VIRUS-L Digest   Sunday, 3 Mar 1996   Volume 9 : Issue 34

Today's Topics:

Hard drive hardware write protection
Virus Damage Statistics
What I need in an enterprise-wide scanner
Merry Xmas Strain, What are the Symptoms?
Re: Flash BIOS viruses?
Mac Virus "FNDR ERIK" ?? (MAC)
Aug, 27 1956 Virus? (MAC)
A Bunch of False-Positives? (WIN95)
Re: TBAV 6.51 (WIN95)
New Windows 95 virus or joke? (WIN95)
Re: What detects BOZA virus? (WIN95)
Re: What detects BOZA virus? (WIN95)
Re: MY DOCUMENTS folder virus? (WIN95)
Windows 3.1 goes blind to icons, dies (WIN)
Leap Year date bugs and Michelangelo--Check by Monday (PC)
Re: Viruses that damages hardware (PC)
Re: Ripper and NYB (PC)
Re: What to do with suspected virus? (PC)
FORM_D boot sector virus (PC)
Help me rid the Stoned Empire Monkey virus (PC)
How to boot clean (was: How to remove "Ekaterin" virus?) (PC)
"FOOP" sound familiar to anyone? (PC)
Re: PC-Cillin AV (PC)
PKZ300 Virus (PC)
Divide overflow on floppy access (PC)
MATURITA virus (PC)
Re: Possible Virus? Windows95 (PC)
Re: kbug1720 remover or disinfection? (PC)
Wordperfect 6.1 Virus? (PC)
Problems accessing floppy drive (PC)
How to get rid of Stoned Empire Monkey virus (PC)
FRENCH readers : read this NOW (PC)
Re: DOOM2 DEATH (PC)
Re: McAffee Word Virus Utility (PC)
Re: Possible Virus? Windows95 (PC)
Re: Norton AntiVirus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.

A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 28 Feb 1996 09:01:39 -0500 (EST)
From: Dave Pearce
Subject: Hard drive hardware write protection
X-Digest: Volume 9 : Issue 34

I'm looking for information on the following:

1) Is it possible to take a stock IDE or SCSI controller and write-protect the hard disk, i.e., so that all writes fail?

2) Is it possible to take a stock IDE or SCSI hard drive and write protect it? I know some SCSI hard drives have write protect jumpers but I haven't found any in the 200 - 500 meg range.

Why do I want to do this? Our company has a "self-service" dedicated virus scanning PC for floppies. I have jumpered the write protect switch for the floppies so I can't infect floppies. I have also installed a TSR that write-protects the hard drive through software but would like hardware protection.

Anybody done this or know how to do it? Anybody have a SCSI drive (200 - 500 meg) with a write-protect jumper they want to sell?

------------------------------

Date: Wed, 28 Feb 1996 11:55:45 -0500 (EST)
From: Jeff Beaubien
Subject: Virus Damage Statistics
X-Digest: Volume 9 : Issue 34

I am interested in obtaining statistical information regarding PC virus damage. Examples include: how many viruses are there? what is the estimated amount of financial cost incurred by computer viruses? etc. If someone could provide a reference to an article or book (relatively recent), I would greatly appreciate it.

I am presenting a training session on how to avoid/determine if you have a computer virus.
Such information would be essential to "drive the point home" that viruses cause a great deal of financial damage to corporations, universities, etc. Therefore, this information would give the training participants an incentive to apply the knowledge/skills they learned to the actual workplace.

Thanks in advance for any help provided.

Jeff Beaubien
AnarchyX@charger.newhaven.edu

------------------------------

Date: Thu, 29 Feb 1996 18:58:59 -0500 (EST)
From: jim@numill.com (Jim Richardson)
Subject: What I need in an enterprise-wide scanner
X-Digest: Volume 9 : Issue 34

I have been trying for some time to find a viable enterprise virus protection solution. My network consists of Windows NT servers, with Mac and Win 95 clients. Important issues to me are:

1. Real time file scanning of files being read to or from the NT Server; that would include copies, not only executes.

2. Scanning of Macintosh files on NT volumes; this seems to be a real problem. Intel did it for NetWare, why not for NT?

3. Virus alerts when either Mac or PC clients execute or copy viruses to or from the server.

4. Selectable prescheduled scans of NT volumes; the Administrator should be able to schedule scans easily and efficiently.

5. Single server management for the NT Server domain; the Inoculan product from Cheyenne seems to do this very well.

6. User friendly clients for Windows 95 and Macintosh.

7. In my opinion I am more concerned with the integrity of the NT File Server first and foremost, then the stability of the clients.

So far I've looked at Intel VirusProtect, Cheyenne Inoculan, McAfee VirusScan, and Symantec's products. I'm trying to get Dr. Solomon's, and F-Prot.

Has anyone found a solution that answers these issues?

[Moderator's note: I'm sure you've thought of this too, but expert opinion is that you shouldn't depend upon just one form of antivirus software in putting your enterprise or corporate AV policy in place. Issues of "layering" different approaches to improve overall protection are discussed in the FAQ and elsewhere.]

------------------------------

Date: Fri, 01 Mar 1996 12:12:56 -0500 (EST)
From: Michael D Warner
Subject: Merry Xmas Strain, What are the Symptoms?
X-Digest: Volume 9 : Issue 34

Recently while running SAM Intercept, 4.0.1, the disc doctor detected a strain of merry xmas virus on Arena of Death v1.3.2 which I obtained from a CD Software of the Month Club. The report says not protected by SAM so I trashed the program. Can I expect any side effects, additional infestations or future problems as a result of this virus, and what symptoms does it display? I haven't noticed anything unusual that I'm aware of. Any info would be greatly appreciated.

Michael Warner
mwarner@embryriddle.k12.az.us
Embry Riddle Aeronautical University

------------------------------

Date: Fri, 01 Mar 1996 15:32:34 -0500 (EST)
From: "Derek V. Giroulle"
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 34

Steven Hoke wrote:
>Rodney Korn was heard to say:
>> Also it should be noted that every flash BIOS has an area of
>> non-volatile memory which is used to reprogram the chip to a known
>> default state by jumpering and powering. This would allow the user
>> to boot and apply the correct flash BIOS update.
>This isn't really true. I've had a flash BIOS fail an update, and had to
>have the chip replaced by the system vendor.

Some boards don't even provide the facility to switch off the flash-rom update. A quick check on a board in use here confirmed that there is no such switch/jumper - flash roms and board are wide open ... however we're at ease as long as there is no such virus - a prospect I really dislike... (based on Murphy's law, you see...)

Anyway, that leads me to another question: is there some kind of flash-rom BIOS backup/restore utility, if it still helps after an infection ...? This sure is a prospect I don't like...
Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see what you went in for (based on fvu's definition of panning)

------------------------------

Date: Fri, 01 Mar 1996 19:09:02 -0500 (EST)
From: Greg Robb
Subject: Mac Virus "FNDR ERIK" ?? (MAC)
X-Digest: Volume 9 : Issue 34

I've been wondering about the file "Desktop FNDR ERIK" for some time. It's been on my hard drive and for a while I thought it was a possible virus when I was having a lot of screen freezes. I've reformatted my hard drives and now it is not on them.

Below are the results of a Disk Wizard scan of a few Syquest cartridges and a couple of floppies. As you can see, "ERIK" is on only one of the Syquests and on both of the floppies - it's also on my brand new preformatted floppies. The "ERIK" on the "#4-44MB" has no modification date - and last year when I was investigating "ERIK" as a possible virus, the size, and I think the dates too, would change on successive FileBuddy scans for invisible files on both my hard drive and on my floppies. "ERIC" is on some but not all of the commercial floppies I've looked at.

Does anyone know about or have this file on their media or drives?

Name      Type  Creator  Size   Created   Modified  Volume
Desktop   FNDR  ERIK     60K    9/10/93   2/29/96   MISC
Desktop   FNDR  ERIK     286    1/19/95   ?         GREG #4- 44 MB
Desktop   FNDR  ERIK     286    2/20/96   2/20/96   Untitled
Desktop DB  BTFL  DMGR   44K    3/1/94    2/20/96   SyQuest 1- ROBB
Desktop DB  BTFL  DMGR   20K    3/1/94    2/21/96   SyQuest 2 - ROBB
Desktop DB  BTFL  DMGR   28K    2/7/95    3/24/95   SyQuest 3 - ROBB
Desktop DB  BTFL  DMGR   60K    1/19/95   2/20/96   GREG #4- 44 MB
Desktop DF  DTFL  DMGR   148K   2/7/95    3/24/95   SyQuest 3 - ROBB
Desktop DF  DTFL  DMGR   515K   1/19/95   2/20/96   GREG #4- 44 MB
Desktop DF  DTFL  DMGR   108K   3/1/94    2/21/96   SyQuest 2 - ROBB
Desktop DF  DTFL  DMGR   332K   3/1/94    2/20/96   SyQuest 1- ROBB

------------------------------

Date: Sat, 02 Mar 1996 19:01:30 -0500 (EST)
From:
Subject: Aug, 27 1956 Virus? (MAC)
X-Digest: Volume 9 : Issue 34

Does anyone know of a virus that sets the date & time control panel back to Aug 27 1956 whenever you boot up the computer? We have had this computer for many years and it never did that before, but now no matter how many times we change the date it just goes back to Aug 27 1956 next time we turn on the computer. I have tried Disinfectant 3.6 and Gatekeeper 13 but they didn't find anything. Can anyone give me some ideas on what to do next?

Thanks, email me at uv923@freenet.victoria.bc.ca

Joe Abbott

------------------------------

Date: Wed, 28 Feb 1996 13:28:00 -0500 (EST)
From: Pete Turner
Subject: A Bunch of False-Positives? (WIN95)
X-Digest: Volume 9 : Issue 34

An acquaintance sent me the message below (on her behalf, I apologize for the spelling and grammatical errors). I checked the resources mentioned in the FAQ, and several other AV web sites, but I haven't been able to find anything helpful. I'm also sorry for the dearth of specifics she was able to provide; it seems she panicked and failed to write down all the information the various AV scanners gave her.

Based on my limited knowledge, I'm guessing she encountered a couple of false-positives. Is it possible the changes she found were caused by NAV or some other product "inoculating" files? She just installed Win95 over Win3.1 - could previous AV products have modified her files so that they now appear infected to TBAV (this was the first time she used TBAV)? Since the details are so lacking, I guess her question should have been: "is it likely a virus caused this?"

FYI - I did confirm the three AV products she mentioned are Win95 compatible and her PC never exhibited any "odd behavior" (other than TBAV flagging most of her executables as infected).

Any help or suggestions would be greatly appreciated. TIA.

(PS. Sorry this turned out to be so long.)

- ----

I ran Thunderbyte AV and it found my .COMs and .EXEs infected. Some contained encryption code.
The "high sensitivity heuristic" option came on for Thunderbyte and it began flagging perfectly good .EXEs as infected. I know for sure that some .COMs were infected because one program whose CRC was different was written by me and I haven't recompiled the source for four years. All this time McAfee VShield was oblivious to what was going on.

I exited to DOS and ran Norton AV for DOS. It halted the computer after finding "Avisp" in memory. I rebooted, went into DOS and it found another virus in memory. A third reboot revealed nothing in memory or on disk.

I momentarily took leave of my senses and began deleting folders (sans recycle bin) whose main .EXEs Thunderbyte said were infected. I sent Sid Meier's Civilization, MS Office and a few other apps to the great CPU in the sky before sanity returned and I realised I should keep a copy of the virus. It is possible I have removed all traces of it (I hope) but I doubt it.

Have you ever heard of such a virus?

------------------------------

Date: Tue, 27 Feb 1996 19:32:43 -0500 (EST)
From: Wayne Riddle
Subject: Re: TBAV 6.51 (WIN95)
X-Digest: Volume 9 : Issue 34

Erik Verreth wrote:
>Does anybody know how I can prevent TBAV from starting every time I boot
>my PC??
>
>I'm using W95 and already checked the start-up directory...

The following is supposed to work for version 7.0; give it a try for version 6.51.

Using regedit, find the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Place a ; (semi-colon) in front of the TBAV command line value of the key.

BTW, I did send the poster an e-mail; I posted for the information of others reading this.

Wayne Riddle
riddler@agate.net
http://ourworld.compuserve.com/homepages/riddler

[Moderator's note: Thanks. A word of warning though--be careful when using regedit, it can be a dangerous tool in inexperienced hands...]

------------------------------

Date: Fri, 01 Mar 1996 10:52:03 -0500 (EST)
From: "Marijn E. Brummer"
Subject: New Windows 95 virus or joke? (WIN95)
X-Digest: Volume 9 : Issue 34

On February 29 (sic!) at night I noticed small icons, depicting some document or device being zapped by a lightning bolt, appearing in the menu bar of the active program in Windows 95. I did not have a screen capture utility so I could not collect its droppings for lab analysis. I turned the computer off and back on and I did not see it again (so far). No damage to documents or disk was immediately apparent.

Does anyone know anything about this bug? The Boza patch in McAfee's SW did not detect it (but it did not answer its description anyways). Please let me know if you have anything about this!

Sincerely,
Marijn Brummer

------------------------------

Date: Fri, 01 Mar 1996 11:04:36 -0500 (EST)
From: Jeff Oler
Subject: Re: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 34

news@dub-news-svc-5.compuserve.com wrote:
> Which virus scanner can find this virus and can remove it ?

Symantec just released a NAV update to detect and clean the BOZA virus (2/22/96). The update can be obtained from ftp.symantec.com (02NAV96C.ZIP).

Jeffrey J. Oler
Brigham Young University
Jeff_Oler@byu.edu

------------------------------

Date: Fri, 01 Mar 1996 11:24:01 -0500 (EST)
From: S and S Internationa
Subject: Re: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 34

Dr Solomon's AVTK will detect and repair Boza from 7.58. For current versions we can supply an extra driver that will also detect and repair it.

Paul Simms
Tech Support
S & S

------------------------------

Date: Fri, 01 Mar 1996 11:24:05 -0500 (EST)
From: S and S Internationa
Subject: Re: MY DOCUMENTS folder virus? (WIN95)
X-Digest: Volume 9 : Issue 34

Sorry, I have no information on a virus of that description; it sounds more like a problem with Windows 95 than a virus. Try defragmenting the hard disk to consolidate your free space.
Regards
Paul Simms
S & S Tech Support

------------------------------

Date: Sat, 02 Mar 1996 00:37:13 -0500 (EST)
From: George Wenzel
To: virus-l@csc.canterbury.ac.nz
Subject: Re: What detects BOZA virus? (WIN95)

In article <0025.01I1UEAXR4OMQKI9KO@csc.canterbury.ac.nz>, news@dub-news-svc-5.compuserve.com wrote:
>Which virus scanner can find this virus and can remove it ?

I believe that NAV, McAfee 95, and Dr. Solomon's 95 can find and remove the Boza virus, but this really should not be a concern. Boza isn't in the wild, and it isn't expected to be any time soon.

Regards,
George Wenzel

George Wenzel
Student of Wado Kai Karate, U of A Karate Club
HTTP://www.ualberta.ca/~gwenzel/
PGP Public key available on request

------------------------------

Date: Thu, 29 Feb 1996 23:45:53 -0500 (EST)
From: Jim Brady
Subject: Windows 3.1 goes blind to icons, dies (WIN)
X-Digest: Volume 9 : Issue 34

I'm not one to cry wolf, but here's what happened:

First, the background (marble.bmp) disappeared, except for two horizontal strips. Next, a couple of days later, the "Main" and "Accessories" groups disappeared, including some executables that should have been in the \windows directory. One more day, and now all the groups disappeared from the graphical display, and the background consisted of tiny black dots over blue. Then I got read errors. Scandisk found some broken chains and crossed files. Norton found lots of compression errors (disk is MILDLY compressed).

Any ideas for cures, avoidance would be helpful. (Oh, and I did run McAfee virus scan, dated 1/96. Is there a new plague out there for Windows? Shall we blame it all on compression?)

Thanks, all.
- - Jim

------------------------------

Date: Thu, 29 Feb 1996 15:22:20 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan Hoff"
Subject: Leap Year date bugs and Michelangelo--Check by Monday (PC)
X-Digest: Volume 9 : Issue 34

Mark Brader, SoftQuad Inc., wrote in:
>RISKS-LIST: Risks-Forum Digest Thursday 29 February 1996 Volume 17 : Issue 81
>
>Subject: Risks of Leap Years and Dumb Digital Watches [quadrennial posting]
>
>All right now, how many people reading this...
> -> saw a previous appearance of this message in Risks 6.34 or 13.21,
> -> have watches that need to be set back a day because they went
>    directly from February 28 to March 1,
> -> and *hadn't realized it yet*?

OK, I'll admit it. Both of my watches are OK (although one will need to be changed tomorrow), but one of my computers wasn't.

Which reminds me that I sent out a warning about the Michelangelo virus last week, and forgot to add that to the warning. Many computers (how many I have no idea) automatically skip from "Wednesday, February 28, 1996" to "Friday, March 1, 1996". It is quite likely that a number of people will fail to notice this, and get hit by Michelangelo on Tuesday, rather than Wednesday, next week.

And now, if you'll excuse me, I'll go and check all the digital *clocks* around the house ...

======================
ROBERTS@decus.ca  rslade@vanisl.decus.ca  Rob.Slade@f733.n153.z1.fidonet.org
If you can tell good advice from bad advice, you don't *need* any advice
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Tue, 27 Feb 1996 14:58:26 -0500 (EST)
From: "Denis Parslow (Almo Distributing)"
Subject: Re: Viruses that damages hardware (PC)
X-Digest: Volume 9 : Issue 34

[snipping out a nice description on how it could be possible to target a single adapter card, or chipset, or even, sometimes, family of chipsets for damaging the monitor]

>This is similar to the "risk" of having a Flash BIOS on your PC. Although
>it is possible that such a virus could be written, it doesn't seem
>plausible that a virus writer would spend the time to produce a virus that
>would, of necessity, be fairly large.
>
>Compare the number of Video Drivers used with Windows or Win95 (or OS/2
>for that matter) and you realize that the virus would have to either be
>VERY LARGE or the number of cards attacked would have to be VERY SMALL.
>Not a very fertile soil for those virus writers (may they all be hung by
>close friends) to sow.

The problem is that if the person is writing a virus to be malicious, and isn't targeting an AV package as in a 'game', this would be a rational way to stage an attack. You can make a virus that acts only marginally slowly perhaps, so that it spreads quickly if not detected. However, if it is spreading through a system without the targeted chip, it wouldn't be noticed (you can determine the chipset through a BIOS call usually, so if it isn't the target, do not react). The only reason to slow it down is if it gets into a network of similar computers with the target, that it might get more than one card. The only drawback to this plan is that the monitor gets damaged, not the card.

The same concept would work for FLASH BIOS, although one would probably target a particular BIOS mfgr and chipset, to try to narrow down to systems it would be more likely to succeed on. Perhaps choosing a system maker and a model, and using the BIOS info from there. The fact that it has fewer targets would lend to it being a more 'successful' virus by allowing it more chance to spread before being noticed.

Make sense to anyone?

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Tue, 27 Feb 1996 17:14:20 -0500 (EST)
From: Cheryl Garfin
Subject: Re: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 34

I'm still having trouble with the Ripper virus.
This time it crippled the computer so that you couldn't boot up at all. I was told to boot with a clean boot disk and then run a:f-prot /hard /disinf. What will this do? I tried to do this and it said that it didn't have a virus at all. I need help on this one; we have 10 laptops that have both Windows 95 and Windows 3.11 for Workgroups on them. Seems like they are having an awful time with this virus.

Cheryl - Technician
North Iowa Area Community College

[Moderator's note: Ripper is a "data diddler", slowly but surely corrupting the contents of any media written to in infected machines. The existence of such viruses and widespread occurrence of one of them (Ripper) makes good AV precautions an absolute necessity, because if left long enough you may not have unaffected backups to go back to...]

------------------------------

Date: Tue, 27 Feb 1996 17:21:52 -0500 (EST)
From: Doug Muth
Subject: Re: What to do with suspected virus? (PC)
X-Digest: Volume 9 : Issue 34

In article <0040.01I1OVIDD4Q4QKG2H9@csc.canterbury.ac.nz>, Richard and Valerie McKay writes:
: Are there any GOOD programs for virus detection and removal that the
: average idiot can use, or is this perhaps something that is best left to a
: computer tech somewhere? Are the programs available in stores such as
: Egghead, for example, or are there some GOOD programs out as shareware?

F-Prot is pretty easy to use. It can be found on Simtel mirrors.

: Certain things that have happened to my system since last Friday include
: misreporting of file sizes (prior to running defrag), resizing and
: redating of many .dll files, sudden lost clusters appearing, most of which
: WERE part of programs that I use, altered words in my e-mail configuration
: grid for the mailhost on this system (one morning it said mailtsoh or
: something similar... no wonder I couldn't connect with the server!). My
: e-mail program is now displaying any word with a capital T with the T
: immediately under the next letter in the word. Many little irritating
: things are happening here!

Hmm...looks like massive file corruption. While a virus could be doing this, it may be caused by other things, such as a very buggy program or a conflict between devices.

: Also, I was under the impression that viruses were mainly found attached
: to executable files... can they actually come over to one's system in a
: graphic file, or attached to e-mail these days?

In theory, you could use some hex-editing programs and place a virus in a GIF or similar file, but who would execute a GIF file?? As for the e-mail, an infected program or a document with an infected macro could be attached to an e-mail and sent, but there is no infection as long as the recipient does not execute the program or the macro.

Regards,

Finger dmuth@oasis.ot.com for PGP public key and geek code
Anti-virus software and utils: ~dmuth/virus/virus.html
The Transformers fanfiction: ~dmuth/tf/tf.html
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=-

------------------------------

Date: Tue, 27 Feb 1996 21:41:51 -0500 (EST)
From: James Paul LaCas
Subject: FORM_D boot sector virus (PC)
X-Digest: Volume 9 : Issue 34

How do you get rid of the FORM_D boot sector virus?

------------------------------

Date: Tue, 27 Feb 1996 22:02:19 -0500 (EST)
From: David Meyer - Osaka IS Office
Subject: Help me rid the Stoned Empire Monkey virus (PC)
X-Digest: Volume 9 : Issue 34

I found Stoned-Empire-Monkey-B on a Compaq notebook PC hard disk MBR and several floppies' boot sectors (no file infection) a few weeks ago and cleaned it up without great difficulty.

Peter Neilley wrote:
>I think that even the original boot
>diskette that came with my PC is infected as it was not write
>protected and I recently booted off of it.

The floppy will NOT be infected IF it was not accessed while the virus was resident in memory. That is, if you powered-off the PC, inserted the floppy, and then powered-on to boot, your floppy is safe.
>I could use some advice on how to rid myself of this virus
>from anyone who has gone through this process.

F-PROT detects this virus and removes it from hard disks and (most) floppies. F-PROT was not able to disinfect some floppies with an unusual format (1.2 MB). I disinfected most of these by copying system files from an uninfected hard disk to the floppies (DOS SYS command) in order to overwrite the floppies' boot sector. (I then deleted IO.SYS, MSDOS.SYS, and COMMAND.COM from the floppies as I did not wish to make the floppies bootable.) This removed the virus and left the floppies' data files intact.

For floppies that were too full to accept system files, I first copied all files from the infected floppy (copy in file units: use DOS COPY command, *NOT* DISKCOPY) to the hard disk of an uninfected system, and then copied the files from the hard disk to a new (clean) floppy. Note that the old floppy remains infected and should NOT be used (disinfection may be possible by reformatting the floppy, but I haven't tried this).

>Also, should I be successful in cleaning my system, is it safe to
>ever use any of the diskettes I have again, even if they are just
>data (and not bootable) disks?

Non-bootable floppies ARE infectable and can spread the virus to other PCs. However, if the virus is completely removed from the floppy, the floppy again becomes safe to use. Read the FAQ for more details.

Sincerely,
David Meyer
Osaka, Japan

------------------------------

Date: Wed, 28 Feb 1996 04:20:43 -0500 (EST)
From: Otto Stolz
Subject: How to boot clean (was: How to remove "Ekaterin" virus?) (PC)
X-Digest: Volume 9 : Issue 34

On Tue, 30 Jan 1996, Lee Brown wrote on how to prevent a virus from loading when you switch on a machine:
> 1. Find a clean (non-infected) boot disk.
> 2. Switch off the computer.
> 3. Place the disk into the drive.
> 4. Switch computer back on.
> 5. Run DOS based virus scanner to check memory!!
On Mon, 05 Feb 1996 09:32:09 -0500 (EST) Kenneth Albanowski said:
> one step is missing from the above list:
> 1.5. Bring up the computer's BIOS setup screen (usually ESC or DEL while
> it's booting) and make sure that it is set to boot drives "A: before C:".

Another important step is missing: You have to make sure that the A drive is correctly configured, in the BIOS setup (step 4, below).

The correct procedure is:

1. Switch the power off.

2. Insert a Known Clean Boot Diskette into drive A.

3. Switch the power on, and enter the BIOS Setup Menu. (Consult the pertinent user's manual for the specific procedure. If the computer requires you to load the setup menu from a disk, you may have to tinker with the hardware before you can boot clean.)

4. In the BIOS Setup Menu, check the specification of drive A, and correct it if necessary.

5. If the BIOS allows you to set up the Boot Sequence, specify A as the 1st (or only) drive to boot from.

6. If you are going to remove an MBR infector from your HD, and if the BIOS allows you to set up any Boot-Sector Protection (aka MBR Protection), then disable such protection.

7. Store these settings to the CMOS, and leave the Setup Menu; the computer will now be booted from the diskette in drive A.

Note: A Known Clean Boot Diskette (required in step 2) is either a DOS distribution disk from a trustworthy vendor, that has been write-protected from its very beginning, or a DOS bootable disk prepared on a computer that has been booted clean, immediately before the disk was prepared, and write-protected ever since.

Good luck,
Otto Stolz

------------------------------

Date: Wed, 28 Feb 1996 13:49:52 -0500 (EST)
From: Tim Adamec
Subject: "FOOP" sound familiar to anyone? (PC)
X-Digest: Volume 9 : Issue 34

This seems to be virus-like behavior to me. I've run McAfee (apologies if I can't spell :) against _EVERY_ file on the three drives I have and it comes up negative.

Every once in a while a file will be created in my root drive called FOOP.
It's a 5 byte file with the text: hiya!

Anybody ever seen this before? I've deleted the file and it reappears at a later date, but I can't seem to find which program(s) trigger the "infection".

As an aside, I had a _BAD_ cross-linking problem last night shortly after noticing the FOOP file had reappeared. I don't think it's related, but...

Thanks for any help!

Timothy M. Adamec
tadamec@simsci.com
tadamec@earthlink.net

(please CC tadamec@earthlink.net, my POP account seems to filter out anything with an address remotely like "listserv".)

------------------------------

Date: Wed, 28 Feb 1996 14:56:58 -0500 (EST)
From: Bill lambdin
Subject: Re: PC-Cillin AV (PC)
X-Digest: Volume 9 : Issue 34

"Chengi J. Kuo" writes
>But seeing as it's a new retail entrant, we asked VSUM to check its
>detection level. While the big names that appear in this forum
>register detection levels on the VSUM tests greater than 95%,
>PC-Cillin came in at around 80% (Feb results).

Jim:

PC-cillin is not a new entrant. PC-cillin has been around for years.

I do not recommend PC-cillin as a scanner, but I do recommend PC-cillin as a generic A-V program.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Wed, 28 Feb 1996 20:19:02 -0500 (EST)
From: Erwin Loewen
Subject: PKZ300 Virus (PC)
X-Digest: Volume 9 : Issue 34

I suppose this is old news to most of you, but some of my network clients are getting a new posting from the NewbieNews listserv about the PKZ300 virus. I've checked CERT and various other sources and nothing new has been listed about PKZ300 anywhere recently. It first showed up around June last year, as I recall.

Is there some new threat regarding this virus? Has it been recently posted in new areas? Or is NewbieNews just a little behind the times in getting their warnings out?
Or is it just me; maybe because I don't regularly visit this group I've missed a great thread on this very topic a couple of weeks ago?

Anyways, any light shed on this will obviously be more than I have now. Thanks for whatever.

Erwin Loewen
Network Analyst
Alberta Education
email: eloewen@edc.gov.ab.ca

------------------------------

Date: Thu, 29 Feb 1996 00:34:32 -0500 (EST)
From: Johnny Chung
Subject: Divide overflow on floppy access (PC)
X-Digest: Volume 9 : Issue 34

I am not sure if anyone has experienced the following phenomenon. I disinfected 3.5" HD floppies containing Urkel or ANTIEXE viruses using McAfee's Win95 virus scan 2.01. It seems to CLEAN it fine, but when I try to access the floppies, it gives me a DIVIDE OVERFLOW error. I've tried it on several machines with the same result. NDD and Disk Editor will not touch it. As soon as the diskette is being accessed, I get the DIVIDE OVERFLOW.

Does anyone have any clues as to why this is happening? I am sure I can just go ahead and reformat it, but I would like to know the cause of the DIVIDE OVERFLOW.

Thanks in advance.

-Johnny

------------------------------

Date: Thu, 29 Feb 1996 02:40:27 -0500 (EST)
From: Peter Cingel
Subject: MATURITA virus (PC)
X-Digest: Volume 9 : Issue 34

I have discovered the MATURITA virus by using McAfee VirusScan. I know nothing about that virus. What should I do to remove that virus from my hard disk and diskettes? Please advise soonest!

Thanks a lot
Peter Cingel
cingel@doktor.jfmed.uniba.sk

------------------------------

Date: Thu, 29 Feb 1996 04:20:48 -0500 (EST)
From: MARSat
Subject: Re: Possible Virus? Windows95 (PC)
X-Digest: Volume 9 : Issue 34

Sounds more like you have hit the IDE 520 barrier. Check your controller card to see if it can support drives larger than 520. If it can't, all is still not lost. You will need software support, something like Ontrack DriveManager, that handles the problem.
Of course you can also consider changing your I/O card to one that handles the larger drive volume (currently up to about 2 Gigabytes, I think). They are usually called EIDE (Enhanced Integrated Drive Electronics) cards. This may be best as they also are multi I/O cards that usually have the 16550 UART (hi-speed serial port) chips and the EPP (Enhanced Parallel Port) that will improve the performance of your computer. A key sign is if your modem seems to be too slow; this may not be the fault of the reception but the older UART serial chip cannot keep up with the modem (external, of course).

Abdul Sattaur (MARSat @ aol.com)

------------------------------

Date: Thu, 29 Feb 1996 09:09:18 -0500 (EST)
From: Michael Gurr
Subject: Re: kbug1720 remover or disinfection? (PC)
X-Digest: Volume 9 : Issue 34

Kbug-1720 is in the Cheyenne Inoculan software I am running under WinNT 3.51 - I downloaded an evaluation copy & removed a number of Winword.Concept infestations caused by accepting files from a client.

------------------------------

Date: Thu, 29 Feb 1996 11:08:16 -0500 (EST)
From: Joe Marshall
Subject: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 34

I am a technician at a community college and we are having trouble with Wordperfect 6.1 for Windows going down. It seems that files are being deleted in Windows as well as in other different applications. The Windows kernel becomes damaged and parts if not all of Wordperfect become damaged. We have tried the latest versions of McAfee's Vshield and Scan and have also tried F-prot, both of which have been very successful in the past at locating viruses, but neither one of these finds any viruses on the computers with the problems. If anyone out there has any info I'd appreciate the help.
Thanks

------------------------------

Date: Thu, 29 Feb 1996 11:37:27 -0500 (EST)
From: Philipp Stampfu
Subject: Problems accessing floppy drive (PC)
X-Digest: Volume 9 : Issue 34

I have a problem with my floppy disk drive and I think it's a virus. Here is my problem:

If I boot the computer with OS/2: I copy files to a disk and compare them with COMP. Then there are always some files on the disk which are different from the original files. This problem does not occur if I copy the files from the hard disk to another directory of the hard disk.

If I boot the computer with DOS: If I compress files with PKZIP and I copy the file NAME.ZIP to the floppy disk and then back to the hard disk, I can't uncompress the file.

And now, why I think it's a virus: If I start my computer with a DOS boot disk, the problem doesn't occur. But I have not found any virus with McAfee.

Philipp

------------------------------

Date: Fri, 01 Mar 1996 06:28:54 -0500 (EST)
From: Alexander Stanton
Subject: How to get rid of Stoned Empire Monkey virus (PC)
X-Digest: Volume 9 : Issue 34

I can't get rid of this no matter how hard I try. I've already resigned myself to repartitioning my hard drive, but I can't even get that to work. The virus loads in before the floppy is activated for booting, and will only boot if the floppy is write-enabled. If it is write-protected it just hangs. Using fdisk or format from an infected disk has no effect. The only way I can get the machine to boot from a clean floppy is to disable the hard drive in the BIOS. F-Prot and Norton AntiVirus won't disinfect the drive while the virus is in memory and want a clean boot. So how do I get rid of it? Is my hard drive good for the dumpster? Any help would be appreciated.

Alexander Stanton
as7@ee.ic.ac.uk

------------------------------

Date: Fri, 01 Mar 1996 10:07:31 -0500 (EST)
From: Gerard Mannig
Subject: FRENCH readers : read this NOW (PC)
X-Digest: Volume 9 : Issue 34

Hi French readers !
This mail is to inform you about the spread of up to 10 viruses from December 95 to nowadays, mainly via French BBS channels. Those viruses are called 'WereWolf' and are unfortunately detected by only a few AV packages and disinfected by none, except by AVP, as far as I know. Those viruses are both TSR and 'direct action' ones and practically all of them randomly wipe out HD sectors. Currently, mainly BBS SysOps have been hit but, due to AV editors' reaction time, some companies began to report WereWolf. I made AVP routines available for all these viruses. Please, Email me for further details.

Regards,

- ---------------------------------------------------------------------------
- ------------
Gerard MANNIG                  Virus Consultant
Phone : +33 (16) 3559-9344     Fax : +33 (16) 3560-5011
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of R . E . C . I . F    data +33 1 3415-4959    Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

[Moderator's note: I'd also draw your attention to an earlier thread on this virus family in digests 11, 12, 13 and a brief description of each virus in the family in digest 22.]

------------------------------

Date: Fri, 01 Mar 1996 18:49:15 -0500 (EST)
From: Kevin Marcus
Subject: Re: DOOM2 DEATH (PC)
X-Digest: Volume 9 : Issue 34

In article <0017.01I1OVIDD4Q4QKG2H9@csc.canterbury.ac.nz>, Chengi J. Kuo wrote:

>>Could some kind soul please tell me details of the DOOM2 DEATH virus.
>
>Other AV products will call this Taipan.666, which is the CARO name.

Just curious - why does scan persist on using a naming scheme which greatly diverges from the rest of the community? Most certainly it improved from the 1.x to 2.x series, but ??
- -
Kevin Marcus: http://www.cs.ucr.edu/~datadec
CS Dept, U/CA, Riverside: mailto:datadec@cs.ucr.edu
Virus-L archives: ftp://ftp.cs.ucr.edu/pub/virus-l
OKRA net.citizen Directory Services: http://okra.ucr.edu/okra

------------------------------

Date: Sat, 02 Mar 1996 11:33:34 -0500 (EST)
From: Powerless
Subject: Re: McAffee Word Virus Utility (PC)
X-Digest: Volume 9 : Issue 34

Eric Choiniere wrote:

>Does anybody
>know how to disable this McAffee utility so that Word works fine again?

I have had NOTHING but trouble with my McAfee product. I bought VirusScan and plan to bring it back for a refund. The virus data base is outdated, and McAfee will not respond to my inquiries.

------------------------------

Date: Sat, 02 Mar 1996 15:44:42 -0500 (EST)
From: Ed Epstein
Subject: Re: Possible Virus? Windows95 (PC)
X-Digest: Volume 9 : Issue 34

Adam Hughes wrote:

> I am having a lot of problems with my system. I am getting weird drive
> space results on my File Explorer and System Information (Norton
> Utilities95). I have a 850Mb HD partitioned in two. My C: drive should
> read 430Mbs total disk
>
>
> I don't know if I have some sort of virus or if there is a problem with
> Norton Utilities, Windows95 or some kind of bug.
>
> If any one has any ideas on what this might be and/or any solutions it
> would be greatly appreciated!

Just make sure that you are running the most recent Norton Anti-virus files. Check Symantec's Web site...they just posted new releases to the WIN95 anti-virus program on Feb 9th which includes inoculations for the Boza virus.

------------------------------

Date: Sat, 02 Mar 1996 22:25:28 -0500 (EST)
From: David Harley
Subject: Re: Norton AntiVirus (PC)
X-Digest: Volume 9 : Issue 34

Al Kimel (akimel@awod.com) wrote:

: b161 writes:
: > How does any/everyone rate The Norton Antivirus, for windows or dos and
: > any version???

: I'm no expert, so all I can rely on are the various tests that I
: have seen.
: Norton consistently ranks below the major scanners
: available.

On number of viruses detected. This isn't the only relevant criterion, though.

: Since there seem to be better products available (e.g.,
: F-Prot, Dr. Solomon's, AVP, Sweep, McAfee), I would personally avoid
: Norton and turn to one of the others.

Also depends on criteria.

: On the other hand, my impression
: is that Norton has gotten better over the past year or so (though I'd
: like to hear the opinions of the experts on this).

ditto * 2

Trouble is, evaluating an a/v package calls for a specialist....

DH

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 34]
*****************************************
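Johnny Chung's DIVIDE OVERFLOW question above has one common cause that the post itself does not establish: DOS converts a logical sector number to cylinder/head/sector by dividing by the sectors-per-track and heads fields of the diskette's BIOS Parameter Block (BPB), so a boot sector repair that leaves those fields at zero makes the very first disk access divide by zero. The script below is an added example, not from the digest or from any poster; it parses the BPB of a 512-byte boot sector, flags the fields that would break that arithmetic, and mirrors the conversion DOS performs. Both sample boot sectors are constructed here, not captured from anyone's diskettes.

```python
import struct

# Added example, not from the digest. The field layout is the standard DOS
# BIOS Parameter Block of a FAT boot sector; the sample sectors are constructed.

BOOT_SIGNATURE = 0xAA55
BPB_FORMAT = "<HBHBHHBHHH"   # ten fields, offsets 0x0B..0x1B, little-endian
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_copies", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")


def build_boot_sector(**bpb):
    """Construct a 512-byte FAT boot sector carrying the given BPB values."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"          # JMP SHORT over the BPB, then NOP
    sector[3:11] = b"MSDOS5.0"             # OEM name
    struct.pack_into(BPB_FORMAT, sector, 0x0B, *(bpb[f] for f in BPB_FIELDS))
    struct.pack_into("<H", sector, 0x1FE, BOOT_SIGNATURE)
    return bytes(sector)


def parse_bpb(sector):
    """Return the BPB fields and boot signature of a 512-byte sector as a dict."""
    if len(sector) != 512:
        raise ValueError("a boot sector is 512 bytes")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0x0B)))
    bpb["signature"] = struct.unpack_from("<H", sector, 0x1FE)[0]
    return bpb


def check_bpb(bpb):
    """List the fields that would make DOS's CHS arithmetic or FAT layout fail."""
    problems = []
    if bpb["signature"] != BOOT_SIGNATURE:
        problems.append("boot signature is not 55AA")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes_per_sector is not a valid sector size")
    for field in ("sectors_per_cluster", "fat_copies", "total_sectors",
                  "sectors_per_track", "heads"):
        if bpb[field] == 0:
            problems.append(f"{field} is zero")
    return problems


def lba_to_chs(lba, bpb):
    """Logical sector -> (cylinder, head, sector), as DOS computes it before an
    INT 13h call. With sectors_per_track or heads equal to zero the divisions
    raise ZeroDivisionError, the analogue of DOS's 'Divide overflow' message."""
    track, sector = divmod(lba, bpb["sectors_per_track"])
    cylinder, head = divmod(track, bpb["heads"])
    return cylinder, head, sector + 1          # sectors are numbered from 1


def diagnose(sector):
    """Problem list for a boot sector; an empty list means the BPB is usable."""
    return check_bpb(parse_bpb(sector))


def access_would_divide_overflow(sector):
    """True if any sector address translation with this BPB divides by zero."""
    try:
        lba_to_chs(0, parse_bpb(sector))
    except ZeroDivisionError:
        return True
    return False


# Constructed sample: a healthy 1.44 MB diskette boot sector ...
GOOD_1440K = build_boot_sector(
    bytes_per_sector=512, sectors_per_cluster=1, reserved_sectors=1,
    fat_copies=2, root_entries=224, total_sectors=2880, media_descriptor=0xF0,
    sectors_per_fat=9, sectors_per_track=18, heads=2)

# ... and the same sector with the geometry fields zeroed, as a badly
# repaired boot sector might leave them.
ZERO_GEOMETRY = build_boot_sector(
    bytes_per_sector=512, sectors_per_cluster=1, reserved_sectors=1,
    fat_copies=2, root_entries=224, total_sectors=2880, media_descriptor=0xF0,
    sectors_per_fat=9, sectors_per_track=0, heads=0)

if __name__ == "__main__":
    for name, sector in (("good", GOOD_1440K), ("zeroed", ZERO_GEOMETRY)):
        print(name, "->", diagnose(sector) or "BPB looks sane",
              "| divide overflow on access:", access_would_divide_overflow(sector))
```

Reading the first sector of a suspect diskette with a disk editor and running it through diagnose() tells you whether the data area is intact and only the geometry fields need restoring (18 sectors per track and 2 heads for a 1.44 MB diskette), which is far less drastic than reformatting.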
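The "520 barrier" in Abdul Sattaur's reply to the Windows95 drive-space question is the limit that falls out of combining the BIOS INT 13h cylinder field (10 bits, 1024 cylinders) with the ATA head register (4 bits, 16 heads) and the 63-sector limit: 1024 x 16 x 63 x 512 bytes, about 528 MB (504 MiB). The following is an added example, not from the digest or from any poster; it computes the addressable capacity, what a CHS-only BIOS would report for a drive above the limit, and the bit-shift translation an EIDE BIOS or a drive overlay such as the one the reply mentions applies. The 850 MB drive geometry is constructed for illustration.

```python
# Added example, not from the digest. The register widths are the classic
# INT 13h (BIOS) and ATA limits that together produce the ~528 MB barrier;
# the 850 MB geometry is constructed for illustration.

SECTOR_BYTES = 512
BIOS_MAX_CYLINDERS = 1024   # INT 13h passes a 10-bit cylinder number
ATA_MAX_HEADS = 16          # the ATA drive/head register holds 4 head bits
MAX_SECTORS = 63            # 6-bit sector number, counted from 1
BIOS_MAX_HEADS = 255        # INT 13h's 8-bit head register (255 is the usual cap)


def chs_capacity(cylinders, heads, sectors):
    """Bytes addressable by a cylinder/head/sector geometry."""
    return cylinders * heads * sectors * SECTOR_BYTES


def exceeds_chs_limits(cylinders, heads, sectors):
    """True when the native geometry cannot be addressed by a CHS-only BIOS."""
    return (cylinders > BIOS_MAX_CYLINDERS or heads > ATA_MAX_HEADS
            or sectors > MAX_SECTORS)


def visible_capacity(cylinders, heads, sectors):
    """What a CHS-only BIOS reports: cylinders past 1024 do not exist to it,
    which is why a large drive shows up with a smaller, odd-looking size."""
    return chs_capacity(min(cylinders, BIOS_MAX_CYLINDERS),
                        min(heads, ATA_MAX_HEADS),
                        min(sectors, MAX_SECTORS))


def translate_geometry(cylinders, heads, sectors):
    """Bit-shift translation as done by EIDE BIOSes and overlay software:
    halve the cylinder count and double the heads until the cylinders fit.
    An odd cylinder count loses one cylinder per halving, which is normal."""
    c, h = cylinders, heads
    while c > BIOS_MAX_CYLINDERS and h * 2 <= BIOS_MAX_HEADS:
        c //= 2
        h *= 2
    return c, h, sectors


def capacity_report(cylinders, heads, sectors):
    """Native, CHS-only-BIOS and translated capacities for one drive."""
    native = chs_capacity(cylinders, heads, sectors)
    if not exceeds_chs_limits(cylinders, heads, sectors):
        return {"native": native, "chs_only_bios": native, "translated": native}
    return {
        "native": native,
        "chs_only_bios": visible_capacity(cylinders, heads, sectors),
        "translated": chs_capacity(*translate_geometry(cylinders, heads, sectors)),
    }


# Constructed geometry for an 850 MB class IDE drive of the period.
DRIVE_850MB = (1647, 16, 63)

if __name__ == "__main__":
    for key, value in capacity_report(*DRIVE_850MB).items():
        print(f"{key:>14}: {value:>12,d} bytes ({value / 10**6:.0f} MB)")
```

The same arithmetic shows where translation itself runs out: with heads capped at 255 the translated geometry tops out at 1024 x 255 x 63 x 512 bytes, about 8.4 GB, the next barrier after this one.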