VIRUS-L Digest   Saturday, 6 Apr 1996   Volume 9 : Issue 42

Today's Topics:

Virus signatures
What is OJ Virus? What does it do?
Re: QUESTION: Email viruses
Why I abandoned McAfee
RE: McAfee Dishonesty
Re: Contacting Command Software
Is MEANING.EXE a Trojan horse?
Re: Macafee support stinks
Re: Flash BIOS viruses?
Unix Virus Scanning Software? (UNIX)
Virus scanning tools running on Unix? (UNIX)
vlad the impaler (MAC)
concept virus on macintosh (MAC)
Possilbe new virus? (WIN95)
32-bit Win95 virus? (WIN95)
Junkie.MBR or other unknown virus appends command.com (WIN95)
NAV upgrade hidden files (WIN95)
386SPARTN.PRN and Win 95 boot sector modification (WIN95)
Drive Space 3 Problems (WIN95)
Re: TBAV says HIMEM.SYS changed (WIN95)
Bytes added to files (WIN95)
Viruses from kids floppies - How I stopped them... (WIN)
virus effecting winhelp.exe? (WIN)
"loading bootstrap" message (PC)
Does somebody know 'Partitori-B'? (PC)
Re: Ripper virus (PC)
Cmos-corrupting Virus (Monkey?) (PC)
Re: Anti exe virus (PC)
Re: MS Macro Virus Tool (PC)
Re: CONCEPT/Word Perfect macro: really no cure? (PC)
Re: CONCEPT/Wordperfect macro:really no cure? (PC)
Re: Neuroquila (PC)
how to get rid of Urkel (PC)
Re: Anti exe virus (PC)
Re: Neuroquila (PC)
Re: WelcomB Virus (PC)
Re: F-PROT, Opinions? (PC)
Re: Neuroquila (PC)
Netscape virus? (PC)
Theta virus ..... anybody got solutions??? (PC)
Jerus X (PC)
Re: Michelangelo recovery methods (PC)
634K of RAM--virus? (PC)
anticmos?? Help (PC)
McAfee Scan 2.3.0. Genuine? (PC)
LAN infected with FORM? (PC)
HELP stoned 4 virus (PC)
Dr Solomon's 7.58 available for download (PC)
Residual effects of a virus? (PC)
Doom2 Death virus question (PC)
Lost Harddrive (PC)
Re: Bones Virus (PC)
Re: Virus??? (PC)
Re: Virus??? (PC)
FindVirus 7.58 fails to detect Macro.Word.Xenixos virus (PC)
Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
F S Virus - Anybody??? (PC)
Re: Anti exe virus (PC)
Re: Need Help With a virus called SCRMING.FIST.II.652 (PC)
Re: Virus??? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 22 Mar 1996 21:14:49 +0000 (GMT)
From: James Kruger
Subject: Virus signatures
X-Digest: Volume 9 : Issue 42

I was wondering if there is a library of virus signatures. I have a couple virus scanners that allow you to add signatures to look for and I wish to update the files. Please reply to "jkruger@ucg.com". Thanks and sorry if this question has been asked before.

[Moderator's note: This question is often asked and the reasons it is a poor idea are covered in the FAQ.]

------------------------------

Date: Tue, 26 Mar 1996 10:03:08 +0000 (GMT)
From: Mark.Trayling@otis.netspace.net.au
Subject: What is OJ Virus? What does it do?
X-Digest: Volume 9 : Issue 42

What does the OJ Virus do?

------------------------------

Date: Wed, 27 Mar 1996 13:49:00 -0600 (MDT)
From: DONNY@iris.co.il
Subject: Re: QUESTION: Email viruses
X-Digest: Volume 9 : Issue 42

> I'm wondering, why isn't an email virus possible? I read that no one
> really needs to worry about loading an email message from a service
> like AOL or Compuserve and receiving a virus on their home PC.

If an email service allows the email to contain "automatic execution" code then it is definitely possible to attach code to email and cause a lot of trouble. Basically, it is recommended not to use any email reader that automatically runs code. The situation is bad enough when someone sends you a file and says "run this, it is a cute program that displays a Christmas tree" in which the file has more than that. At least this "trick" will not work with those who are suspicious about any incoming mail. When the mail is executed automatically (when read) the situation is worse since you have no control over what is happening.

> Wouldn't it be possible to write code that is an attached .EXE file and
> is called into downloading itself by the 'read mail' action of the
> service provider?

Most email systems don't automatically run email when the email is read. BTW, the executable being run doesn't automatically mean that it is a virus (or worm). It can also be a trojan horse.

Donny Gilor (Dr. Virus)   donny@iris.co.il
- -----------------------------------------
Development manager, Iris Software (Israel)
Tel: (972)-3-9221280   Fax: (972)-3-9228060

------------------------------

Date: Tue, 26 Mar 1996 15:57:18 +0000 (GMT)
From: The Toad
Subject: Why I abandoned McAfee
X-Digest: Volume 9 : Issue 42

I subscribed to McAfee and was supposed to get free updates, via downloading .dat files, for 2 years. That was less than a year ago. Two months ago, they stopped letting me download the .dat files without a password and some other ID number, neither of which they had given me.
I have sent several e-mail requests for help to "support." All have been ignored. I called the 800 number, was put on hold and then cut off. Twice.

Finally, I decided to go with a different vendor. After research, I picked S&S (Dr Solomon). I signed up, and they delivered the software THE NEXT DAY!! I haven't installed it yet, mainly because they want me to boot from my original DOS floppy, and I need to find that first. But, the installation looks easy and those I asked said that the updates arrive by snail mail as scheduled, regular as clockwork.

I also use F-Prot (the freeware version), and have updated that twice, without incident.

Frankly, I think that McAfee (described as the 700-lb gorilla of virus protection) is terminally ill, and I don't intend having anything further to do with them.

Toad

------------------------------

Date: Wed, 27 Mar 1996 08:40:22 -0600
From: Duane Franklet
Subject: RE: McAfee Dishonesty
X-Digest: Volume 9 : Issue 42

hunterj@nethost.multnomah.lib.or.us writes:

>After finally locating and downloading the updating .dat files, which were
>supposed to be provided to me free for two years as a registered user,
>they disabled the Vshield. McAfee support, such as it is, did not respond
>to two email messages, nor to a telephone call.

I agree with your frustration completely and it mirrors my own experience. I know McAfee folks read this list (although probably not the ones responsible for this decision/implementation). Please forward these signs of discontent to those appropriate at your company...

The "Out of memory" message is inexcusable. I can't imagine how many people have had to sit there, tweaking memory config, thinking, "Ah, there must be too many virus signatures. The DAT file's too big. I can get this to work..."

Dr. Solomon, FPROT, here comes business...

DFranklet@uh.edu

------------------------------

Date: Wed, 27 Mar 1996 08:43:09 -0600 (GMT-0600)
From: Georgina Kisling
Subject: Re: Contacting Command Software
X-Digest: Volume 9 : Issue 42

Hope this is what you're looking for:

Command Software Systems, Inc
1061 E. Indiantown Road
Jupiter, FL 33477 USA
+800 423-9147
+407-575-3200
+407-575-3026 FAX
sales@commandcom.com
http://www.commandcom.com

Gina

- ---
Georgina Kisling               Voice: +501 2 30256/32733
Computer Specialist Trainee    Fax : +501 2 30255
University College of Belize
Box 990, Belize City, BELIZE   Email: gina@ucb.edu.bz

------------------------------

Date: Wed, 27 Mar 1996 14:56:12 +0000 (GMT)
From: Anthony Garcia
Subject: Is MEANING.EXE a Trojan horse?
X-Digest: Volume 9 : Issue 42

I noticed the file MEANING.EXE being forwarded around our mail system yesterday. Supposedly it will display a humorous message when executed.

I did a Dejanews search and found an article from Glen Benson (benson@xroads.com) posted to alt.med.fibromyalgia on February 23rd indicating that MEANING.EXE may be a trojan horse or may be infected with a virus.

Has anyone else seen this program, and does anyone know of any possible harmful behavior it may exhibit?

Thanks,
-Anthony Garcia
agarcia@neosoft.com

------------------------------

Date: Wed, 27 Mar 1996 10:43:56 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Re: Macafee support stinks
X-Digest: Volume 9 : Issue 42

>I bought VirusScan 95, and my current version recognizes me as a
>licensed user. Whenever I try to update it from FTP site, I get a
>"thank you for evaluating message" when I run the updated version, and
>it no longer recognizes me as a licensed user. Over a month period, I
>have sent four emails to support@mcafee.com, without response. I'm
>ready to dump the program and try Norton. Any suggestions?

I am sure I won't be the only person to tell you this, but the products you are downloading *are* evaluation copies. This is why you get that message.
If you want to use your licensed copy, you need to update *only* the data file, and may need to get a version update periodically anyway.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 27 Mar 1996 10:43:56 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 42

Pavel Machek writes:

>I don't think so. In my computer, there's an Ami WinBIOS, which has
>windows etc. Only small part of bios is that which deals with floppy. (And
>that is the only part needed for upgrading FlashBIOS). So I believe, that
>even with flash bioses there's a small ROM part that allows you to reread
>Flash BIOS from floppy.

Actually, WinBIOS is called that merely because it has a GUI. It contains no part of Windows whatsoever. Derek was very correct when he tells you that if something bad happens flashing your BIOS, you are cooked, and need to replace the chip. (Not that this is getting off the subject of viruses or anything ;-)

The BIOS needs more than the floppy drive to update itself: it needs the CPU, the memory, the flash software, the floppy drive, and the video at a minimum. If the BIOS provides the flash software (I have never heard of this), then you need the CMOS BIOS program (WinBIOS is particularly large) itself. Otherwise, you need to be running at least some sort of rudimentary OS. When the flash program warns you "DO NOT TURN OFF POWER WHILE PROGRAMMING", this is a hint that if you do, you will need a new BIOS chip.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Sat, 23 Mar 1996 21:52:39 -0500 (EST)
From: Charles Henrich
Subject: Unix Virus Scanning Software? (UNIX)
X-Digest: Volume 9 : Issue 42

I've been scouring the net for the last hour or so and have yet to come across any mention of scanning software for unix systems. Does such a beast exist? I'm looking for a program that will go through a directory and unzip zip files, un-tar tarfiles, and scan for Mac/PeeCee virus.

All comments appreciated!

-Crh

Charles Henrich   Michigan State University   henrich@msu.edu
http://pilot.msu.edu/~henrich

------------------------------

Date: Sun, 24 Mar 1996 20:55:21 +0000 (GMT)
From: Tom KC Basham
Subject: Virus scanning tools running on Unix? (UNIX)
X-Digest: Volume 9 : Issue 42

I'm doing some work with an FTP site and we'd like the ability to scan uploaded files on the server. (most of the uploaded files will be from the PC world).

Could anyone provide any leads on commercial/shareware/whatever utilities?

- - - ---
Tom "KC" Basham a.k.a "Thunk"
Senior Editor, PC ACE Magazine
Email: thunk@cris.com

------------------------------

Date: Sat, 23 Mar 96 20:10:42
From: Dan Doyle
Subject: vlad the impaler (MAC)
X-Digest: Volume 9 : Issue 42

I am interested in information about the nature of and method of removing "vlad the impaler" from a macintosh.

ddoyle@csrlink.net

------------------------------

Date: Tue, 26 Mar 1996 22:10:05 +0000 (GMT)
From: Sang Park
Subject: concept virus on macintosh (MAC)
X-Digest: Volume 9 : Issue 42

Can anyone tell me whether the Symantec Antivirus for Macintosh (SAM) removes the concept macro virus from MS Word files or it simply deactivates, as per the MS 'Scanprot.dot' macro?

Much appreciate any help,

Sang

------------------------------

Date: Sat, 23 Mar 1996 07:14:55 -0500
From: JaegerSoft
Subject: Possilbe new virus? (WIN95)
X-Digest: Volume 9 : Issue 42

I think we may have a possible virus on our systems. The McAfee and Norton AV both show everything as clean. It happens to two of our Win95 machines which are RJ45 netted to each other and use the Win95 networking.
Both machines show what is best described as a lockup for about a second every 10-25 minutes. Whether running Windows screen saver or Win application or a game in a dos box, it will just stop and restart in a series of 4 stop and start hiccups. A performance monitor will show between 50 and 60 % cpu usage during this event.

At first I thought this was a network problem and have been checking things with that until the day before yesterday. Every so often (there was no definite pattern), one of the machines would do the hiccup and generate sound out of the speakers. This sound was that of a poor recording with someone saying (kind of unintelligibly) something about over and over. I am not going nuts, this was witnessed by several of our people. It coincided with the cpu usage spikes. Since that day, no more sound, but the hiccups continue.

Anyone have any ideas?

Matt Shaw
SPGS, Inc.
Makers of Philips Media's Fighter Duel

------------------------------

Date: Sun, 24 Mar 1996 04:12:08 +0000 (GMT)
From: Charlie Bryant
Subject: 32-bit Win95 virus? (WIN95)
X-Digest: Volume 9 : Issue 42

Guy in our shop booted up his Win95 machine the other day and got this message on his screen:

    The new Internet AIDS
    http://www.hiv.aids.death
    The undetectable 32 bit virus for Windows 95
    Infection is spreading faster than expected
    You have less than 1 month to live
    Press any key to continue . . .

Okay, I know it's an obvious joke address and all that, and it sounds like the work of a lamer who figured out how to plant a text file somewhere. But has anybody else seen this, or anything like it?

- ----------------------------------
Charlie Bryant
Another guy with too many computers
http://www.vni.net/~cbryant
- ----------------------------------

------------------------------

Date: Sun, 24 Mar 1996 12:52:29 +0000 (GMT)
From: P Boutros
Subject: Junkie.MBR or other unknown virus appends command.com (WIN95)
X-Digest: Volume 9 : Issue 42

My friend has a P100, running win 95 and scan 95 1.00.
McAfee Scan told him he had Junkie.MBR on his computer, but it couldn't remove until a clean boot up was made. He tried to boot off of his gateway 2000 bootup disk, which in turn made him boot off of a CD. McAfee still couldn't clean. I sent him F-prot on a clean Dos622 disk. He claims it didn't clean, but McAfee scan (DOS) off a clean win95 startup disk found nothing.

Afterwards, the computer would not boot up off of hard disk BECAUSE COMMAND.COM WAS APPENDED TO. No virus checkers caught the appending, I just noticed his command.com was larger than mine. I deleted his and replaced with clean copies.

HELP HELP HELP

1. What the hell was that? A virus? Junkie.MBR? A boot sector virus that overwrites?
2. Did that append to anything else? His graphics are a little fucked up, but I can't see anything wrong.
3. His Gateway bootdisk needs a CD to boot without hard disk. Is this safe?

Please reply to PCBOUTRO@NOVICE.UWATERLOO.CA

------------------------------

Date: Mon, 25 Mar 1996 19:02:49 -0800
From: Lycanthrope
Subject: NAV upgrade hidden files (WIN95)
X-Digest: Volume 9 : Issue 42

howdy. I recently d/led the word macrovirus upgrade for NAV95. I followed the directions which said to unzip in a temp directory, scan, etc. everything worked fine but now my temp directory is full of hidden files relating to NAV. I tried deleting them but that caused my "file manager" and desktop to have about 30 new files on it, still relating to NAV. can I delete these or move them to my NAV directory without any harm?

thanks in advance...

- - -Lycanthrope
ewright@ap.net

------------------------------

Date: Mon, 25 Mar 1996 23:23:19 -0500
From: Wayne Shanks
Subject: 386SPARTN.PRN and Win 95 boot sector modification (WIN95)
X-Digest: Volume 9 : Issue 42

386SPARTN.PRN

The file above appeared in the root directory on the C drive. It seems to always be in use in that I can not rename it or move it. McAfee can not read it to test for a virus.
Also every time I boot win 95 the Bios boot sector modification alarm goes off. Is this normal? I am having tremendous trouble with protection fault errors. If I format a system disk and boot off it I get no Bios alarm.

What is going on.... is this a Virus? McAfee, and Tbav, and Doctor anti virus scanners find nothing.

Any Ideas or tips would be greatly appreciated.

Wayne Shanks

------------------------------

Date: Wed, 27 Mar 1996 10:26:24 -0600 (cst)
From: "Arif, Rahan"
Subject: Drive Space 3 Problems (WIN95)
X-Digest: Volume 9 : Issue 42

I have been having some trouble with my compressed hard drive. I had Windows 95 with PLUS! installed in my computer using PLUS!'s version of Drive Space. Due to some unrecoverable errors in the system registry, I almost gave up after many attempts to fix it. Finally, I erased the entire c:\windows tree and I installed Windows 95 again. It barely installed, but I was lucky.

Well the weird registry problem was fixed, but now every time I start my computer I get a blue screen with a message saying that my DRIVESPACE DRIVER doesn't match with current driver it is using. That's because Windows 95 is trying to use its own older version of Drive space and it can't recognize the Drive space 3 format.

So logically after seeing this appear, I tried to install PLUS! again. But after several attempts, PLUS! didn't install at all. A message saying that TOP LEVEL INFORMATION COULD NOT BE PROCESSED kept appearing. Also when I go to My Computer and click on Properties, it shows that I have 1.6 GIGABYTES of FREE SPACE, when my original hard drive was only 200 MEGABYTES to begin with! and after being compressed, it should only have been around 380 megabytes!!!

I really need some help in figuring out how I can possibly reinstall Drive Space 3 or some way I can extract the Drive Space 3 components from the .CAB files found on the PLUS! CD-ROM.

Also can anyone tell me the address of the Windows 95 Tips list.
I was once on it and I lost the subscription address. Any help will be highly appreciated.

Thank you very much,

rarif@chiaolink.dcmc.dla.mil

------------------------------

Date: Wed, 27 Mar 1996 18:37:11 +0000 (GMT)
From: Ian Mullins
Subject: Re: TBAV says HIMEM.SYS changed (WIN95)
X-Digest: Volume 9 : Issue 42

Jared Williams (williams@finland.it.earthlink.net) wrote:

: I am currently running thunder byte for dos. It came with
: Windows 95 and when I boot up using it, it always says
: himem.sys has been changed. It won't allow to validate it. Is
: there anyone out there that has had the same problem using
: Thunderbyte?

If you ran TBSETUP before installing Windows '95, then installed Win '95 and scanned your system it would say that. First boot with a boot disk and scan your system to make sure it's not a virus. If all is well, make sure the HIMEM.SYS file is 32,935 bytes long. If so, it's 99.9% likely that it's not infected. Then, simply make sure that the option "Only New Files" is not checked in the TBSETUP options, and then run TBSETUP. After it's complete, it shouldn't say that HIMEM.SYS has changed anymore.

- - Crash, Remote SysOp of The Danger Zone (709)368-4709

------------------------------

Date: Wed, 27 Mar 1996 12:25:24 -0600 (CST)
From: Pete Turner
Subject: Bytes added to files (WIN95)
X-Digest: Volume 9 : Issue 42

Anyone using Win95 with WinZip *installed* and experiencing "bytes added to files" should obtain the most recent version of WinZip. A known bug in one version of WinZip (6.0b, I believe) causes this and often makes the user think s/he has a virus.

------------------------------

Date: Wed, 27 Mar 1996 11:40:34 -0500
From: Mike Lawrence
Subject: Viruses from kids floppies - How I stopped them... (WIN)
X-Digest: Volume 9 : Issue 42

I believe most viruses enter from a floppy or modem. If your kids are introducing viruses to your computer, you can try IconHideIt.
I use it to lock down the DOS box, groups, icons, directories, communication and printer ports.

http://www.mclellansoft.com/iconhideit/ or 1-800-794-5679

-mike

------------------------------

Date: Sun, 24 Mar 1996 23:36:19 +0000 (GMT)
From: "G.h.van den Berg"
Subject: virus effecting winhelp.exe? (WIN)
X-Digest: Volume 9 : Issue 42

Does any one know of a virus that infects at least winhelp.exe...my copy has corrupted lately and when I reinstall it it corrupts again. The version on the install disks is 256,192 bytes; after a windows session that has refused to run winhelp, winhelp.exe is now 258,150...does any one know what is going on. I have also noticed a drop in system performance of late. Do I have a virus...all the scans I have run so far don't detect anything.

TIA. g.

------------------------------

Date: Sat, 23 Mar 1996 00:23:02 -0800
From: "J. L. Packer"
Subject: "loading bootstrap" message (PC)
X-Digest: Volume 9 : Issue 42

I recently dealt with (and hopefully eliminated!) what McAfee identified as anti-cmos, as well as a stealth virus. When I first began experiencing symptoms of these viruses on my pc, I noticed a message at bootup (which I do not recall having seen previously) reading "loading bootstrap". After eliminating the virus infections (I reformatted my hard drive and restored from backup.... just to be on the safe side), my pc no longer displays the mystery message.

Question: does anyone know what the "loading bootstrap" business was all about?

regards, JP
jpack@nicoh.com

------------------------------

Date: Sat, 23 Mar 1996 17:01:26 +0000 (GMT)
From: Oliver Heidelbach
Subject: Does somebody know 'Partitori-B'? (PC)
X-Digest: Volume 9 : Issue 42

Has anybody ever heard of a virus called 'Partitori-B'? I have to deal with it, but I can't find any reference, not in McAfee's VSUM, not anywhere else. The only thing I can say up to now is, that it must be a boot sector virus and that it draws a red box on the screen.
It also made Word for Windows ('95) refuse to load documents. I need a strategy to handle that virus. If 'Partitori-B' should be an uncommon alias I would appreciate if somebody can tell me its common name.

TIA, Oliver

- -
Internet: oheiabbd@zedat.fu-berlin.de
BBS: o.heidelbach@telemail.berlinet.de
WWW: http://fub46.zedat.fu-berlin.de:8080/~oheiabbd

------------------------------

Date: Sat, 23 Mar 1996 11:40:40 -0700 (PDT)
From: cribbv@icsi.net
Subject: Re: Ripper virus (PC)
X-Digest: Volume 9 : Issue 42

In response to Florian Erhard's post regarding the Ripper virus, the moderator said: "... You may need to floppy boot a version of DOS earlier than MS-DOS7 and run a dos-based disinfector."

The key here being "floppies with an earlier version of DOS and a DOS-based disinfector." Even though Windows 95 saved your old DOS during Setup, you may soon find yourself in a situation where you will be forced to re-format your hard drive and, if so, you just lost the most versatile version of DOS if you haven't saved it.

Myself, I'm glad that years ago I prepared a set of emergency disks (3) complete with the essential DOS programs, drivers, appropriate autoexec.bat & config.sys, and an anti-virus program. The only thing I can't do, when using them, is operate Windows 95 or restore a Windows backup.

PS: Two medium-size hard drives are better than one large one, especially if you use the slave to save your documents, templates and supporting graphics.

------------------------------

Date: Fri, 22 Mar 1996 04:42:28 -0500
From: Wayne Shanks
Subject: Cmos-corrupting Virus (Monkey?) (PC)
X-Digest: Volume 9 : Issue 42

There is now a full blown epidemic in the Maryland area (maybe overstated, but I know of over 70 computers at dozens of sites infected). This Virus deletes the Cmos setup info. You can go back in and reset everything, but at the next reboot you have to do it again.

My father helps run the computer lab at the elementary school where he teaches.
A bunch of the computers in the lab had these problems, and he thought the clock/cmos went bad. These computers were IBM PS2. He talked with a tech support guy at IBM, and the Tech guy thought that it was not a Hardware problem, but a new Monkey Virus. The guy said it has popped up in the last 6 months.

When my father told me about this, a light went on. For the last 2 or three months I have been hearing dozens of people complain about their Cmos dropping out.

Have you heard anything about this? Do you know how to kill it?

Wayne Shanks

------------------------------

Date: Sat, 23 Mar 1996 21:44:51 +0000 (GMT)
From: Wayne Riddle
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 42

Angela Cowley wrote:

> Every one I know who is not on the net is telling me
>I got it from the net, but are they right? I was online for 4 months on
>the old machine and that is ok.

Anti-Exe is a boot-sector virus. You picked up the virus from an infected disk.

Wayne Riddle
riddler@agate.net
http://ourworld.compuserve.com/homepages/riddler

------------------------------

Date: Sat, 23 Mar 1996 21:56:14 +0000 (GMT)
From: Maxine Sheinin
Subject: Re: MS Macro Virus Tool (PC)
X-Digest: Volume 9 : Issue 42

> Am evaluating the option of using either Microsoft's Macro Virus
> eradicator, or just going with the latest Norton AntiVirus version and
> signature files.... any experience, pro or con, either way?

I installed the Microsoft Protection Macro for Word. Found a few minor irritable differences (one is that you cannot open multiple files at once), but the alternative seems worse. We started scanning (using McAfee) the document files but found that some people had so many documents on their hard drives that it took foreverrrrrrrrrrrrrrrrrr to scan. There is no noticeable file open or close delay in Word (6.0), so we went with that.

------------------------------

Date: Sat, 23 Mar 1996 22:10:03 -0500
From: Richard Palumbo
Subject: Re: CONCEPT/Word Perfect macro: really no cure? (PC)
X-Digest: Volume 9 : Issue 42

our network was infected with this virus. After cleaning with McAfee the word perfect operators complain of computers hanging. The Dos 6.0b WP has been reinstalled yet the problem persists and none of the documents show infection :-(

------------------------------

Date: Sat, 23 Mar 1996 13:43:04 -0500
From: Richard Palumbo
Subject: Re: CONCEPT/Wordperfect macro:really no cure? (PC)
X-Digest: Volume 9 : Issue 42

after detecting CONCEPT several workstations now hang and one will present 242424242424 at the top of a document before hanging. any comments :-(

------------------------------

Date: Sun, 24 Mar 1996 13:18:10 +0000 (GMT)
From:
Subject: Re: Neuroquila (PC)
X-Digest: Volume 9 : Issue 42

On 20 Mar 1996 22:10:05 -0000, Dan Wright wrote:

>McAfee Viruscan (7/95) detects Neuroquila or Nightfall virus in files,
>has no remover.
>
>Files are in a directory called Sentry that does not show on a tree,
>attempts to delete files result in "access denied". Over 700 files show
>up in a DIR, in the form #a1b2lrs.ms or some variant of this name. 8 of
>these are infected according to McAfee. These files are being created
>daily, some show dates before the computer was purchased.

Hi.. Seems like you're using Microsoft's Undelete Sentry (also found in PCTools, but then the files have different extension.).. The Sentry directory is a directory where the "Delete Sentry program" puts files which are deleted, so that it's easy to undelete files which have been protected by this program...

As for the virus signature of Neuroquila, it could be a false alarm, especially if it only shows up in this exact directory... In either case, if it's the case that it only occurs in the Sentry directory, there is probably no danger.

The reason for you not being able to view the sentry directory, or to delete the files is that the directory is hidden, and the files in it are locked by the Undelete program...

One last thing: Update your scanner, it's way too old.

------------------------------

Date: Mon, 25 Mar 1996 00:18:19 +0000 (GMT)
From: Jim Wu
Subject: how to get rid of Urkel (PC)
X-Digest: Volume 9 : Issue 42

My computer was infected with Urkel. Is there anyone who knows how to get rid of it? Also, I could not have access to my D drive (harddisk). Does this problem result from the virus?

Thank you!

e-mail: yenchun@engin.umich.edu

------------------------------

Date: Mon, 25 Mar 1996 12:27:29 -0800
From: Kelvin Chien
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 42

Angela Cowley wrote:

> I bought a new computer 2 weeks ago and it was definitely clear of viruses
> when I got it, but then 5 days ago I discovered it had the anti exe virus.
> I know my old computer is clean and the floppies I installed the day I got
> it are clean, just ones I've used over the last week are infected. I've
> cleaned everything now and have dr solomons installed, but wonder where
> the virus came from. Every one I know who is not on the net is telling me
> I got it from the net, but are they right? I was online for 4 months on
> the old machine and that is ok.

Right and wrong. Provided you only "browse" on the net without clicking on links that automatically download executable files, you shouldn't have got it from the net. Java pages are, in this stage, not capable of letting Java applets tweak into your harddisk. Uuencoded files can contain viruses, but if you don't uudecode and use them, they're like frozen chickens.

You would want to concentrate on how you got the virus. Below shows some tips:

* Do you let someone else use your diskettes/computer?
* Do you use your diskettes on computers other than your own?
* Do you have infected diskettes but still use them after you re-format them?
* Did you scan all diskettes including all your software, games etc?
* From your description, you said the floppies and the box were clean when you bought it from your vendor.
A few years back when I helped my relatives/friends buy their first machines, some of them were already infected. Their floppies were fine, but if I hadn't checked their boxes, they'd sooner or later be infected by the virus on the boot sector, so that they would have had the case as you do now.

It's extremely important you have an up-to-date virus scanner. As you may have read the previous messages, people (my boss included :) use Microsoft (or other old scanners) Antivirus and they think they are virus-free. Trust no old scanners and keep yourself updated with new scanners from those reputable companies (McAfee, F-PROT to name a few).

Cheers

_______________________________________________________________________
- Kelvin K. W. Chien -
- kchien@chevalier.net -

------------------------------

Date: Sun, 24 Mar 1996 22:59:26 -0800
From: "Cory L. Curtis"
Subject: Re: Neuroquila (PC)
X-Digest: Volume 9 : Issue 42

Dan Wright wrote:

> Could use some help please for a friend's 486 PC.
>
> McAfee Viruscan (7/95) detects Neuroquila or Nightfall virus in files,
> has no remover.
>
> Files are in a directory called Sentry that does not show on a tree,
> attempts to delete files result in "access denied". Over 700 files show
> up in a DIR, in the form #a1b2lrs.ms or some variant of this name. 8 of
> these are infected according to McAfee. These files are being created
> daily, some show dates before the computer was purchased.
>
> Anyone know what's going on here?

Check out this link: http://www.datafellows.fi/vir-desc.html

It doesn't sound like Nightfall. See what the file attributes are with attrib. Change them with attrib *.* -a -h -r -s for example if the files have all or any of these attributes, then try del . to get rid of them. I don't know if this is what you're looking for?

Good Luck!
Cory

------------------------------

Date: Mon, 25 Mar 1996 11:59:52 -0800
From: Stephen Weller
Subject: Re: WelcomB Virus (PC)
X-Digest: Volume 9 : Issue 42

Yes, as a matter of fact it has been dormant in my machine for some time
now. Tried to kill it with McAfee's program, but had the same luck as
you. All my floppy disks seem to be infected as well. Where can I get
this NAV Antivirus program? I would really like to know. Thanks a
million.

Steve Weller

------------------------------

Date: Mon, 25 Mar 1996 22:59:37 +0300
From: dekel@carmel.haifa.ac.il (L. DEkel)
Subject: Re: F-PROT, Opinions? (PC)
X-Digest: Volume 9 : Issue 42

F-PROT is my favorite; it saved the day several times when other AV have
failed (McAfee, Invirc - to name just 2). Just remember always to use the
latest update of F-PROT.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
L. DEkel
Email: dekel@carmel.haifa.ac.il
'''''''''''''''''''''''''''''''

------------------------------

Date: Mon, 25 Mar 1996 21:27:55 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Neuroquila (PC)
X-Digest: Volume 9 : Issue 42

Dan Wright writes:

>McAfee Viruscan (7/95) detects Neuroquila or Nightfall virus in files,
>has no remover.
>
>Files are in a directory called Sentry that does not show on a tree,
>attempts to delete files result in "access denied". Over 700 files show
>up in a DIR, in the form #a1b2lrs.ms or some variant of this name. 8 of
>these are infected according to McAfee. These files are being created
>daily, some show dates before the computer was purchased.

Please try a newer version. I believe I had a false id with the first
version of the code, which was from about that time.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 25 Mar 1996 17:27:09 -0800
From: Jared Williams
Subject: Netscape virus? (PC)
X-Digest: Volume 9 : Issue 42

The other day my Thunderbyte anti-virus program discovered two .com files
in my Netscape's cache and said that they were suspicious files with
garbage.
I executed it and had my printer off. Everything went fine. The program
went to DOS and the .com file tried to access the printer, but since it
was off it was unsuccessful. I got out of DOS and killed the file
afterward using Thunderbyte.

What I wanted to know is how did they get there? Did a virus possibly get
downloaded into my cache through a Java program or something else
perhaps?

Thanks to any who can provide me with an answer!

Jared Williams

------------------------------

Date: Tue, 26 Mar 1996 01:32:59 +0000 (GMT)
From: alan gan
Subject: Theta virus ..... anybody got solutions??? (PC)
X-Digest: Volume 9 : Issue 42

I'd just encountered Theta virus in one of my users' PC. Does anyone
know how to deal with it?? Would appreciate some info from anyone. I'd
tried killing it with McAfee SCAN 2.2.9 with success.

------------------------------

Date: Tue, 26 Mar 1996 01:42:48 +0000 (GMT)
From: "Luciano A. Martinez"
Subject: Jerus X (PC)
X-Digest: Volume 9 : Issue 42

Has anyone heard of this virus? I ran a virus detection utility on my PC
and it told me I had Jerus X. I was just wondering if anyone knows what
to do about this virus, and some noticeable side effects.

------------------------------

Date: Mon, 25 Mar 1996 23:05:10 +0300
From: dekel@carmel.haifa.ac.il (L. DEkel)
Subject: Re: Michelangelo recovery methods (PC)
X-Digest: Volume 9 : Issue 42

Zvi Netiv (netz@actcom.co.il) wrote:

: IN ALL OTHER CASES USE ResQdisk Professional (ResQpro). With disks that

What a "nice" "objective" advice coming from a ResQdisk salesman... your sig.
tells it all :
"
: - --------------------------------------------------------------------
: NetZ Computing Ltd, Israel Producer of InVircible & ResQdisk
: Voice +972 3 532 4563, +972 52 494 017 (mobile) Fax +972 3 532 5325
: Web sites: http://invircible.com/ Anonymous ftp: ftp.invircible.com
: E-mail: netz@actcom.co.il netz@invircible.com Compuserve: 76702,3423
: - --------------------------------------------------------------------
"

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
L. DEkel
Email: dekel@carmel.haifa.ac.il
'''''''''''''''''''''''''''''''

------------------------------

Date: Sat, 23 Mar 1996 16:27:25 -0500
From: Sayitmean
Subject: 634K of RAM--virus? (PC)
X-Digest: Volume 9 : Issue 42

I don't know the name of this virus, but my memory shows 634K. I can't
run the 32 bit access through Windows. I looked on the FAQ but didn't see
any reference to it. Can someone help?

Kim

------------------------------

Date: Sat, 1 Jan 1994 21:04:04
From: philski@spirit.com.au
Subject: anticmos?? Help (PC)
X-Digest: Volume 9 : Issue 42

Help!!! I am running 486 dx4 120 award with 12 meg ram win 95. My problem
is that I get a "checksum error defaults loaded" and/or "cmos battery
failed" but it is a brand new mo'board and I have replaced battery since
first occ! Please help me I'm melting.

PS I have tried clean boot with fdisk/mbr and formatting hd.

------------------------------

Date: Tue, 26 Mar 1996 18: