VIRUS-L Digest   Thursday, 21 Mar 1996   Volume 9 : Issue 39

Today's Topics:

    Administrivia... (ADMIN)
    QUESTION: Email Viruses
    Re: Flash BIOS viruses?
    AVP for WORD v1.04
    Re: Flash BIOS viruses?
    How to Contact Command Software?
    Re: Technicalities of scanning Email in multi-OS network??
    Re: Technicalities of scanning Email in multi-OS network??
    Virus???
    Virus Checker for MS Mail Gateway.
    Re: What REALLY matters in Commercial Anti-Virus Software
    Mcafee support stinks
    McAfee Toll-Free Support
    Re: Flash BIOS viruses?
    Re: What REALLY matters in Commercial Anti-Virus Software
    McAfee Dishonesty
    Removal of Antiexe (OS/2,WIN)
    Good Mac Virus Software (MAC)
    Excel Macro Virus (MAC,WIN)
    Help: Strange blue screen (WIN95)
    Vshield95 - Problems with Icons etc. (WIN95)
    Stange 32-bit disk access problem (WIN95)
    Re: Possible Virus!! (WIN95)
    AntiEXE triggers McAfee problems? (WIN95)
    McAfee95 reports McWhale (WIN95)
    Re: What detects BOZA virus? (WIN95)
    TBAV says HIMEM.SYS changed (WIN95)
    One byte added to .EXEs in Explorer (WIN95)
    2 byte file size increase (WIN95)
    NAV 95 PATCH WOES... (WIN95)
    Scanning MS Exchange e-mail? (WIN)
    FindVirus 7.57 fails to detect Macro.Word.Xenixos virus ! (WIN)
    Re: DOS Antivirus software under Windows? (WIN)
    Dr Solomon - Questions (WIN)
    Shiftlock Switch (WIN)
    LAN-based virus protection advice wanted (PC)
    McAfee VirusScan 95 and Tai-pan virus (PC)
    Winword/Scanprot/FProt questions (PC)
    Re: F-PROT, Opinions? (PC)
    Weird disk problems--virus ?? (PC)
    Bones Virus (PC)
    Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
    Could this be a virus? (PC)
    Disabling QEMM's quickboot (was: Re: Student use of PCs) (PC)
    Strange date probelm (was: Re: Aug, 27 1956 Virus? (MAC)) (PC)
    _377 or variant (PC)
    Virus scanners and web browsers? (PC)
    SAMPO virus (PC)
    Floppy Disk TSR scan software (PC)
    AntiExe.a infection from Win95 Workstation? (PC)
    Help with rabbit virus, please (PC)
    HELP stoned.michelangelo virus!!! (PC)
    NRLG Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be
sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be
sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 27 Mar 1996 18:45:21 +1200 (NZS)
From: Nick FitzGerald
Subject: Administrivia... (ADMIN)
X-Digest: Volume 9 : Issue 39

Hmmmmm--well, I first posted digest #39 (this one) out a few hours
after #38. I've learnt quite a bit about the internals of the listserv
since the s/w was updated... I also now know how to fool to post a
digest that it thinks it's seen but didn't post out!

Again, thanks to the listserv people at Lehigh.

Expect an avalanche of catch-up posts over the next 48 hours or so...

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 12 Mar 1996 23:15:21 +0000 (GMT)
From: Greg Rice
Subject: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 39

I'm wondering, why isn't an email virus possible? I read that no one
really needs to worry about loading an email message from a service
like AOL or Compuserve and receiving a virus on their home PC. Wouldn't
it be possible to write code that is an attached .EXE file and is
called into downloading itself by the 'read mail' action of the service
provider? I realize that if there was such a code, it would be service
provider specific, but it seems plausible. Any responses?

------------------------------

Date: Wed, 13 Mar 1996 10:16:34 +0000 (GMT)
From: brian mitchell
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 39

>Personally I think the whole idea of Flash BIOS on standard MB is a bad
>idea. (not talking about portables with lots of fancy powersaving
>features) It is an excuse for sending customers beta-versions of hardware.
>I've had to upgrade BIOS'es a few times, and I don't think that the
>process of updating the BIOS physically was such hard work. I spent much
>more time to realize that I needed the BIOS upgrade :-(
>
>The worst thing that could happen is that they agree on a "Universal Flash
>BIOS standard". Then people will start upgrading their BIOS when anything
>happens to their system. Then people will make shareware tools to make
>your customized BIOS. And people will of course write viruses for them...

It's a convenience item. If you _DO_ need an upgraded bios, would you
rather wait a week for the chip, have to open your computer, insert it,
etc or download some program from AMI or whatever, run it, point on a
little upgrade icon (gee, we can't do _anything_ without a GUI, y'know)
and presto, be upgraded.
The security issues to be dealt with, however, are horrific.

- - - -----------------------------------------------------------------------
Brian Mitchell                                      brian@unix.geek.net
PGP Public Key                      http://www.saturn.net/~brian/pubkey
- -----------------------------------------------------------------------

------------------------------

Date: Wed, 13 Mar 1996 09:08:08 +0000
From: Keith Peer
Subject: AVP for WORD v1.04
X-Digest: Volume 9 : Issue 39

AntiViral Toolkit Pro version 1.04 for Microsoft Word has been
released! Detects and disinfects known Word MACRO virus infections.

FREEWARE

You can obtain the program from:

Web: www.command-hq.com/command
Ftp: ftp.command-hq.com /pub/command/avp/avpww014.zip
Compuserve: GO AVPRO

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.             USA Distributor for
P.O. Box 856                     AntiViral Toolkit Pro
Bruswick, Ohio 44212             216-273-2820
Internet: info@command-hq.com    Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp  :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Wed, 13 Mar 1996 11:53:04 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 39

We were talking about limited number of write to the Flash BIOS. Also
note that changing the CMOS (adjusting date, wait states, whatever)
also causes an update to the ESCD.

Oeyvind Pedersen believes that Flash BIOS is a bad idea. Maybe, but...

Remember that motherboards are trying to be compatible with
technologies that are not existent yet. For example, a board that
doesn't support the non-existent K5 is likely to have real problems
with market acceptance. However, without actual chips to test with,
there are very likely to be tweaks to be made to the BIOS.
Also, there are still questions about the PnP standard (sic) that often
require updates to work with other peoples' products, which are made to
different ideas of this spec.

But most of all, remember that PnP requires a Flash BIOS to operate at
all.

I am not a fan of PnP. I think it is a nice concept, but is at least a
year from true stability, and might not be a great idea then. However,
PnP is the way the industry is headed.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 13 Mar 1996 16:47:54 -0500
From: Evan Rosenbaum
Subject: How to Contact Command Software?
X-Digest: Volume 9 : Issue 39

Yeah, I realize that this is a no-brainer question. But I checked the
FAQ and everyplace else I could think of, and can't find a phone # or a
URL. Can anyone throw me a pointer?

TIA

------------------------------

Date: Thu, 14 Mar 1996 10:45:31 +0000 (GMT)
From: Jan Hruska
Subject: Re: Technicalities of scanning Email in multi-OS network??
X-Digest: Volume 9 : Issue 39

>For MIMEsweeper, which runs on NT, to work for us, we would need a cross
>platform virus checker that runs on NT. Have you heard of any cross
>platform virus checkers?

Have a look at Sophos InterCheck client-server approach, info from
http://www.sophos.com/

Server a/v s/w available for NetWare, Windows NT, OS/2, OpenVMS,
Banyan, Unix etc. Clients available for DOS, Windows, Windows 95,
Macintosh. Evaluation copies are available from the www.

InterCheck intercepts and checks files as they are unpacked, so it does
not matter which packer was used. Some people may find it uncomfortable
to allow the virus on their system even in packed form, but the virus
cannot be activated until and unless it is unpacked into an executable
form. This is where we trap it and stop it. The same applies to ZIP,
ARC, ARJ, [insert your favourite compression utility here].
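
The check-at-unpack idea described in the message above, as an added example that is not part of the digest and is not Sophos code. It goes one step further than the message by following archives nested inside archives and by blocking anything it cannot inspect; the marker bytes, limits and function names are all assumptions made for the illustration.

```python
import io
import zipfile

# Constructed marker standing in for a scanner signature; not a real virus pattern.
SIGNATURE = b"CONSTRUCTED-TEST-PATTERN-0001"
MAX_MEMBER_BYTES = 1_000_000  # assumed cap on what one member may inflate to
MAX_DEPTH = 3                 # assumed cap on archive-in-archive nesting


def scan_bytes(data):
    """Hypothetical content check standing in for the scanner engine."""
    return SIGNATURE in data


def scan_on_unpack(blob, name="<top>", depth=0):
    """Unpack in memory and check each file as it emerges; return blocked paths."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return [name] if scan_bytes(blob) else []
    if depth >= MAX_DEPTH:
        return [name + " (nesting limit)"]  # fail closed rather than skip
    blocked = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = name + "/" + info.filename
            try:
                with zf.open(info) as fh:
                    data = fh.read(MAX_MEMBER_BYTES + 1)  # bounded read
            except (RuntimeError, zipfile.BadZipFile):
                blocked.append(path + " (unreadable)")  # encrypted or corrupt
                continue
            if len(data) > MAX_MEMBER_BYTES:
                blocked.append(path + " (size limit)")
                continue
            blocked.extend(scan_on_unpack(data, path, depth + 1))
    return blocked


def build_sample():
    """Constructed input: a marked file inside a ZIP inside another ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"A" * 200 + SIGNATURE + b"B" * 200)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing suspicious in this constructed file\n")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Calling scan_bytes() on the packed sample finds nothing, while scan_on_unpack() on the same bytes reports the marked member, which is why the check has to sit at the point of unpacking.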
------------------------------

Date: Fri, 15 Mar 1996 19:34:03 +0000 (GMT)
From: Ken Stieers
Subject: Re: Technicalities of scanning Email in multi-OS network??
X-Digest: Volume 9 : Issue 39

A note as I'm in the middle of converting our enterprise to MSMail.

I think I'm going to use Mimetic from Netgain (http:\\www.netgain.se),
which runs on NT and allows you to specify a virus scanner for
attachments. If it finds a virus, it renames the attached file and adds
a comment to the email. It DOESN'T stop the attachment from going to
its destination, but it does log everything.

I'm using McAfee's NTSCAN right now, though I may create a batch file
and have it scan with McAfee's and Dr. Solly's.

Ken

- - Views expressed herein are not necessarily the views of Ontrack
Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers              | Minneapolis - 1.800.872.2599         *
* AV Research/Apps. Eng.   | Los Angeles - 1.800.752.7557         *
* Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410    *
* Ontrack Data Recovery    | London - 0800 24 39 96               *
* Eden Prairie, MN         | Japan - 81.429.32-6365               *
*******************************************************************

------------------------------

Date: Fri, 15 Mar 1996 19:33:14 +0000 (GMT)
From: Herbert Slaghekke
Subject: Virus???
X-Digest: Volume 9 : Issue 39

Can anyone tell me what the following message on my screen means?

    To see a world in grain of sand, and heaven in a wild flower
    Hold infinity in your hand
    And eternity in an hour
    The virus 16\3\91

I have tried a clean boot disk, but it won't recognise my hard disk. My
virusscanner is also unable to access my hard disk.

What to do?

Herbert Slaghekke

------------------------------

Date: Sat, 16 Mar 1996 16:59:42 +0000 (UNDEFINED)
From: Atlantic Lottery Corporation
Subject: Virus Checker for MS Mail Gateway.
X-Digest: Volume 9 : Issue 39

Is there a product like MIMEsweeper for a MS Mail Gateway?
One of my suppliers has sent me the Word Macro Virus through the MS
Mail gateway. I would like to protect my system from further problems
like this.

------------------------------

Date: Sun, 17 Mar 1996 02:08:17 +0000 (GMT)
From: Robert Michael Slade
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 39

wallewek@cadvision.com wrote:

: I've been installing McAfee at client sites lately, and have come to
: the conclusion that it has significant problems. Oh, I'm not talking

Actually, why the heck *not* technical problems? The company has
undergone some serious changes over the past year. They didn't respond
to the last call for review copies, so I have no idea how the "red box"
version compares to the shareware we all know and ... well ... anyway,
can anyone enlighten me?

(But I digress.)

: The problem is that the average user site doesn't have a hope in hell
: of updating their own software and/or data files. Even if they PAY

Good point, particularly with some of the fancier network configuration
setups. But, as Nick has pointed out in his earlier reply, could the
average user update a word processor?

: Even if they have a modem, I'll bet dollars to donuts they don't know
: how to use it to download software. Or have an Internet account. Or
: are willing to download those massive files at low modem speeds at
: long distance daytime toll charges. Or can figure out how to apply the
: updates. Or have the time to figure all that stuff out, and not screw
: it up!

Or be willing to use a modem. Modems give you viruses, didn't you
know? :-)

: All you anti-virus gurus have got it all wrong. Those esoteric
: technical arguments, and whose software detects a few more oddball
: viruses, really doesn't matter in the workaday world. What counts is
: what can be installed and maintained by the typical secretary.

All of us got it wrong?
Well, I have always gone into detail about how easy or difficult it was
to install and operate any given piece of antiviral software, in my
reviews. I have tried to be specific as to the type of environment
suited or unsuited to each package. I have, in fact, given higher marks
to some programs which don't do as good a job at protection, but are
easier to use and more informative to the user.

: Any recommendations?

He insults us, and then he asks for help yet. Huh!

OK, a couple of points to ponder.

Per Nick's posting, you can't expect it to be *too* easy. Some people
just don't get it, regardless. I just got through posting a response to
someone on alt.comp.virus who had been trying to help a friend reformat
a disk. Unfortunately, they had left an activity monitor operating
while they did so. The program, of course, refused to let them do the
format.

Related to that, remember that the virus problem, although very common,
is still an a