Digest: Volume 9 : Issue 29

Here's one solution achieved with our StopLight security software. It's
used quite frequently to clamp down the configuration of public PCs.

1. Set the C: drive to Read and Execute only (in User Trustee Assignments)
2. Add additional Trustee Assignments to allow certain programs to write to
   data files (e.g. c:\386spart.par)
3. If required, add Read and Write privileges to a data directory, but do
   not give Execute privileges to that directory.
4. Set "Disable copying EXE and COM files".

Additionally, set the boot order to C: first and then A: via BIOS.
Various flavors of StopLight (DOS/Win3, Win95/Win3/DOS, OS/2, LAN) can be
downloaded from our WWW and FTP sites.

Regards,
Bob Janacek - Technical Director
Safetynet, Inc. - Antivirus, security and network management software
http://www.safe.net/safety/ || ftp://ftp.safe.net/pub/safetynet/
Novell Professional Developer, IBM DAP

------------------------------

Date: Mon, 19 Feb 1996 06:10:45 -0500 (EST)
From: Graham Cluley
Subject: Re: John Lenon Virus
X-Digest: Volume 9 : Issue 29
In-Reply-To: <01I1BRQ6MJ8SQKFBM4@csc.canterbury.ac.nz>

netonnow@freenet.edmonton.ab.ca writes:

> If anyone has information regarding the John Lenon Virus (possibly
> called the John Lenon Logic Bomb),

You probably mean "Chance" (aka Lennon). Here's a description from Dr
Solomon's:

Chance.B
Alias: Lennon

Description: Chance.B is a memory-resident boot sector virus which infects
the boot sector of floppy disks and the DOS boot sector of the harddisk.
The hard disk's original boot sector is saved in sector 2 of track 0, just
after the partition sector (MBR).

On the 8th of December the virus plays the Lennon/McCartney tune "Give
Peace A Chance" and prints:

"All we are saying is give peace a chance (J.Lennon)"

This message is encrypted in the virus body and is not visible. John Lennon
was killed on the 8th of December, 1980.

> then please inform me by mail.

I'll email you as well.

Regards
Graham

- --
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 19 Feb 1996 06:31:35 -0500 (EST)
From: Fridrik Skulason
Subject: Re: Microsoft is shipping Viruses!
X-Digest: Volume 9 : Issue 29

In <0007.01I1BRQ6MJ8SQKFBM4@csc.canterbury.ac.nz> ruben@ralp.satlink.net
writes:

>Do any person believe that IMPORTANT companies will release virus in
>diskettes ???

Of course...they do all the time....even Microsoft has distributed
viruses, just not in this particular case.

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 19 Feb 1996 06:40:36 -0500 (EST)
From: Fridrik Skulason
Subject: Re: Death Ray Virus Question
X-Digest: Volume 9 : Issue 29

In <0009.01I1D2ZN3N7EQKFBM4@csc.canterbury.ac.nz> Jesse P {CCGATE1 C41JPS}
Salinas writes:

>I had a call from a friend regarding whether we had any experience
>with the Death Ray virus.

"Death Ray" is not the CARO name of any virus...the one that comes closest
is Darkray, but this may be something entirely different.

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 19 Feb 1996 08:21:15 -0500 (EST)
From: R Ribeiro
Subject: Re: Computer Viruses - A Dying Art???
X-Digest: Volume 9 : Issue 29

In article <0003.01I1DQUH5X6WQKFBM4@csc.canterbury.ac.nz>, dtwolan@ibm.net
writes:

> Somebody told me that computer viruses are dying. He reasoned:
> Since DOS will be overtaken by Win95, OS/2, or another
> operating system (some day), and assembly language programming is made
> for DOS, virus creators have no means to produce destructive code.
>
> Have I been fed a load of hooey? My gut feeling tells me that this is too
> good to be true.
>
> I didn't think assembly is *only* for DOS. If one has the ability
> to create viral code surely he can port that code to other operating
> systems.

You're absolutely right. There's no such thing as a virusproof system --
what can exist is a not so documented operating system.
Assembly programming in Windows is not so difficult -- I have been studying
that...

Bye,
Rui Ribeiro

------------------------------

Date: Mon, 19 Feb 1996 06:18:33 -0500 (EST)
From: Fridrik Skulason
Subject: Re: antivirus software for Windows NT? (NT)
X-Digest: Volume 9 : Issue 29

In <0015.01I1BRQ6MJ8SQKFBM4@csc.canterbury.ac.nz> Gerry Santoro writes:

>I am looking for recommendations on antivirus software for Windows
>NT systems (servers and workstations). It appears (at least with
>the version we have) that F-Prot does not work with NTFS formatted
>drives.

Well, the NT version has no problems with them, of course, but the ordinary
DOS shareware version should be able to scan files (although it has some
limitations...cannot disinfect boot sectors when run under NT)...what
happens ?

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Sun, 18 Feb 1996 00:33:05 -0500 (EST)
From: WCDove
Subject: Re: Intel Vprotect (NW)
X-Digest: Volume 9 : Issue 29

>>From: "Alfred.Jilka@cc.geolba.ac.at"
>>Date: 18 Feb 1996 02:44:21 -0000
>>Message-ID: <0010.01I1D2ZN3N7EQKFBM4@csc.canterbury.ac.nz>
>>
>>Could someone comment on this product? We got it delivered with "Manage
>>Wise" from Novell. Somewhere in the documents I found a list of viruses

Well, after using this product for three years on a routed 200+ node
token-ring (Novell 3.11 NOS) LAN in a CAN/MAN environment (using IBM 9595
servers, 50 MHz i486DX, 64 MB, 4 duplexed 1&2 GB SCSI drives), I can say
that it's a barely acceptable to marginally ok but not outstanding product.
It seems to detect some common virus on PCs (doesn't always ID them
correctly, so one needs a personally-owned-licensed AV product for
walk-around duties), but I don't much trust it -- it is VERY CHEAP
license-wise, and I was informed (when I had the effrontery to question the
selection of it for our CAN system without so much as comparison tests)
that cost was THE major decision factor.

Intel LANDesk/Intel (Trend) VProtect:

  VProtect.nlm  (currently at 213b release) AV nlm.
  VSCanD.exe    (currently v. 3.00 rev. 08) signature-based DOS
                scanner/remover
  VScan.exe     (currently v. 1.something, old) signature based Windows
                scanner
  VPRule        (currently v. ?, old) rules-based (supposedly) DOS PC TSR
  vpn$lpt.xxx   (currently, .119) signature/scan string file

Poor to worse tech support, $30/call after the 60 day free support period.

Erratic false alarms from VPRule (mostly on WordPerfect for Windows v. 6.1
shared code files and GroupWise executable).

The current VScanD (with current signature files) false alarms on Novell
RPrinter.exe (v. 3.75 or 2.75 -- don't recall what the rev.# is -- maybe
3.75, I don't have my notes here at home) with one of the CVEX family if
RPrinter is resident or has been resident. [BTW, Intel tech support seems
to think the CVEX family of virus are DOS BSV, and suggests that one do an
FDisk/MBR, even though more reliable AV scanners give the host machine a
clean bill of health.]

Does the above help at all?

rgds. wcd.

[MSCS, LAN support person (when I'm not doing my real job) occasional virus
trapper, and perennial writer of technical responses that respond to
technical questions rather than sycophantically agree with the originators
of the request-for-comment].

------------------------------

Date: Sun, 18 Feb 1996 22:48:55 -0500 (EST)
From: Glen D Moffitt
Subject: Re: Intel Vprotect (NW)
X-Digest: Volume 9 : Issue 29

Alfred.Jilka@cc.geolba.ac.at wrote:

> Could someone comment on this product? We got it delivered with "Manage
> Wise" from Novell.
> Somewhere in the documents I found a list of viruses
> it detects. ~132 BSV and ~3000 fileinfectors. This seems a bit weak.
> I know there are the usual discrepancies when counting the beasts,
> but the figure seems a bit low anyhow. The userinterface is not too
> impressive. We even had to disable it on our servers, as the workload
> was too heavy for a 486/66 (I know, pretty slow for a server, but the
> product is still unusable).

This is the server product?..Because we have Landesk (intel product, which
is pretty good) we have licences for vscan, which is the client product you
can run at the client or from the server. So we're using that to cover
ourselves while we evaluate other products. See a previous message in this
group re: Intel's product..really made by Trend Micro Devices, I believe,
out of Taiwan.

We've had problems running vscand (the dos version) from the server. Some
Pentium HP systems flip out during or after the scan, also some older
Dells. Also, it's come up occasionally with virus notifications like the
"Generic" (its word) virus, or the "readiosys" virus. Using Mcafee,
F-Prot, Dr. Solomon on those did not turn up any virus. So yes, somewhat
weak. Does catch standard boot sector viruses, though, so has been useful
in cleaning up those.

I doubt we'll use it in the long run.

Glen Moffitt
glenm@seanet.com

------------------------------

Date: Mon, 19 Feb 1996 01:21:13 -0500 (EST)
From: Wah Keung Chan
Subject: Problem with MACPPP - Is this a virus? (MAC)
X-Digest: Volume 9 : Issue 29

I am having the following trouble with the MACPPP: every once in a while
the Mac PPP launches by itself and dials to the number for my internet PPP
service. Have others experienced the same problem? Is this a virus?

Any suggestions will be greatly appreciated.
Wah Keung Chan

------------------------------

Date: Sun, 18 Feb 1996 17:27:01 -0500 (EST)
From: David Harley
Subject: Re: Microsoft Word automacros (MAC,WIN)
X-Digest: Volume 9 : Issue 29

Joseph Stafford (stafford@twsuvm.uc.twsu.edu) wrote:

: I use the command to disable auto macros in my autoexec macro
: for Microsoft Word. With this in effect Wizards will not start
: automatically. However after a Wizard is manually started it seems
: to re-enable auto macros, since other Wizards will start automatically
: afterward.

Eek! I hadn't thought of that one. Indeed, a Wizard is simply a template
with a .WIZ extension instead of a .DOT which includes an AutoNew macro
which calls a StartWizard macro. Thank you for drawing my/our attention to
this possible entry-point. Can the vendors who haunt this forum comment on
whether this is a real threat and whether, if so, their products do or will
address it?

David Harley

------------------------------

Date: Mon, 19 Feb 1996 06:24:42 -0500 (EST)
From: Graham Cluley
Subject: Re: Chavez Virus for Windows 95 (WIN95)
X-Digest: Volume 9 : Issue 29
In-Reply-To: <01I1DQUH5X6WQKFBM4@csc.canterbury.ac.nz>

Alan Fraser <100437.2552@CompuServe.COM> writes:

> This week's "PC Week" in the UK has a report about the Chavez
> virus for Windows 95. Does anyone know if this is in the wild,
> and if so, is there any AV scanning product that can detect it?

The article in the UK edition of PC Week is over-excitable journalistic
hype. All the descriptions I have seen of Chavez suggest it is the well
known virus Byway (aka Dir.Byway)

The PC Week article appears to be inspired by a Reuters news report from
Caracas. A nameless Microsoft spokesman is quoted as naming the virus
"Chavez" and saying that no anti-virus had been found. Of course, this is
nonsense - most anti-virus products worth their salt have been able to
detect Byway since Q3 last year.
There are other inaccuracies in the PC Week report, including the
suggestion that the virus is "deadly".

So there's nothing new, nothing to get excited about. It's just a couple
of Win95 users in Caracas have been infected by Byway. Big deal.

Regards
Graham

- --
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 19 Feb 1996 06:30:43 -0500 (EST)
From: Graham Cluley
Subject: Re: Dr Solomons Win95 Install &SNA Client (WIN95)
X-Digest: Volume 9 : Issue 29
In-Reply-To: <01I1DQUH5X6WQKFBM4@csc.canterbury.ac.nz>

Mike Taylor writes:

> Just got Win95 v7.56 and was appalled to find that the installation
> routine uses a *DOS* batch file!! I would think that a Win95 app would
> use InstallShield or something a bit more advanced than a batch file.

The installation program for Dr Solomon's Anti-Virus Toolkit for Windows 95
is not a batch file. I think you're probably looking at something else.

> The manual I have says that I should type A:\SETUP to install but no
> such program exists on the diskettes!!

Maybe you're missing a diskette, or you've been sent the wrong diskette by
mistake. If you contact our technical support department they'll be happy
to investigate (number below). I'm copying them on this email so maybe
they'll be able to get in touch with you first.

> Anyone else have any views.
>
> Oh, we have a problem as well, with Microsoft SNA Server Client program.
> If Winguard is running then SNA Client will not run. Disable WinGuard
> and lo and behold, SNA Client works!

Again, our technical support team will be happy to assist with this
problem. Sorry for any inconvenience.

Our Win95 installation routine certainly isn't a batch file!!
:-)

Regards
Graham

- --
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 18 Feb 1996 10:42:32 -0500 (EST)
From: JJGrahm
Subject: How do I get rid of Windows Sonar Virus? (WIN)
X-Digest: Volume 9 : Issue 29

My friend's computer has the Windows Sonar Virus... Anyone know how I can
rid him of it?

------------------------------

Date: Sun, 18 Feb 1996 17:45:27 -0500 (EST)
From: me
Subject: Question: Is this a virus? (unwise.exe) (WIN)
X-Digest: Volume 9 : Issue 29

Question...I was cleaning up my hard drive and came across this in my
windows directory. I have a TSR virus checker and it's never "shown"
anything. I've apparently had this "unwise.exe" file in my Windows
directory since May of 95. One of the people I have dcc'ed files with has
the same file with the same date/time stamp. We've also downloaded some of
the same shareware etc from the net...but neither of us can attribute this
file to anything. Can anyone help me and tell me what the heck this is?

Thanks
Tinker

------------------------------

Date: Sun, 18 Feb 1996 10:54:37 -0500 (EST)
From: Steve Glick
Subject: Re: What do i have? how do i get rid of it? (PC)
X-Digest: Volume 9 : Issue 29

In article <0040.01I0ZP1M7BUSPVIUA3@csc.canterbury.ac.nz>, Dexter Reid
wrote:

> My computer used to start... it won't start now. it won't
>boot from the floppy and the screen is absolutely blank.

This is a long shot but if you get absolutely nothing on the screen (black)
and no floppy disk activity at all when booting from a floppy you may have
somehow clobbered your flash bios and the bios may have to be flashed again
with a recent rev. This problem can occur when someone tries to flash the
bios with a bios for a different model.
Of course you may just have a bad motherboard or as mentioned faulty video card or maybe even a bad power supply. Steve G. ------------------------------ Date: Sun, 18 Feb 1996 03:04:35 -0500 (EST) From: George Wenzel Subject: Re: KOH in Mainstream Press (PC) X-Digest: Volume 9 : Issue 29 In article <0022.01I1D2ZN3N7EQKFBM4@csc.canterbury.ac.nz>, Iolo Davidson wrote: >> Having talked directly with the author of this article, he said >> that he wrote that article as a farce. Looks like you only found >> one area that you thought was funny, though. > >Spoofs on virus themes always backfire. I don't suppose there is >any hope of the people who write them realizing this? I'd have to disagree here. The whole discussion about the mouse-ball virus on alt.comp.virus was quite humorous, and never really backfired. Regards, George Wenzel ("`-''-/").___..--''"`-._ George Wenzel `6_ 6 ) `-. ( ).`-.__.`)Student of Wado Kai Karate (_Y_.)' ._ ) `._ `.``-..-' U of A Karate Club _..`--'_..-_/ /--'_.' ,' HTTP://www.ualberta.ca/~gwenzel/ (il),-'' (li),' ((!.-' PGP Public key available on request ------------------------------ Date: Sun, 18 Feb 1996 04:41:49 -0500 (EST) From: Vince Gittins Subject: T.B.A.V (PC) X-Digest: Volume 9 : Issue 29 I have read that TBclean executes viruses to check where it is attached to the file. If this is so does that mean a clever virus may be able to exploit this and infect by escaping from the TBclean controlled area of memory.. I ask this because I am using TBAVW at the moment and am concerned if I get an attack, is it safe to use TBclean? ------------------------------ Date: Sun, 18 Feb 1996 10:34:50 -0500 (EST) From: R Ribeiro Subject: Re: Hooking the `different floppy in drive' condition (PC) X-Digest: Volume 9 : Issue 29 Yes, it's possible, but not a easy task. Maybe you should hook INT21h as well. The INT13h will set a flag, and then the INT21h handler would do the work: it's safer this way. There's one big problem: Windows'95. 
Rules change, and if you want this to work under Windows you got to write a .VXD too. (don't ask me question about the latter please!). Bye, Rui Ribeiro ------------------------------ Date: Sun, 18 Feb 1996 12:24:52 -0500 (EST) From: Greg Barrett Subject: How Do I Get Rid of Form_A? (PC) X-Digest: Volume 9 : Issue 29 I have just installed Windows95, then two days later I installed McAfee VirusScan95 (30-day evaluation copy) and discovered I picked up the Form_A virus. Now I need to get rid of it. I can't figure out how to do it using McAfee. I did try booting from a system disk and running fdisk /mbr as an earlier article recommended, but no effect. Any suggestions? ------------------------------ Date: Sun, 18 Feb 1996 16:28:33 -0500 (EST) From: Joel Elliot Slotkin Subject: Help...weird keyboard problems possible virus? (PC) X-Digest: Volume 9 : Issue 29 Hi...I'm running a PC with win95 and I've been having a problem which Gateway 2000's tech support suggested might be a virus. It started a few days ago. Basically, the keyboard just started generating lots of backslashes at the maximum repeat rate (changing the repeat rate in win95 had no effect). The key appeared fine physically, and still was perfectly responsive. Unplugging the keyboard made it stop. Turning off the computer and turning it back on did NOT, however...on boot-up, the pc speaker started making noises as if the keyboard buffer were being overloaded, and this often prevented win95 from loading properly. This occurred *very* early in the boot process. Unfortunately, I can't remember if it was before or after the hard drive got initialized. The next day or so, everything seemed fine. Then on Friday it happened again-- with the FORWARD slash, this time. At this point, I downloaded McAfee for win95 and F-prot for dos and tried them, but they didn't find anything. Saturday everything was fine. Today, it's happening with DELETE, which is extremely awkward. 
I tried hitting control-alt-suspend macro and because the delete was going I accidentally rebooted. Then because the delete was still going it activated the CMOS setup. I currently have all my delete keys remapped to other things and am waiting to see what will happen. So far nothing. I would just assume it was a hardware problem except for the semi-systematic way that it moves from key to key. Does anybody have any ideas about this? Please let me know if you need more info on the symptoms. Also, if you have any ideas, I'd appreciate it if you responded by email as well as posting it, just so I'll be sure to catch it. Thanks in advance, sorry to bother everyone if it turns out to be a hardware short-circuit... -Joel Slotkin wooga@uclink2.berkeley.edu ------------------------------ Date: Sun, 18 Feb 1996 20:36:22 -0500 (EST) From: Safetynet Subject: Re: LAN-wide antivirus s/w solution? (PC) X-Digest: Volume 9 : Issue 29 Clark Dowding wrote: > I've got a Netware 4.1 network with Windows 3.1, Windows 95, and DOS > work stations. I want to run some network wide anti-virus software. VirusNet LAN (vnlan.exe) is available for downloading from our WWW and FTP sites. It is based on the F-Prot scanning engine, and includes central control over software distribution and scheduled client events. - ------------------------------- Bob Janacek - Technical Director Safetynet, Inc. - Antivirus, security and network management software http://www.safe.net/safety/ || ftp://ftp.safe.net/pub/safetynet/ Novell Professional Developer, IBM DAP ------------------------------ Date: Sun, 18 Feb 1996 20:39:25 -0500 (EST) From: Eric Asch Subject: Boot problems--New virus? (PC) X-Digest: Volume 9 : Issue 29 My system will not boot into NT or Linux. Dos seems fine. This is only affecting the ide drives that I have. Nt goes through the os loader gets to the blue screen and then dumps with an inaccessible_boot_device. This happened after I restarted yesterday. 
Linux gave me a message about "no bios32 extensions present". Dos loads fine. Mcafee (jan. dat file) found nothing. Please help! Thanks in advance, Eric waxxworx@panix.com ------------------------------ Date: Sun, 18 Feb 1996 23:06:55 -0500 (EST) From: Iolo Davidson Subject: Re: AVPLite (PC) X-Digest: Volume 9 : Issue 29 In article <0036.01I1DQUH5X6WQKFBM4@csc.canterbury.ac.nz> mccloyj@aol.com "McCloyJ" writes: > I have a virus with f-prot doesn't detect. How do you know? - - FIRST MEN BUY IT THEIR FRIENDS THEN APPLY IT TO TRY IT THEN ADVISE Burma-Shave ------------------------------ Date: Mon, 19 Feb 1996 01:06:50 -0500 (EST) From: Arthur McMahon Subject: Jackal virus problems (PC) X-Digest: Volume 9 : Issue 29 Recently were I work, we ran into the Jackal vrus. I believe that it had an "3118" extension. We tried McAfee 2.29, F-PROT 2.21, and Dr. Soloman's < I don't remember the version>. All three faileed to remove it. Even from a clean boot, each would clean the virus. But on additional scans it would re-appear. This was fustrating. Finally we fdisked the hard drive recreated the partion, formatted it and then uesd the /MBR on fdisk again. Is there an easier way to deal with this virus??? One not is that at least one scanner reported that it was an "unknown" variant of Jackal. Also Dr. S. renamed the infected file as "command.vom". We deleted it and rescanned. It had infected a different file, FORMAST this time. And yes the A/V disked we used were scanned REPEATEDLY after this. with several additional A/V scanners, all the disks showed clean. So any suggestions??? 
* artmc@nb.net * ------------------------------ Date: Mon, 19 Feb 1996 03:17:08 -0500 (EST) From: "A.Appleyard" Subject: Virus Warning for o2cv06.zip from ftp.delorie.com (PC) X-Digest: Volume 9 : Issue 29 dj@delorie.com (DJ Delorie) sent to the DJGPP email group (djgpp@delorie.com, about Gnu software) (Subject: Virus Warning for o2cv06.zip):- Anyone who downloaded o2cv06.zip from ftp.delorie.com should DELETE it immediately, and any copy of cwsdpmi.exe that came with it. For safety, I recommend deleting ALL copies of cwsdpmi.exe on your system and re- downloading the cwsdpmi zip from an official DJGPP ftp area. The cwdpmi.exe in o2cv06.zip has a very nasty virus in it, and appears to have been placed on purpose by someone pretending to be from the Trax team (please don't send mail to Trax!). The virus escapes most virus scanners except very up-to-date ones. DJ ------------------------------ Date: Mon, 19 Feb 1996 04:29:12 -0500 (EST) From: "Trevor D. Rotzien" Subject: Summary: * NEW VIRUS? HELP! * (PC) X-Digest: Volume 9 : Issue 29 Thanks to: T. Jones tjones@newrock.com Anders Skoglund a-skoglund@gallivare.se Ken Stieers kens@ontrack.com Bob Charles mode@primenet.com David Harley harley@icrf.icnet.uk Nagy Ferenc Laszlo NFL@labor.obuda.kando.hu Neil Greenberg greenbn@piper.pwgsc.gc.ca Tilman Bohn tbohn@aixterm1.urz.uni-heidelberg.de Brad Konopik konopik@konopik.austin.ibm.com Stacey bikeskii@fc.net Mark Gibb GibbMD@eaglecrest.ksc.nasa.gov Nick FitzGerald (comp.virus FAQ Maintainer) Thanks for all the feedback. There are many generous people on the Net! Shortly after I posted my original note, I located the comp.virus FAQ. Very nice piece of work! Through that, I was able to deduce that my computer was infected with a boot sector virus. The FAQ also contained a simple procedure to get rid of it. It also educated me as to how to use virus scanners / disinfectors correctly. Highly recommended, and my gratitude to the maintainer, Nick FitzGerald. 
Most of the notes I received confirmed what I had read in the FAQ, though a few offered some misdirection. Moral: always get at least a second opinion. Bottom line is that the nasty symptoms my computer was showing are now gone, and I am a more cautious and better equipped PC user... - ------------------------------------------- Trevor D. Rotzien - ------------------------------------------- IBM European Petroleum Application Centre Postboks 585 Madla 4040 Hafrsfjord tel: +47-51-87-70-65 Norway fax: +47-51-87-23-20 - ------------------------------------------- email: trevor@epac.norway.ibm.com Check out IBM EPAC and the PetroBank project at http://www.epac.norway.ibm.com:80/epac/ - ------------------------------------------- [Moderator's note: Much as they are appreciated, I don't usually post thank-you notes, mainly for bandwidth reasons. I have approved Trevor's however, because he sings the praises of the FAQ which is gratifying to hear (and I'm sure I speak for all FAQ contributors there!) -and- as it was an unprompted recommendation, maybe others who haven't read it will now consider looking at it... ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt ..in case you're not sure!] ------------------------------ Date: Mon, 19 Feb 1996 06:02:56 -0500 (EST) From: Stephen Cohen Subject: Backform.2000.a (PC) X-Digest: Volume 9 : Issue 29 I'm hoping someone can help me. McAfee 2.2.6 has identified that I have Backform.2000.a in two of my files. I posted a request for help on McAfee's BBS, but have not heard back so far; I admit to being a little impatient - it's only been 24hrs. McAfee 2.2.6 can't remove it. Any suggestions? If I am able to remove it, how can I prevent it from happening again? Thanks in advance. P.S. Next time I get a virus, how do I get more information on it; I looked through the previous postings (subject to availability) and saw nothing on this. 
------------------------------ Date: Mon, 19 Feb 1996 06:35:18 -0500 (EST) From: Graham Cluley Subject: Re: AntiExe- What are the sysptoms? (PC) X-Digest: Volume 9 : Issue 29 In-Reply-To: <01I1DQUH5X6WQKFBM4@csc.canterbury.ac.nz> Robert Hiscock writes: > Has anyone had any experiance with AntiEXE? If so can you tell me what > the symptoms are. My virus scanner picked it up on some of my floppies > but I didn't seem to be having any problems with my computer. Which anti-virus product are you using? Here's a description of AntiEXE from Dr Solomon's: AntiEXE Aliases: NewBug, D3. Type: Memory-resident boot and partition sector virus. Affects: Write-enabled hard and floppy disks if the computer is booted from an infected (not necessarily bootable) floppy. Some EXE files. File Growth: N/A Description This boot and partition sector virus infects the hard disk when booted from an infected floppy. Diskettes are infected on read access (eg. DIR command). When a certain (unknown as yet) EXE file is being executed or read from a disk (eg. using the COPY command) the virus patches the first byte of the in-memory file image, thus causing unpredictable errors. In most cases the computer hangs. Regards Graham - -- Graham Cluley CompuServe: GO DRSOLOMON Senior Technology Consultant, UK Support: support@uk.drsolomon.com Dr Solomon's Anti-Virus Toolkit. US Support: support@us.drsolomon.com Email: gcluley@uk.drsolomon.com UK Tel: +44 (0)1296 318700 Web: http://www.drsolomon.com USA Tel: +1 617-273-7400 ------------------------------ Date: Mon, 19 Feb 1996 06:36:51 -0500 (EST) From: Fridrik Skulason Subject: Re: Quality Anti-Virus Programs (PC) X-