VIRUS-L Digest    Sunday, 7 Apr 1996    Volume 9 : Issue 44

Today's Topics:

    VB96 Conference Submissions
    Re: Mcafee support stinks
    Help with Croatia virus
    Re: Mcafee support stinks
    Help Possible Virus
    Re: QUESTION: Email Viruses
    had antiexe now lost "d" drive (NT)
    Re: Floppy Disk TSR scan software (PC)
    Re: Good Mac Virus Software (MAC)
    Is this a VIRUS? (WIN95)
    Re: AntiEXE triggers McAfee problems? (WIN95)
    Re: TBAV says WIN95 CD infected? (WIN95)
    Re: Devices disappearing--virus? (WIN95)
    Re: TBAV says WIN95 CD infected? (WIN95)
    Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
    Re: Winword/Scanprot/Fprot questions (PC)
    Re: Tai_Pan438 Virus (PC)
    Recommended A-V software (PC)
    Re: Could this be a virus? (PC)
    Re: Date set to 2096--virus?? (PC)
    Trabajo_hacer.b Virus (PC)
    ripper virus (PC)
    Re: RITT.6917 virus--false positive from SCAN 2.2.11? (PC)
    Re: 10b7 (PC)
    Junki Virus: Infection (PC)
    mem = 639K (PC)
    Re: Virus??? (PC)
    Re: Readiosys - is it real? (PC)
    Intermittent Problems with No Apparent Cause (PC)
    Re: Virus??? (PC)
    Re: LAN-based virus protection advice wanted (PC)
    Re: Disappearing Partitions (PC)
    NAV updates (PC)
    Re: Winword/Scanprot/FProt questions (PC)
    636k total base memory...virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 29 Mar 1996 15:43:05 +0000 (GMT)
From: Ian Whalley
Subject: VB96 Conference Submissions
X-Digest: Volume 9 : Issue 44

Virus Bulletin is in the process of finalising the timetable for its sixth annual conference [VB96], and is interested in receiving submissions on further topics, amongst which are:

* Macro viruses: beyond Word
* Writing virus-proof Macro environments
* Virus exchange over the Internet
* Viruses in Java
* Virus exchange bulletin boards
* Virus spread on Massive Area Networks (NetWare 4+)
* Scanning transformed files (e.g. ZIP, MIME, PGP [!] etc.)

Anyone interested is invited to submit a brief abstract either to me or to Alexandra Hothersall (Conference Coordinator) on ah@virusbtn.com. The conference takes place on 19/20 September, 1996, at the Grand Hotel in Brighton, England. Abstracts should be received on or before April 5th 1996.

Best,
Ian.

- -----------------------------------------------------------------------------
|---Ian Whalley, Editor, Virus Bulletin Magazine---|-Author of Project VGrep-|
|-Direct/Office/Fax: +44-1235-544039/555139/531889-|-virus name xref system--|
|-Key CRC: 2A02 96E5 5D77 4C8D EB22 146F E03B A0D3-|-Get it from the web at:-|
|-Unix/NT/W95/Win32/C/x86/Sed/Awk/Perl/Sh/Html/VBA-|http://www.virusbtn.com/ |
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 29 Mar 1996 10:33:47 -0700
From: Jim Powlesland
Subject: Re: Mcafee support stinks
X-Digest: Volume 9 : Issue 44

In article <0012.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>, lf wrote:
>I bought VirusScan 95, and my current version recognizes me as a
>licensed user.
>Whenever I try to update it from the FTP site, I get a
>"thank you for evaluating" message when I run the updated version, and
>it no longer recognizes me as a licensed user. Over a month period, I
>have sent four emails to support@mcafee.com, without response. I'm
>ready to dump the program and try Norton. Any suggestions?

Just download the dat* file updates (i.e., dat-9603.zip) and install them. It will update your licensed executables and not change them to the non-licensed evaluation versions.

- -
Jim Powlesland                  | OFFICE: 403-220-7937
University Computing Services   | MESSAGE: 403-220-6201
University of Calgary           | FAX: 403-282-9199
Calgary, Alberta CANADA T2N 1N4 | URL: http://www.ucalgary.ca/~powlesla/

------------------------------

Date: Sat, 30 Mar 1996 02:58:42 +0000 (GMT)
From: ggaziano@capecod.net
Subject: Help with Croatia virus
X-Digest: Volume 9 : Issue 44

Does anyone have any info on the Croatia virus or know of an AV program to clean it?

Thanks
Ggaziano@capecod.net

------------------------------

Date: Sat, 30 Mar 1996 00:22:29 +0000 (GMT)
From: Robert Michael Slade
Subject: Re: Mcafee support stinks
X-Digest: Volume 9 : Issue 44

lf (leaf@ix.netcom.com) wrote:
: it no longer recognizes me as a licensed user. Over a month period, I
: have sent four emails to support@mcafee.com, without response. I'm
: ready to dump the program and try Norton. Any suggestions?

This course of action is known as "out of the frying pan and into the fire" :-)

Try F-PROT, Dr. Solomon's, or VET.

------------------------------

Date: Sat, 30 Mar 1996 02:54:21 +0000 (GMT)
From: Syahrul Sazli Shaharir
Subject: Help Possible Virus
X-Digest: Volume 9 : Issue 44

After I run certain programs, everything crashes one by one.. (a popup message appears: "[program name] encounters an error (or something like that), the application will be closed"), and after a few more clicks the Explorer fails (with the same popup message) and then Win 95 crashes.
If this is a virus problem, what apps can be used to kill it?

Thanks.

Sazli
ssazli@eniac.seas.upenn.edu

------------------------------

Date: Fri, 29 Mar 1996 21:58:36 -0500
From: Doug Muth
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 44

In article <0002.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>, Greg Rice writes:
: I'm wondering, why isn't an email virus possible? I read that no one
: really needs to worry about loading an email message from a service
: like AOL or Compuserve and receiving a virus on their home PC.
: Wouldn't it be possible to write code that is an attached .EXE file and
: is called into downloading itself by the 'read mail' action of the
: service provider?

To clarify, if someone had a UNIX shell account on an ISP and had something set up so that attachments are automatically decoded, execution wouldn't be practical. You see, under UNIX, a program must be compiled from its source (usually C) on each system since each system has different hardware and different versions of UNIX. Therefore, this rules out problems with shell accounts.

: I realize that if there was such a code, it would be service provider
: specific, but it seems plausible.

The other scenario, which would require a SLIP/PPP connection, wouldn't be ISP specific, but rather specific to the machine of the user. The user could configure his machine, most likely running MS-DOS/Windoze/Win 95, to decode and execute (no compilation required here, just send the binary) attachments. In this respect, it is possible for a file infecting virus to be transmitted via e-mail. However, it would be extremely STUPID of the user to configure their software to run EXEs in this manner.

My apologies for going off-topic with the explanation of UNIX, etc. but I felt it would help me make clear exactly what I was trying to say.
Regards,

- - - ------| Finger dmuth@oasis.ot.com for
- -----| PGP public key and geek code
Anti-virus software and utils:   | The Transformers fanfiction:
~dmuth/virus/virus.html          | ~dmuth/tf/tf.html
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=-

------------------------------

Date: Sun, 31 Mar 1996 04:46:15 +0000 (GMT)
From: Jeff Jarrell
Subject: had antiexe now lost "d" drive (NT)
X-Digest: Volume 9 : Issue 44

This is the history:

1. Got new PC.
2. The 1.6 gig disk was formatted as 1 drive="c"
3. Wanted to partition disk so used FIPS, a Linux utility, to make c:=900 meg and d:=600 meg.
4. Installed Windows NT on c: and formatted d: as NTFS.
5. Was infected by antiexe.
6. Mcafee for NT detected it but couldn't remove it.
7. Norton for NT detected it and removed it.
8. Re-booted pc and now all I have is a C: drive 900 meg.
9. FDISK says it is 1.6 gig.

Anyone have any ideas? Please.

I've learned my lesson the hard way. I will invest in anti-virus software. Hopefully my negligence by not having protection earlier didn't cost me 600 meg of my drive.

Sincerely,
Jeff

------------------------------

Date: Sun, 31 Mar 1996 03:16:36 +0000 (GMT)
From: Benedict Tam
Subject: Re: Floppy Disk TSR scan software (PC)
X-Digest: Volume 9 : Issue 44

Warwick Mortensen wrote:
>I was wondering what's the best Anti Virus program on the
>market that will scan a floppy disk when you put it in the
>drive? It must be the TSR that does the scan. Not a menu
>driven program.

NAV, it scans A:

Cheers.

------------------------------

Date: Fri, 29 Mar 1996 09:56:02 +0000 (GMT)
From: David Harley
Subject: Re: Good Mac Virus Software (MAC)
X-Digest: Volume 9 : Issue 44

Joerg Erdei (a8101gbb@helios.edvz.univie.ac.at) wrote:
: On non-networked Macs, installing the free Disinfectant is sufficient in
: most cases (but it cannot scan compressed files).

Nor does it detect (or claim to detect) hypercard infectors, macro viruses, or trojans.
However, it does a good job on other viruses, it's very well-behaved, and includes excellent on-line documentation.

David Harley

------------------------------

Date: Fri, 29 Mar 1996 07:56:33 +0000 (GMT)
From: aver@isomedia.com
Subject: Is this a VIRUS? (WIN95)
X-Digest: Volume 9 : Issue 44

I am having a problem with various programs in Win95 with 32 meg of ram on a Pentium 133, including NewsXpress 2.0, Netscape 2.0, Pc-Cillian 95, mIRC 3.92, Mplayer and Explorer. My problem is that they keep performing an illegal function and locking up the program; here are some of the errors that I have gotten while running them. Is this some kind of virus (though I have run McAfee, Norton and Pc-cillin 95 without finding any) or a memory problem? Any clues as to how to fix this would be really helpful.

Error #1

NX caused an invalid page fault in module NX.EXE at 0137:0041e8de.
Registers:
EAX=00000000 CS=0137 EIP=0041e8de EFLGS=00010202
EBX=00dfff78 SS=013f ESP=00dffbd8 EBP=00dffbe4
ECX=00000000 DS=013f ESI=0080b070 FS=0d8f
EDX=81a8db56 ES=013f EDI=0080b044 GS=0000
Bytes at CS:EIP:
8a 04 01 88 03 43 ff 47 28 66 ff 4d 10 75 eb 33
Stack dump:
004204a9 00000008 81559478 00dfff94 004204ff 0080b044 00dfff78 00000002 004204a9 00000008 81559478 00000000 00000000 00000000 00000000 00000000

Thanks,
Jen
aver@isomedia.com

[Moderator's note: Jen submitted eight more stack dumps I haven't posted. Anyone keen on deciphering them should contact Jen for more details.]

------------------------------

Date: Fri, 29 Mar 1996 07:10:06 -0500
From: "Bob Witham Jr."
Subject: Re: AntiEXE triggers McAfee problems? (WIN95)
X-Digest: Volume 9 : Issue 44

J.Gonzalez wrote:
> I just came across the AntiEXE virus. One of my users detected it on
> a floppy he had and brought it up to me because his antivirus software
> could not remove it (cheyenne's Inoculan). I have the newest
> VirusScan for Windows95 from Mcafee.
> I placed the disk in my system,
> right mouse clicked on the B: drive icon and selected "Scan for Virus".
> BOOM, I got a weird, DOS-like screen saying that it had detected the
> AntiEXE virus and gave me the option of cleaning it, which I did.
> Right after, I clicked on the B: drive icon again and my computer
> locked up. So, I just tossed the disk. Now, my computer has been
> crashing repeatedly. Naturally I have Mcafee's scanner running all
> the time, I even scanned my entire harddrive, but my PC's still acting
> weird. Has anyone else had this problem? What can I do? HELP!

There is apparently a problem with the SCAN95 cleanup of ANTIEXE. It seems to corrupt the diskette. The best method of cleaning any virus is to cold-boot from a clean DOS diskette, and use SCAN A: /CLEAN to get rid of the infection. SCAN.EXE and the data files are found in the SCAN95 directory C:\Program Files\McAfee

I had a similar problem, and someone else reported the problem here a few weeks ago. At that time, one of the McAfee reps said he was going to look into it. I haven't heard anything from them since, but then I have not checked the BBS for a WIN95 update either.

Bob W.

------------------------------

Date: Fri, 29 Mar 1996 16:45:31 +0000 (GMT)
From: Vegas Griff
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 44

"Richard K.C. Ling" wrote:
>Hi! I just recently bought and set-up a DELL P166. After virus
>warnings from a 32-bit TBAV under WIN95, I killed the affected files
>and re-installed WIN95. Two of the same warnings appeared again during
>my first session. I finally did a full scan on my WIN95 CD and three
>files were revealed infected. They are:
>OTHER\CHANGE CP\1253.BIN
>WIN\95\OEMSETUP.BIN and
>WIN\95\SAVE32.COM

I have been having a similar problem using TBAV for Win95 Ver.700! I am getting Heuristic flags on several files either residing on, or newly installed from, the MS Win95 upgrade CD ROM.
I am not a virus expert, but I think common sense would indicate that the Win95 install CD is probably NOT INFECTED. If it is, then you and I, and about 250 trillion other Win95 users are done for! And if that is the case, why fight it? There would be no escape from a virus like that!!!!

Below please find three separate log reports from scans I ran this morning. Please note that when I scan the CD ROM directly, I get different results depending on whether I have selected "Full Scan All Drives", or "Scan CD ROM Only"! Go Figure......?

VIRUS SCAN #1  Scan CD ROM ONLY (E:\)
**************************************************************************
TBAV for Windows 95 - (C) Copyright 1989-1996, Thunderbyte B.V.
TBAV for Windows 95 virus detection report, 29-3-1996 08:33:10.
** Unregistered evaluation version. Do not forget to register! **

E:\OTHER\CHANGECP\1253.BIN    might be infected by an unknown virus

Found 1552 files in 273 directories, 112 files seem to be executable.
1 files are infected by one or more viruses.

VIRUS SCAN #2  Scan LOCAL DRIVES (C:\, D:\)
**************************************************************************
TBAV for Windows 95 - (C) Copyright 1989-1996, Thunderbyte B.V.
TBAV for Windows 95 virus detection report, 29-3-1996 08:35:22.
** Unregistered evaluation version. Do not forget to register! **

D:\WIN95\INF\DRVIDX.BIN       might be infected by an unknown virus
D:\WIN95\INF\DRVDATA.BIN      might be infected by an unknown virus
D:\WIN95\COMMAND\SYS.COM      might be infected by an unknown virus
   F  Suspicious file access. Might be able to infect a file.
   Z  EXE/COM determination. The program tries to check whether a file is a COM or EXE file. Viruses need to do this to infect a program.
D:\WIN95\SYSTEM\UNICODE.BIN   might be infected by an unknown virus

Found 12924 files in 652 directories, 625 files seem to be executable.
4 files are infected by one or more viruses.

TBAV for Windows 95 - (C) Copyright 1989-1996, Thunderbyte B.V.
VIRUS SCAN #3  Scan ALL FIXED DRIVES (C:\, D:\, E:\)
**************************************************************************
TBAV for Windows 95 virus detection report, 29-3-1996 08:37:24.
** Unregistered evaluation version. Do not forget to register! **

D:\WIN95\INF\DRVIDX.BIN       might be infected by an unknown virus
D:\WIN95\INF\DRVDATA.BIN      might be infected by an unknown virus
D:\WIN95\COMMAND\SYS.COM      might be infected by an unknown virus
   F  Suspicious file access. Might be able to infect a file.
   Z  EXE/COM determination. The program tries to check whether a file is a COM or EXE file. Viruses need to do this to infect a program.
D:\WIN95\SYSTEM\UNICODE.BIN   might be infected by an unknown virus
E:\OTHER\CHANGECP\1251.BIN    might be infected by an unknown virus
E:\OTHER\CHANGECP\1252.BIN    might be infected by an unknown virus
E:\OTHER\CHANGECP\1253.BIN    might be infected by an unknown virus
E:\OTHER\CHANGECP\XLAT737.BIN might be infected by an unknown virus
E:\OTHER\MISC\EPTS\PTS.BIN    might be infected by an unknown virus
E:\OTHER\OLDMSDOS\SIZER.EXE   might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   A  Suspicious Memory Allocation. The program uses a non-standard way to search for, and/or allocate memory.
   K  Unusual stack. The program has a suspicious stack or an odd stack.
E:\WIN95\SAVE32.COM           might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   M  Memory resident code. The program might stay resident in memory.
   U  Undocumented interrupt/DOS call. The program might be just tricky but can also be a virus using a non-standard way to detect itself.
   @  Encountered instructions which are not likely to be generated by an assembler, but by some code generator like a polymorphic virus.

Found 14476 files in 924 directories, 737 files seem to be executable.
11 files are infected by one or more viruses.
**************************************************************************

Sincerely
Griffith C. Kwiat

[In other words, what you would expect if you ran a fairly paranoid heuristic virus scan over a CD of new OS software for your platform??-- Moderator.]

------------------------------

Date: Fri, 29 Mar 1996 19:32:06 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Devices disappearing--virus? (WIN95)
X-Digest: Volume 9 : Issue 44

Douglas Grimes writes:
>Last month I was running Disk Defragmenter under Windows 95 after
>terminating all running programs when it reported an error and locked up
>my PC. The error was something like this, 'The file retrieved has
>changed.' Then I ran Scandisk to check for errors. It reported that it
>found an error and fixed it. I ran Scandisk again to check if it really
>corrected the error. Scandisk reported the same error again. I let
>this go on for a couple of days when I started losing my devices - my
>hard drives, CD-ROM, sound card, video card, etc.. During this time
>when I pulled up the Control Panel it was taking up to 10 minutes to
>open. So, I decided to reformat my drives and reinstall my software.
>After a couple days the same symptoms started to show up again. I
>purchased a copy of McAfee's Virus Scan 95 and ran it. Virus Scan
>reported that no virus was found. I finally did an unconditional
>format and reloaded all of my software. To this day I have not had any
>other problems.
>
>I am a system engineer and have good technical knowledge. So, I am
>positive that I did not do anything 'Stupid'. Some of my programmer
>friends thought, based on the symptoms, it sounded like I had a new virus
>they heard about called SATAN. Could this have been a virus or is this
>some strange thing under Win95? If so, which one? Is there such a
>thing called the Satan Virus, because I have never heard of it?
My experience with disappearing devices says that at some point, you converted your Win95 to not use 32-bit access, and most of the devices in Win95 have drivers that rely on 32-bit access. You will have this experience if you also get hit by a boot sector virus.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 29 Mar 1996 19:31:14 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 44

Wed, 20 Mar 1996 17:01:00 +0000 (GMT) "Richard K.C. Ling" Wrote:
>Hi! I just recently bought and set-up a DELL P166. After virus
>warnings from a 32-bit TBAV under WIN95, I killed the affected files
>and re-installed WIN95. Two of the same warnings appeared again during
>my first session. I finally did a full scan on my WIN95 CD and three
>files were revealed infected. They are:
>
>OTHER\CHANGE CP\1253.BIN
>WIN\95\OEMSETUP.BIN and
>WIN\95\SAVE32.COM
>
>Can this be possible?

Yes. But it seems more likely to be a false positive. Remember that TBAV has some flags that can be set to make it more sensitive (high heuristics, for example) or not.

As a rule I suggest ALL THE PEOPLE WHO HAVE SIMILAR PROBLEMS send the "suspicious files" directly to the author of the program. I suppose that this helps the AV industry a lot and gives special feedback to AV writers.

Regards
Ruben Arias

- ------------------------------------------------------------------------------
Ruben M. Arias
E-Mail: Ruben@RALP.Satlink.net
Buenos Aires - ARGENTINA
RALP - Computer Security - Virus
- ------------------------------------------------------------------------------

------------------------------

Date: Fri, 29 Mar 1996 02:41:23 -0500
From: "Bruce P. Burrell"
Subject: Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
X-Digest: Volume 9 : Issue 44

Mike Blackwell (mike.blackwell@pnn.com) wrote:
> I'm a Mac user (please, no flames :), and need help diagnosing a friend's
> PC problem.
> She has a 286, and doesn't know how much RAM or HD space she
> has, so I'd assume it's whatever's standard.

No such thing as "whatever's standard", I'm afraid, though some configurations are more likely than others. Shouldn't matter in this case, though.

> Recently, she recalls hearing
> strange sounds from the hard drive, and the next time she booted, her hard
> drive was empty: a "DIR" command revealed no files.

This was after booting from the hard drive? And she succeeded in reaching a DOS prompt, right? She wasn't just looking at a screen with nothing on it (at all!), just typing DIR in the hopes of getting something, I'm assuming.

> The computer store that sold it to her told her she'd been struck by the
> Michelangelo virus, which, as I understand it, is programmed to go off on
> a certain date (March 6?) and delete the hard drive directory.

Worse than that. Michelangelo, if booted on March 6th of any year, will attempt to overwrite the first 17 sectors of the first 4 heads of the first 256 cylinders of the first hard drive. Most all hard drives have at least that many sectors, heads, and cylinders, so 8.5MB gets zapped, including the Master Boot Record and a lot of other stuff. Since there is no Partition Table, none of the partitions will be accessible; hence attempting to boot from the hard drive will fail totally, and a floppy boot followed by DIR C: will probably result in "Invalid drive specification".

> However, the virus had to have been on the hard drive to begin with,
> since she has no modem,

Can't get Michelangelo over the modem, though other viruses can be transferred that way, albeit rarely.

> and by her admission, she hasn't used a floppy in a couple of years.

At **all**? I believe her if she says it, but that strikes me as unlikely. I should point out that it suffices to spread Michelangelo to a hard drive by having an infected diskette in the A: drive when the machine is booted, whether by intent or power surge.
Doesn't have to be a "bootable" floppy either.

> One would think Michelangelo would have struck 12 months ago,

Not necessarily; the computer would have had to have been *booted* on that day, not just left on. Also, if that one infected floppy was in the A: drive at any time during the subsequent year when the machine was booted, the virus would have invaded after March 6th '95 anyway.

> so I'm having trouble accepting a viral diagnosis.

I don't necessarily have a problem with a viral diagnosis, but if she described the situation correctly as you've portrayed it, then I reject the possibility of a _Michelangelo_ infection. Were that the case, one could never get to the C: prompt on a hard drive boot to type DIR, and I suspect if the hard drive didn't show up at all she would have mentioned that.

> She has no anti-viral, diagnostic, recovery, or backup software of her
> own, so I advised her to leave the machine turned off and wait until I can
> learn something.

Reasonable suggestion. There are several topnotch AV software packages available on the 'Net; some are even free for individual, non-commercial use.

> I suggested she get a second opinion from another store,
> but at $25 per opinion, I don't blame her for being loath to do so.

If it's Michelangelo, a recovery will be expensive in one way or another. If she decides to do it herself, it will cost time and a lot of agony. If she decides to pay a professional, she'll find her purse a lot lighter. And if she just starts over from scratch, that's expensive in its own right. But the symptoms described are not those of Michelangelo.

> While I'm a consultant for Macs, I have only a rudimentary knowledge of
> the PC world, and would appreciate any advice you can offer. Thanks in
> advance for your input. E-mail replies are preferred; I read too many
> newsgroups already. :)

Done, as well as a 'News followup. Sorry not to do so sooner; it just appeared on my newsserver.
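The sector arithmetic and the "no Partition Table" symptom described in the reply above, as an added example that is not part of the original post or of any product mentioned in this digest: it sizes the overwrite from the figures given (17 sectors x 4 heads x 256 cylinders) and classifies a first sector by whether it still carries an MBR boot signature and partition entries. The helper names and the sample MBR are constructed for this example.

```python
"""Added example, not from the VIRUS-L post: size the overwrite described
(17 sectors x 4 heads x 256 cylinders of 512 bytes) and triage a first
sector for a surviving MBR. Helper names and sample data are constructed."""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
# status, CHS start, type, CHS end, LBA start, sector count (16 bytes)
PARTITION_ENTRY = "<B3sB3sII"


def overwritten_bytes(sectors=17, heads=4, cylinders=256, sector_size=SECTOR_SIZE):
    """Bytes covered by overwriting the first `sectors` sectors of the first
    `heads` heads of the first `cylinders` cylinders (the post's figures)."""
    return sectors * heads * cylinders * sector_size


def parse_mbr(sector):
    """Parse one 512-byte sector as a classic MBR: the 0x55AA boot signature
    and the four 16-byte partition entries. Empty entries are skipped."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * index
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PARTITION_ENTRY, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "sectors": count,
        })
    return {"signature_ok": sector[510:512] == MBR_SIGNATURE,
            "partitions": partitions}


def assess_mbr(sector):
    """Triage verdict for a first sector:
    'intact'        - boot signature present and at least one partition entry
    'no_partitions' - signature present but the partition table is empty
    'no_signature'  - entries present but the 0x55AA signature is missing
    'overwritten'   - neither; the state the post describes, where a floppy
                      boot followed by DIR C: gives "Invalid drive specification"
    """
    info = parse_mbr(sector)
    if info["signature_ok"] and info["partitions"]:
        return "intact"
    if info["signature_ok"]:
        return "no_partitions"
    if info["partitions"]:
        return "no_signature"
    return "overwritten"


def build_sample_mbr():
    """Constructed MBR: a dummy jump stub, one bootable FAT16 (type 0x06)
    partition starting at LBA 63 with 1,000,000 sectors, and the signature."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\xFF\xFF", 63, 1_000_000)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    print("sample MBR   :", assess_mbr(healthy), parse_mbr(healthy)["partitions"])
    # A zero-filled first sector stands in for what is left once the region
    # the post describes has been overwritten: no signature, no table.
    print("zeroed sector:", assess_mbr(bytes(SECTOR_SIZE)))
    size = overwritten_bytes()
    print(f"overwrite extent: {size} bytes = {size / 2**20:.1f} MiB")
```

The 8.5MB figure in the post is exact in binary megabytes: 17 x 4 x 256 x 512 = 8,912,896 bytes = 8.5 MiB.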
-BPB

------------------------------

Date: Fri, 29 Mar 1996 13:15:30 +0000
From: Szappanos Gabor
Subject: Re: Winword/Scanprot/Fprot questions (PC)
X-Digest: Volume 9 : Issue 44

In Digest: Volume 9 : Issue 39 "Charles M. Robinson" wrote:
>We've had a major spreading of the Winword/Concept virus here at work.
>The latest version of FProt (2.21) finds .DOC files with this macro virus
>just fine.
>
>The problem is this: We've downloaded the "scanprot" file from Microsoft
>which scans all .DOC files and "cleans" them of this macro virus. Lo and
>behold, the documents no longer affect the operation of Word. This is good.
>
>What is BAD is, F-Prot still finds the string in the .DOC files and still
>reports them as infected with the CONCEPT virus.

I think that SCANPROT did not really disinfect the documents, only saved them as documents. It means that the macros are physically present in the file, but since it is not a template any more, they are "disconnected", never executed. F-PROT still finds the search strings in the documents since the macros were not actually removed.

>My guess is that we either need a newer version of F-Prot, or a newer
>version of the "scanprot" macro from Microsoft. Has anybody else run
>into this problem?
>
>Currently, the workaround is that we run fprot with the /nodoc parameter
>- but I would like to know when DOC files are actually infected. There's
>gotta be a better way!

You can open the documents with Word (don't worry about the auto macros, they won't be executed in a document) and save them as templates. Then you can either manually delete the macros (with Tools|Macro) or disinfect with F-PROT.

Szapi

------------------------------

Date: Fri, 29 Mar 1996 07:20:01 -0500
From: Bill lambdin
Subject: Re: Tai_Pan438 Virus (PC)
X-Digest: Volume 9 : Issue 44

>Can someone give me some info on this little bug.

Taipan.438 is an infector of .EXE files. The virus is appended to the files. Infected files grow in size by 438 bytes.
It hooks INT 21h, and steals 496 bytes of RAM. The virus is not stealthed, polymorphic, encrypted, or deliberately destructive.

You can find the following text in the infected files, "WHISPER PRESENTRAR TAIPAN"

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 29 Mar 1996 07:20:04 -0500
From: Bill lambdin
Subject: Recommended A-V software (PC)
X-Digest: Volume 9 : Issue 44

I recommend the following scanners.

AVP
Dr. Solomon's Anti-Virus Toolkit (commercial)
F-Prot
Integrity Master
Norman Data Defence (commercial)
Scan
TBAV

I recommend the following generic virus detectors.

ARF A-V utilities
F-Prot Professional (commercial)
Integrity Master
PC-cillin (commercial)
PC-Rx (commercial)
Untouchable (Commercial, but no longer supported)
Victor Charlie.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 29 Mar 1996 13:54:06 +0000 (GMT)
From: David Harley
Subject: Re: Could this be a virus? (PC)
X-Digest: Volume 9 : Issue 44

Gail Rider Craig (Mac.NewsWatcher@epix.net) wrote:
: A friend asked me for help on this and I was hoping I could find some
: answers for him here. He has a 386 running a custom database for his
: work. There were 8 mgs left on the hard disk and his son tried to install
: Borland Visual Turbo C++ which was supposed to be only 4 mgs.

It may not be relevant to the problem, but I wonder which product has actually been installed here? Visual C++ sounds like Microsoft (takes a lot more than 4Mb for a minimum installation, as does Borland C++). I don't have recent experience of Turbo C++, but 4Mb still sounds light. Even my aged Turbo C vs. 2 takes up the best part of 2Mb.
Could this have been the Borland Visual Solutions Pack? I've never heard of Borland being implicated in any virus spreading incident: if the disks are original disks, previously unused or, if used, write-protected, the risk of any virus infection from them is negligible.

: Half way
: through the installation, he received a hard disk error message and quit
: the installation.

I assume this is a disk read/write error. This could be due to

* The installation routine needing more space than was available to unpack compressed files. This is particularly likely on a compressed drive, where the amount of drive space left can not be calculated to the last byte but changes dynamically. If it's not a compressed drive, it's less likely, at least with a Borland installation, which are usually pretty well-written.

* A hardware problem with the drive.

Viruses don't usually generate this sort of problem when they *infect*, though they might when they *trigger*.

: The next time the computer was booted up, it had changed the load
: sequence,

Do you mean it was running the same programs in a different order, or that it wasn't running everything it ought to? If the latter, this might well be explained by a

: changed the color of the screen,

Is that in applications, or at the DOS prompt? It may be that ANSI.SYS was installed previously, and used to change the screen colours at the DOS prompt. In that case, it's likely from the description of the symptoms here that either CONFIG.SYS or AUTOEXEC.BAT has been lost or modified.

: asks for the date and time each
: time you boot up

That sounds like a missing AUTOEXEC.BAT. It may have been trashed while the installation routine was trying to modify it. Look for files in the root directory with names like AUTOEXEC.BAK, AUTOEXEC.001 etc.: it may be possible to put it back together fairly painlessly from that. It may be worth checking if CONFIG.SYS is there at the same time, and if not, seeing if it can be reassembled from CONFIG.BAK etc..
: and appears to have erased some of the custom database
: files.

Have you actually checked that the files are physically there? If you're getting FILE NOT FOUND or something similar, it may be the required files are no longer on the command path, which would be a likely consequence of a trashed AUTOEXEC.BAT.

: Is this a virus and, if it is, what program can he purchase to clean it up?

Not impossible, but not the likeliest problem. However, he should certainly invest in some virus protection. It's possible to get some excellent shareware/freeware packages, but perhaps in this case it would be worth buying a reputable commercial package with printed manual, monthly or quarterly updates, and proper telephone support. I'd suggest F-Prot Pro or Dr. Solomon's AntiVirus ToolKit. However, I'll mail you an FAQ with some resources information. The FAQ for this newsgroup is also well worth reading (and referenced in the FAQ I'm sending you).

You should also consider the possibility that the hard disk is either physically damaged in some way or has sustained damage to the directory structure. Depending on which version of DOS/Windows he may be running, you could start by running SCANDISK or CHKDSK to see if they report any errors. If so, it may be appropriate to ask for further advice before accepting any suggestions of remedial action offered by those programs. By all means mail me, if you wish.

: If you could respond directly to my e-mail address it would help me
: facilitate this for him since I can't always access the newsgroups.

Done.

David Harley
Support & Security Analyst
ICRF

------------------------------

Date: Fri, 29 Mar 1996 14:08:35 +0000 (GMT)
From: "Steven C. Zinski"
Subject: Re: Date set to 2096--virus?? (PC)
X-Digest: Volume 9 : Issue 44

In article <0031.01I2V51VSHUQS24DPB@csc.canterbury.ac.nz>, bc6571@scs.ubbcluj.ro says...
>Does anyone know of a virus that sets the date & time control forward?
>(ex: to 2096).
>If you try to set back the date your c: drive's FAT will be
>damaged. The only way (that I found) to correct this error is: reboot from
>a floppy and run the NDD.EXE and some of the files will be damaged, OR set
>the time back to 2096 !?
>
>I tried to find the "bug" with F-Prot 2.21 and Tbav650 without success.
>I need emergency help.
>
>(My battery isn't dead!)

I work at a university and have come across numerous instances of the date jumping ahead 100 years. Unlike your problem, we (University Computing) have never had a problem setting the date back to the correct year. We have a suspicion that the problem is caused by a buggy program. We regularly use Eudora, WinQVT, Netscape, Trumpet Winsock and Word Perfect (Perfect Office). We also have F-PROT and VIRSCAN loaded on the affected machines and no virus has ever been detected. Changing the date back to 1996 seems to fix the problem. If you are able to nail down the cause of this problem, PLEASE let us know!

--Steve

------------------------------

Date: Fri, 29 Mar 1996 11:00:58 -0500 (EST)
From: Richard Buchanan
Subject: Trabajo_hacer.b Virus (PC)
X-Digest: Volume 9 : Issue 44

Our network is showing occasional infections of "trabajo_hacer.b" (MBSR virus), which is the name given by Norman Data Defense Systems v.3.50 (espejo by F-PROT). I have heard some "rumors" that the virus must be removed by April or it will cause some HD damage. Have you heard anything; when/where created, and if there is anything to the "rumor" concerning April? Appreciation in advance for your efforts.

Richard Buchanan

------------------------------

Date: Fri, 29 Mar 1996 11:52:16 -0500
From: Peter Young-Hong
Subject: ripper virus (PC)
X-Digest: Volume 9 : Issue 44

I have a ripper virus. I tried using FPROT to clean the virus. However, FPROT returns the message "ALERT! Multiple sections infection have been found. This means that the section which should contain the original boot sector is itself infected.
FPROT will not attempt to remove the virus." Can I clean this virus without formatting my hard drive?

Thanks in advance.

------------------------------

Date: Fri, 29 Mar 1996 19:42:28 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: RITT.6917 virus--false positive from SCAN 2.2.11? (PC)
X-Digest: Volume 9 : Issue 44

Patrick Noyens writes:

>While scanning my system with SCAN V. 2.2.11 I got some files infected
>by the 'RITT.6917' virus... at least that's what McAfee's SCAN told
>me.
>
>I scanned my system with several other major scanners :
[snip]
>I scanned with these scanners after cold-booting from a clean system
>disk.
>
>None of the scanners reported an infection. So, could this be a false
>positive from McAfee's SCAN V. 2.2.11 ?

Yes it was, and thank you for bringing it to my attention directly. We removed the offending files, and the package which has been available since March 19th no longer has this problem. That package is numbered 22C.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 29 Mar 1996 19:36:51 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: 10b7 (PC)
X-Digest: Volume 9 : Issue 44

"Stephen E. Clarke" slcfv@cc.usu.edu writes:

>Does anyone know if any other virus detection program currently detects
>and cleans the 10b7 virus besides Microsoft Anti-Virus. Also I recently
>purchased Warcraft 2 and it appears that the save game files become
>corrupted with this virus directly from the game executable. Has anyone
>else experienced this.

No one outside of Symantec seems to know what Central Point called the 10b7 virus. And you'd be hard pressed to find anyone at Symantec who does either, since they support NAV much more than CPAV. So we can't answer the first issue. But the second issue is that this whole thing is probably a false id, as it has been reported as a false id for years now.
Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 29 Mar 1996 15:06:25 -0400 (EDT)
From: Kim Graham
Subject: Junki Virus: Infection (PC)
X-Digest: Volume 9 : Issue 44

I am asking for assistance to combat a virus (or possible re-infection) called "JUNKI". Following is a short run-down of the system and problems.

I am on a job placement at Sheridan College (co-op student). The network (single room) consists of 20 PCs. We are running on a Novell 3.12 and 4.10 platform. There is a dual-boot option for the original DOS 6.2 / Win 3.11 or Windows 95.

The problems started with a warning when booting into 'original DOS/Win 3.11':

"The following file is missing or corrupted: COMMAND.COM"
"The following file is missing or corrupted: COMMAND.COM"
"Type the name of the command interpreter (e.g., c:\windows\command.com)"
"C>"

I restarted the computer with a Novell boot disk (write-protected). The command.com was visible on the 'C:' drive. Next I used McAfee's 2.3.0 and scanned the hard drive. It found and cleaned the "junki virus". This virus attached itself to any file with a ".com" extension, including Netware IPX.COM, DI.COM, etc. Also infected were the Win95 files having any ".com" extension.

After cleaning I rebooted from the hard drive. The same messages came up. I used clean files and overwrote each of the ".com" files. The fix seemed to take hold. The only problem was an environment error when opening a DOS prompt from Windows 95. I thought that to be a configuration error.

A week later the same computer has the "command.com" missing or corrupted. I rescanned the hard drive with the same McAfee scanner after booting from a boot disk. It found no infections.

Can anyone give me some help? I.e., has anybody come across this virus, and how do you combat it? Do you think this is just a hardware problem the second time around? Should I just reformat the drive and wish it good-bye?
(Doing that when I had a "monkey virus" caused a lot of unnecessary work.)

Thanks. You can reach me @ kimberley.graham@sheridanc.on.ca

****************************************************************
Kim Graham                    e-mail:
Novell & Teleconference       kimberley.graham@sheridanc.on.ca
Lab Technician                Voice Mail: (905) 815-4040 X3742
****************************************************************

------------------------------

Date: Fri, 29 Mar 1996 12:00:32 -0800
From: Andrea Brenton
Subject: mem = 639K (PC)
X-Digest: Volume 9 : Issue 44

I have a system (Acer Altos 486sx/33) that shows only 639K total conventional memory. Usually that means a virus. I have scanned, done fdisk /mbr, but it always comes up the same. Am I missing something? Please send me e-mail directly, as our new server seems to be a few days behind.

Thanks
abrenton@hurwitz.com

[Moderator's note: For some machines 639KB is "normal". This is discussed in the FAQ if you are looking for coverage of how to tell if 639KB is normal for your PC.]

------------------------------

Date: Thu, 28 Mar 1996 12:04:07 +0000 (GMT)
From: Jan Hruska
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 44

>To see a world in grain of sand, and heaven in a wild flower
>Hold infinity in your hand
>And eternity in an hour
>
>The virus 16\3\91
>
>I have tried a clean boot disk. but it won't recognise my hard disk.
>My virusscanner is also unable to access my hard disk.

You have had Maltese Amoeba, a.k.a. 'Irish' or 'Grain of Sand'. Infects COM and EXE files, memory resident. A destructive, fast-infecting polymorphic virus which overwrites the first four sectors of tracks 0 to 29 of the hard disk and any diskette in the disk drive, if the date is 1st November or 15th March of any year. A psychedelic screen effect follows. When the machine is powered up, a fragment of a poem (The Auguries of Innocence) by William Blake (1745-1827) appears on the screen and the machine hangs. Infection happens at load-and-execute and file close.
For full analysis see Virus Bulletin, December 1991.

>What to do?

If you need the data from the hd, you or a (usually expensive) data recovery company could salvage a good deal of it. Otherwise, low-level reinitialise your hard disk and restore from backups. Make sure that you use a positively uninfected restore program and then virus check the restored files.

------------------------------

Date: Fri, 29 Mar 1996 22:32:59 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Readiosys - is it real? (PC)
X-Digest: Volume 9 : Issue 44

Cy Ulberg writes:

>I inherited an old computer at work that Intel virus software labeled as
>infected with "readiosys." When the hard drive was disinfected,
>everything on the c: drive was corrupted. The same thing happened to a
>floppy I tried to disinfect. I find various references to "readiosys" as
>a well-known false positive on the Web. If it is well-known, why does
>the latest version of Intel software detect it, and corrupt disks? The
>same software says my home computer is also infected. Before I crash
>another hard drive, I'd like to find out what is going on. I haven't yet
>received a satisfactory response from Intel. Can anyone help?

Intel OEMs this software from Trend Microsystems. Trend has recently (or maybe not that recent) opened offices in CA. Give them a call.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Sat, 30 Mar 1996 08:28:33 +0000 (GMT)
From: Chana Rossman
Subject: Intermittant Problems with No Apparent Cause (PC)
X-Digest: Volume 9 : Issue 44

I am encountering some strange computer problems at work, and although I'm not convinced we've encountered a virus, I thought I'd investigate the possibility. This message is rather long (sorry) but I tried to include as much information about the problem as I could. I'd appreciate any suggestions you have regarding this, as I am about out of ideas.

Here's the environment:

Our department maintains seven college computer labs containing various types of computer hardware.
In one lab, we have 20 486 DX computers running DOS v 6.22. We are also running Windows for Workgroups. (We have an isolated Ethernet network if it matters...) Recently, we installed Microsoft Office. The software on the computers is identical on every system. (We set up one master system at the beginning of the quarter, then electronically transfer data to each of the other systems through a parallel connection.)

The Problems:

I realize that I may be dealing with several different problems -- but I am listing all of them just in case:

* Occasionally, when students attempted to change fonts in Windows-based programs, the application crashes. It is not isolated to a particular font. The errors seemed random.

* On over half the systems, Excel is giving an error saying one of the library files is missing.
  - We examined directory listings of working machines vs. non-working machines -- no difference in file count, file size, or file dates.
  - We FDISKed and reformatted the computers which were having problems. We then copied the data from a working machine to a non-working machine. Excel worked. Within one day, Excel failed again.
  - We reinstalled MSOffice from the installation disks. Excel worked. Within a day, Excel started failing again.

* On over half the systems we are experiencing file corruption. One day everything will be fine. The next day, files are corrupted. Once one file becomes corrupted, it is as if a cascade failure occurs! (Note: which files are corrupted on each system varies. Some of the corrupted files on some systems are Windows related. On other systems, it's the DOS-based apps.)

We have compared the CMOS settings between working and nonworking machines -- there are no differences. We have checked the specific hard drive make and models in the various computers -- there are no differences. And yes, we have run virus scans (F-PROT and McAfee) -- nothing has shown up.

Does anybody have any ideas, virus or otherwise? I'd be very happy to hear them!
Thanks in advance
Chana
bonney@interpath.com

------------------------------

Date: Sat, 30 Mar 1996 10:40:24 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 44

Fri, 15 Mar 1996 19:33:14 +0000 (GMT) Herbert Slaghekke wrote:

>Can anyone tell me what the following message on my screen means?
>
>To see a world in grain of sand, and heaven in a wild flower
>Hold infinity in your hand
>And eternity in an hour
>
>The virus 16\3\91

You're (regrettably) infected with the "Grain of Sand" virus, also called "Maltese Amoeba" or "Irish". This program is a resident .exe and .com infector. Activation dates are November 1st and March 15, and the virus overwrites boot areas of the hard disk. After overwriting, it hangs the machine and displays the poem that you describe above.

>I have tried a clean boot disk. but it won't recognise my hard disk.
>My virusscanner is also unable to access my hard disk.
>
>What to do?

I suppose that other AV packages could help you well. You don't describe which one you use, but give a try to:

- Integrity Master v 2.61b
- F-prot v 2.22

Regards
Ruben Arias

- ------------------------------------------------------------------------------
Ruben M. Arias
E-Mail: Ruben@RALP.Satlink.net
Buenos Aires - ARGENTINA
RALP - Computer Security - Virus
- ------------------------------------------------------------------------------

------------------------------

Date: Sat, 30 Mar 1996 09:17:52 -0500
From: Mike Michalowicz
Subject: Re: LAN-based virus protection advice wanted (PC)
X-Digest: Volume 9 : Issue 44

Glenn Rabut wrote:

> We are a graduate school of social work with a Novell LAN with 2 file
> servers and approx. 200 nodes, including 2 computer labs. We would
> like advice on LAN-based virus protection schemes that you have found
> successful. We are interested in:
>
> 1. Ease of installation and maintenance of virus updates.
> 2. Cost
> 3. Effectiveness
> 4.
> Availability of updates when new viruses appear
>
> What has worked well for you? Thanks for your assistance.

In my experience (I have installed about 50 LANs with some sort of virus protection), the following approach is the best:

1. Install both an NLM (on Novell systems, of course) anti-virus engine on each and every server, and install a disparate anti-virus engine on each workstation. The reason you want two different packages from two different manufacturers is that they often use different scanning algorithms and signatures, hence increasing your chance of still detecting the virus even if one scanner misses it. The best combo of products out there are Intel VProtect NLM for your server (it does ship with a workstation client, but to better your protection I would not use it), and McAfee ViruScan for your workstation.

2. Updating VProtect is so easy. Just copy the new signature pattern into the Vprotect directory. That's it! To disseminate the McAfee updates, you can write a simple batch file (using the DOS replace.exe command, for example).

3. Cost - There probably are cheaper alternatives, but this one is cost effective.

This, I feel, is the best protection out there. If you want to protect hundreds of thousands of dollars' worth of data, this is the way to go. If you need help, you may contact me.

Mike Michalowicz
Inter-Com, Inc.
ici@planet.net
P (201)252-1100
F (201)252-9119

------------------------------

Date: Sat, 30 Mar 1996 10:23:40 -0800
From: Evan Hand
Subject: Re: Disappearing Partitions (PC)
X-Digest: Volume 9 : Issue 44

Chaim Krause wrote:

> I was hoping someone could shed some light on this for me. It is
> probably a hardware problem, but last night it happened on a second
> machine and made me wonder if it might be a virus.
>
> I have read every posting in this newsgroup that my news server carries
> and can't find anything related, so I felt a new posting was in order.
>
> Here is a fairly detailed description of my problem.
> There are some
> things that I am sure I am leaving out, but as I wasn't planning on
> having these problems I didn't keep a diary
[snip]

I have had similar problems in upgrading my machine. I was able to solve the problem by contacting the drive manufacturer through the Web. I would recommend that you do a web search for your drive manufacturer and look for help there. I was able to find the updated software for my drive on the web server, downloaded it, and have not had problems since. I was also able to find specific setup information for a friend's machine/drive combination that I was asked to repair in the same way.

Good luck in solving your problem,
Evan

------------------------------

Date: Sat, 30 Mar 1996 20:41:53 +0000 (GMT)
From: Paul Hollinger
Subject: NAV updates (PC)
X-Digest: Volume 9 : Issue 44

I'm running Win 3.1/DOS 6.2 and have Norton AV, ver 3, installed. I'm trying to update the program with the UPDATEME.EXE file that I d/l'ed into a temp dir called c:\nav1st. When I go to the C prompt and type (as noted in the READ ME file directions) "update c:\nav1st" I get a msg stating "bad command or file name". I don't know what to do now. Any/all help would be greatly appreciated! Have asked other groups & Norton for help on this but have gotten no response. (BTW, this is my 1st attempt at updating the Norton AV program.) ...Thanx, Paul.

------------------------------

Date: Sat, 30 Mar 1996 16:41:01 -0700
From: "James R. Bunch"
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 44

Charles M. Robinson wrote:
[snip]
: The problem is this: We've downloaded the "scanprot" file from Microsoft
: which scans all .DOC files and "cleans" them of this macro virus. Lo and
: behold, the documents no longer affect the operation of Word. This is good.
: What is BAD is, F-Prot still finds the string in the .DOC files and still
: reports them as infected with the CONCEPT virus.
[snip]

I've run into similar problems with macro fragments left by the old Micro$loth scan document & Vi-Spy. The fragments the scanner doc left were enough to trigger Vi-Spy. The newer scanprot.dot scanner seems to have eliminated the problem with Vi-Spy, but obviously not with F-Prot. I think we'll be seeing these problems for a while now, at least till the AV vendors get 100% up to speed on _both_ detection and cleaning.

- ----------------------------
James R. Bunch         "A Byte is a terrible thing to waste ...
jbunch@primenet.com     ... a MByte 1048576 times worse"
PGP Key available via finger
PGP Key fingerprint = B5 31 10 77 BF B0 FD B2 10 54 CB E6 13 7C 26 58
- -----------------------------

------------------------------

Date: Sat, 30 Mar 1996 20:07:29 -0700 (PDT)
From: eriko@phoenix.net
Subject: 636k total base memory...virus? (PC)
X-Digest: Volume 9 : Issue 44

I am running Win95 *shudder* and whenever I run a DOS prompt and type mem I come up with 636K _TOTAL_ base memory. This didn't happen before, so something must have happened. I also received a message that my master boot records were changed and that might be from a virus. When I reboot in MS-DOS mode I get 638K total base memory. I have run McAfee Scan for Windows ver 2.2.9 and it doesn't detect anything. Does anyone have any ideas? Thanx, email replies would be great!

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 44]
*****************************************
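Editor's worked example (added here; not code from any VIRUS-L poster, vendor or the FAQ). Two questions in this digest come down to the same missing step: comparing content against a known-good baseline rather than against a listing. The lab post compared file counts, sizes and dates across machines and saw no difference before corruption came back, which a listing cannot catch when a file is rewritten in place; the last post saw 636K base memory plus a "master boot record changed" warning and no scanner detection. The script below hashes a directory tree so two machines' contents can be diffed exactly, and parses a 512-byte MBR dump (boot code, partition table, 0x55AA signature) so a current dump can be compared with one taken when the machine was known clean. It assumes you can save the first sector of the disk to a file (a disk editor under DOS, or dd on a modern system); the sample files and the MBR images it builds are constructed for the demo, not taken from a real disk.

```python
"""Baseline-and-compare checks for two questions that recur in this digest:
"the directory listings match, yet files keep corrupting" (the lab post) and
"my master boot record changed and base memory dropped" (the last post).
Editor-added example, not code from any VIRUS-L poster or vendor. Sample
files and the 512-byte MBR images below are constructed for the demo."""
import hashlib
import os
import struct
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest.
    Comparing file counts, sizes and dates, as the lab post did, cannot
    see in-place corruption; comparing content hashes can."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(good, suspect):
    """Compare a known-good manifest with one taken from a suspect machine."""
    return {
        "changed": sorted(p for p in good if p in suspect and good[p] != suspect[p]),
        "missing": sorted(p for p in good if p not in suspect),
        "added": sorted(p for p in suspect if p not in good),
    }


def parse_mbr(image):
    """Parse a 512-byte MBR dump: boot-code hash, the four 16-byte partition
    entries at offset 446, and the 0x55AA signature at offset 510."""
    if len(image) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:            # empty slot
            continue
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        partitions.append({"bootable": entry[0] == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(image[:446]).hexdigest(),
            "partitions": partitions}


def compare_mbr(baseline, current):
    """Changed boot code with an intact partition table is the classic
    boot-sector-infector pattern (and also what FDISK /MBR rewrites); a
    changed table points at FDISK use or a trashed partition sector instead."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_changed": a["partitions"] != b["partitions"]}


def make_mbr(boot_code, partitions):
    """Build a constructed MBR image for the demo (not a real disk's MBR)."""
    img = bytearray(512)
    img[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = 446 + 16 * i
        img[off] = 0x80 if bootable else 0x00
        img[off + 4] = ptype
        img[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def demo():
    """Two constructed lab machines with identical listings (same names, same
    sizes) but one differing byte, plus a baseline and a rewritten MBR."""
    good_dir, bad_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    for d, payload in ((good_dir, b"EXCEL LIB v1"), (bad_dir, b"EXCEL LIB v2")):
        with open(os.path.join(d, "excel.dll"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(d, "winword.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 30)
    file_report = diff_manifests(build_manifest(good_dir), build_manifest(bad_dir))

    table = [(True, 0x06, 63, 2000000)]       # one bootable FAT16 primary partition
    baseline = make_mbr(b"\xfa\x33\xc0" + b"\x90" * 40, table)
    rewritten = make_mbr(b"\xeb\x1c\x90" + b"\x90" * 40, table)  # new code, same table
    return file_report, compare_mbr(baseline, rewritten)


if __name__ == "__main__":
    print(demo())
```

Take the baseline (the manifest and the MBR dump) from a machine booted from a write-protected, known-clean floppy, store it off the machine, and re-run the comparison when symptoms reappear; a manifest that changes overnight on an idle lab machine narrows the search to whatever ran in between, whether a virus or a buggy installer. The base-memory figure deserves the same treatment: note what the clean boot reports, since the FAQ's point is that 639K is normal on some hardware and only a change from that machine's own baseline is evidence.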