VIRUS-L Digest Monday, 8 Apr 1996 Volume 9 : Issue 45 Today's Topics: Administrivia (ADMIN) SWAMP - An April Fools Virus Hoax (PC) Re: QUESTION: Email Viruses Re: McAfee Dishonesty Mcafee 2.2.11 Word DOC problem? Re: Is MEANING.EXE a Trojan horse? What REALLY matters in Commercial Anti-Virus Software Re: QUESTION: Email Viruses Re: How to Contact Command Software Re: Trojan? - "Meaning of Life" AV to check Internet Mail? Help with resources for computer virus paper Re: What REALLY matters in Commercial Anti-Virus Software Re: help- possible virus that causes auto reboot Re: help- possible virus that causes auto reboot Re: Can two hard drives help keep viruses controlled? Re: Trojan? - "Meaning of Life" vsumx603.zip Virus Information Hypertext Summary List Possible danger to Flash BIOS and ROM LAN antivirus for Windows NT (NT) Re: One byte added to .EXEs in Explorer (WIN95) Re: McAfee 2.0 for Win95 "feature" (WIN95) Re: McAfee 2.0 for Win95 "feature" (WIN95) Virus or not (WIN) Re: A small change to Word for Windows (WIN) Re: Wanted TSR checks A: as used (PC) AntiEXE virus (PC) Re: Is ARJ 2.8 a trojan? (PC) Re: Possible virus--adds to command.com (PC) SPIRIT infection! (PC) Re: Help w/ possible boot sector virus (PC) Re: HELP stoned.michelangelo virus!!! (PC) Re: Floppy Disk TSR scan software (PC) 1200 virus - how to remove? (PC) Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC) Re: Wanted TSR checks A: as used (PC) HELP with unknown virus (PC) AntiCMOS virus (PC) Effectiveness of DOS Scanners in Win95 (PC) Re: Wanted TSR checks A: as used (PC) Re: An aftereffect of Natas (PC) Re: "Dis is one half" messages-Virus? (PC) Re: NYB Virus (PC) Re: Is ARJ 2.8 a trojan? (PC) 639K mem (PC) Re: Directory problem (PC) Re: Wanted TSR checks A: as used (PC) Ripper question (PC) Viruses that reset top of memory (PC) Re: Jackal.B (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu. Nick FitzGerald ---------------------------------------------------------------------- Date: Mon, 08 Apr 1996 00:25:07 +1200 (NZT) From: Nick FitzGerald Subject: Administrivia (ADMIN) X-Digest: Volume 9 : Issue 45 Please folks--no more "is PKZIP300 a virus" or "PKZIP300 is a virus" posts. I've answered many personally, and will not approve anymore of them for posting unless something new comes up. If you want the low-down on this issue, contact PKWare themselves (http://www.pkware.com is a good place to start if you have a web browser). Another "hot" issue, though with noticably fewer messages, has been the "SWAMP virus". This appears to be another hoax virus warning, somewhat along the lines of Good Times. I guess a good indication of it being a hoax is that it has been posted nearly everywhere -except- where the virus experts typically hang out... For a critical look at part of it, see the following message forwarded to the list by Tom Zmudzinski. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332 Virus-L/comp.virus moderator and FAQ maintainer PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83 ------------------------------ Date: Tue, 02 Apr 1996 07:51:04 -0500 (EST) From: Tom Zmudzinski Subject: SWAMP - An April Fools Virus Hoax (PC) X-Digest: Volume 9 : Issue 45 _____________________________ Forward Header _____________________________ Subject: [C4I-Pro] An April Fools Virus Hoax-no joke Author: David M Kennedy at smtp Date: 4/1/96 6:11 PM There's a new virus hoax making the rounds, it has not yet hit the big time like Good Times, but it's still a hoax, semi-believable and has the potential to become another Good Times. The purpose of this message is to educate others to recognize the hoax for the joke that it is. The hoax virus is called Swamp. There is no such virus. In the alert are several references to today's date. Perhaps a big tip off to the silliness of it is in this paragraph: > Background > Experts in many countries have been working on ways > to improve the carrying capacity, or bandwidth, of existing > networks using techniques such as multiplexing. > Scientists from the Avril Institute in Bern, Switzerland, > have developed a technique whereby a small number of > molecules of various substances can be attached to data > at the bit level. Their goal is to cease using the bit as > a data item and to use it merely as a carrier for the data. > The data is physically mapped onto the molecules using > the protons and electrons, the neutrons and neutrinos > being used for control information and parity checking. > > Use of this technique will expand the capacity of a > network by the data capacity of the molecules. The data > carrying capacity of the bit will depend on the size of the > attached molecules. The only identified drawback with > this development is that a high speed communications > link is required. This is because the molecules must > remain in a gaseous state to stay attached to the bit. > To remain in this state they require the friction - and > consequent heat - developed by the high speed link. > As soon as the friction and heat are removed the > molecules condense and lose their data carrying > capacity as well as their attachment to the bit. Regards, Dave Kennedy [US Army MP] [CISSP] ------------------------------ Date: Sun, 31 Mar 1996 14:57:39 From: ruben@ralp.satlink.net Subject: Re: QUESTION: Email Viruses X-Digest: Volume 9 : Issue 45 Tue, 12 Mar 1996 23:15:21 +0000 (GMT) Greg Rice wrote: >I'm wondering, why isn't an email virus possible? I read that no one >really needs to worry about loading an email message from a service >like AOL or Compuserve and recieving a virus on their home PC. I suppose You're thinking in a on-line compilation when message is recieved by the user. I suppose too that this could be possible in Unix. Are You thinking in Virus or Worms ??? >Wouldn't it be possible to write code that is an attached .EXE file and >is called into downloading itself by the 'read mail' action of the >service provider? You need a very special OS to do this (see above). Thanks GOD exist a VERY large diversity of software for e-Mail. The virus should be well programmed to include all the possible environments in which survive or replicate. Thanks GOD nobody programmed this yet. >I realize that if there was such a code, it would be service provider >specific, but it seems plausible. Plausible but difficult. I really Hope that people do MORE productive things that program some kind of evil. [BTW, don't give they good ideas! :-) ] Regards Ruben Arias - ------------------------------------------------------------------------------ Ruben M. Arias _ _ _ | ) |_| | |_) | \ | | |_ | E-Mail: Ruben@RALP.Satlink.net Buenos Aires - ARGENTINA RALP - Computer Security - Virus - ------------------------------------------------------------------------------ ------------------------------ Date: Sun, 31 Mar 1996 21:33:30 +0000 (GMT) From: "Derek V. Giroulle" Subject: Re: McAfee Dishonesty X-Digest: Volume 9 : Issue 45 Hunter wrote: [your Mc Afee ordeal snipped] >One of my main considerations in purchasing the McAfee Viruscan was its >two-year free updating service. It's rather disingenuous of them to >nullify that promise almost immediately after my purchase. It took two >months to figure out what was happening, not counting the frustrating >hours confronting their BBS and the exasperating "Out of Memory" message >from VShield. I'd like to get a refund, but can't get any response from >them. You might of course leave them some more possibilities then just a refund, you might get some possitive reactions. There's some McAfee staff on this conference and in alt.comp.virus, you might retrieve some email addresses out of that and write then directly. Dirk.Giroulle@ping.be http://www.ping.be/~ping0010 Life is like a peepshow, through a little window you never get to see what you went in for (based on fvu's definition of panning) ------------------------------ Date: Mon, 01 Apr 1996 02:03:53 +0000 (GMT) From: John Bongiovanni Subject: Mcafee 2.2.11 Word DOC problem? X-Digest: Volume 9 : Issue 45 For some reason I can't get Mcafee Scan 2.2.11 to reliably scan for macro viruses in Microsoft Word DOC files. For example, if I'm in a subdirectory with other subdirectories under it which contain DOC files, the command SCAN *.* /SUB only seems to scan DOC files that are in the same directories as EXE files. Also, the command SCAN *.DOC /SUB doesn't find anything to scan, though there are plenty of DOC files there. These behaviors are verified by using /RPTALL. Am I doing something wrong, or is there something wrong with SCAN? - - FINGER for PGP public key - John T Bongiovanni ------------------------------ Date: Mon, 01 Apr 1996 11:27:08 +1000 From: Anthony Hancock Subject: Re: Is MEANING.EXE a Trojan horse? X-Digest: Volume 9 : Issue 45 Regarding the Meaning of Life program: I isolated my machine, tried it and then scanned my PC afterwards. No apparent damage. It is just a cute little annoying VB program, I don't think it has malicious intent. Tread carefully though, In case I am wrong... ------------------------------ Date: Sun, 31 Mar 1996 22:30:29 +0000 (GMT) From: Iolo Davidson Subject: What REALLY matters in Commercial Anti-Virus Software X-Digest: Volume 9 : Issue 45 In article <0002.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz> 74777.171@compuserve.com "Enrico DePaolis" writes: > Take a look at the EMD Armor line. It is different then the rest > of the AV pack. Prevention is stressed and we don't get you > on the updates. Heck we don't have updates since we tackle > the virus before it attacks the system. I'm sure I saw you claim that the EMD package could be updated in another newsgroup. Most AV software also tackles the virus before it attacks the system, by the way. All you have to do is scan software and disks before using them. Some software packages have resident programs that do this automatically. - - WE CAN'T BUT WE DO SUPPLY PROVIDE YOU THE BEST DARN BAIT WITH A DATE Burma-Shave ------------------------------ Date: Mon, 01 Apr 1996 14:09:39 +0000 (GMT) From: Richard Evans Subject: Re: QUESTION: Email Viruses X-Digest: Volume 9 : Issue 45 Greg Rice (wyldryce@ix.netcom.com) wrote: : I'm wondering, why isn't an email virus possible? I read that no one : really needs to worry about loading an email message from a service : like AOL or Compuserve and recieving a virus on their home PC. : Wouldn't it be possible to write code that is an attached .EXE file and : is called into downloading itself by the 'read mail' action of the : service provider? : I realize that if there was such a code, it would be service provider : specific, but it seems plausible. A virus can only work if the receving computer is tricked in to running some infected code. This could be done by attatching an infected file to the mail message, but you would still need to run the infected file for the virus to work. Anothe possability is to include an ANSI escape sequence, to re define one of the keys on your keyboard, to do somthing that loads the virus. This is unlikly because very few machines would be set up with enough environment space for this to work. If you are paranoid about this then don't load ANSI.SYS. I have also heard that Netscape can be set up to do some undesirable things, but I don't know the details. Hope this answers some of your questions. Richard. [Moderator's note: One "udesirable thing" to do in Netscape or any other Mac or Windows application would be to automatically launch Word 6 (or 7 under Win95) to view what the app "thinks" are Word documents as they are received/opened/extracted.] ------------------------------ Date: Mon, 01 Apr 1996 09:23:16 -0500 From: Megan Squire Subject: Re: How to Contact Command Software X-Digest: Volume 9 : Issue 45 You can contact Command Software Systems at the following: 1061 E Indiantown Rd. #500 Jupiter, Fl 33477 (407)575-3200 (800)423-9147 http://www.commandcom.com sales@commandcom.com service@commandcom.com support@commandcom.com We thank you for your support, and for your interest in our products. -megan alexander malexander@commandcom.com ------------------------------ Date: Mon, 01 Apr 96 09:18:08 From: richardb@intecolor.com Subject: Re: Trojan? - "Meaning of Life" X-Digest: Volume 9 : Issue 45 On Thu, 21 Mar 1996, John Elsbury uttered: > I have had a couple of instances of people receiving a ZIPped Email attachment >- MEANING.ZIP - which they are invited to unpack and run. > > I have told staff not to run programs they don't trust... > Has anybody else come across this? yes, John. This is a "brain-teaser" application that runs under windows which has a button that moves away as your mouse gets close. The version that I have seen is MEANING.EXE, 197,376 bytes large. It is not worth running, since it is just one of those "IQ tests". The version here contains no virus, nor has it caused any damage in a controlled environment. (Incidentally, it fails under Win V4.0 (BETA) for some unknown reason - but I will not be investigating the reason. Maybe the author can try to fix it when he gets out of school for the summer ) Your advise is still good. Why bother with these joke programs? The risks far outweigh the benefits. Ein seliger Sprung in die Ewigkeit. ------------------------------ Date: Mon, 01 Apr 1996 14:00:02 -0500 From: Doug Burnett Subject: AV to check Internet Mail? X-Digest: Volume 9 : Issue 45 I am looking for a antivirus product that will check Internet mail attachments. I do not want software that runs on the PC but prefer something that either runs on the Novell server or the mail server itself. We have two different configurations. In the first case Internet mail to picked up by cc:Mail s Link to SMTP and moved immediately to the cc:Mail post office for distribution through a Novell 4. In the other, mail is picked up via UUCP by a mail server running LINUX and then distributed to users over Ethernet using FTP. Doug Burnett dburnett@booth-news.com Booth Newspapers Ann Arbor, MI ------------------------------ Date: Mon, 01 Apr 1996 16:02:54 -0500 From: SM014500 Subject: Help with resources for computer virus paper X-Digest: Volume 9 : Issue 45 I am in need of Help I have a research paper due on 4/15/96 on Computer Viruses. My thesis statement is...Computer Viruses can be anything from entertaining to dangerous. Now that I have actually started my research I have come to the conclusion that my surrounding area has less than 4 books on the subject! I can change my subject but I will lose 10 points for doing so. I am stuck! I have come up with an outline which follows Computer Viruses I How created a) creators b) Why created c) How created II How they work and affect computer a) Where they affect b) Different aspects of computers III How much damage can they do a) Different types b) Non dangerous Viruses c) Dangerous Viruses I would appreciate if you could send me in the right direction or any help You have to offer Please mail me I am in my senoir year and this is a requirement to graduate. please help me out. [Moderator's note: I've already pointed the poster to the FAQ and the references therein.] ------------------------------ Date: Mon, 01 Apr 1996 17:39:58 -0500 From: Doug Muth Subject: Re: What REALLY matters in Commercial Anti-Virus Software X-Digest: Volume 9 : Issue 45 In article <0002.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, Enrico DePaolis writes: : Take a look at the EMD Armor line. It is different then the rest : of the AV pack. Prevention is stressed and we don't get you : on the updates. Heck we don't have updates since we tackle ^^^^^^^^^^^^^^^^^^ : the virus before it attacks the system. Give it a try. If you : don't like it return it. That part really worries me, it sounds a LOT like something Zvi Netiv would say about his product. I'm not familliar with this product, but if it is an activity blocker, it would most definitely need updates for any new viruses that come out that could circumvent its protection. Any other AV people familliar with this product or who have tested it? Regards, - - - ------| Finger dmuth@oasis.ot.com for| "Est - -----| PGP public key and geek code | Sularus Anti-virus software and utils: | The Transformers fanfiction: | oth ~dmuth/virus/virus.html | ~dmuth/tf/tf.html | Mithas!" -=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- | ------------------------------ Date: Mon, 01 Apr 1996 17:44:47 -0500 From: Doug Muth Subject: Re: help- possible virus that causes auto reboot X-Digest: Volume 9 : Issue 45 In article <0006.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, ebbtide@cris.com writes: : I am having a problem that I think might be a virus. Without even : touching my computer, not even running a program, the computer re-boots : itself. Sometimes I can be in the middle of running a program and it : happens. There doesn't seem to be any rhyme or reason, it just reboots. : : [Moderator's note: Without more details about the machine it is hard to : know where to start. There most likely are viruses that unintentionally : or otherwise cause unprompted, spontaneous reboots, but in my experience : with PCs (is this a PC??) such symptoms are more likely due to hardware : faults (flakey RAM for example), over-optimistic BIOS/chipset settings : (too few wait states maybe) or memory manager problems (check EMM386, : QEMM, etc settings).] I would like to add as well that it may be an IRQ/address conflict. I came across this problem on a system once with the modem and mouse sharing the same IRQ. Regards, - - - ------| Finger dmuth@oasis.ot.com for| "Est - -----| PGP public key and geek code | Sularus Anti-virus software and utils: | The Transformers fanfiction: | oth ~dmuth/virus/virus.html | ~dmuth/tf/tf.html | Mithas!" -=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- | ------------------------------ Date: Mon, 01 Apr 1996 23:00:17 -0600 From: "R. Zalk" Subject: Re: help- possible virus that causes auto reboot X-Digest: Volume 9 : Issue 45 It appears to be hardware or at least that's what I would check 1st. #1. Check to see if your reset switch is stuck or contacts are bad. #2. Use a program such as Checkit to check system board and memory operations. Reboot often occurs when memory is bad. Also, check if there are any interrupt conflicts. #3. See if you have added something recently; hardware or software. Often your last edition to your system is the cause of problems. Good Luck, R. Zalk E-Z Computer Consulting Ltd. ez-zone@netmedia.net.il ------------------------------ Date: Tue, 02 Apr 1996 06:42:38 +0000 (GMT) From: Steve VanSlyke Subject: Re: Can two hard drives help keep viruses controlled? X-Digest: Volume 9 : Issue 45 It depends on the virus, if it is coded to do so, it can search and infect all drives. Also if it is a memory resident virus it will infect, any file executed ( unless it's executed from a write protected disk or from a read only media, such as a cd-rom.) *** Primitive Explination *** Hope it helps. Grogan !!! ------------------------------ Date: Tue, 02 Apr 1996 12:02:54 +0000 (GMT) From: Dominic Mancini Subject: Re: Trojan? - "Meaning of Life" X-Digest: Volume 9 : Issue 45 John Elsbury (jelsbur@clear.co.nz) wrote: : I have had a couple of instances of people receiving a ZIPped Email : attachment - MEANING.ZIP - which they are invited to unpack and run. : : I have told staff not to run programs they don't trust... : Has anybody else come across this? As far as I know, "The Meaning of Life" is not a trojan [as long as we're talking about the same program] - I've run it with no apparent untoward effects. It's a little windows program which is vaguely amusing, just the sort of thing which would get passed around as an e-mail attachment. I woud most certainly agree that you can't afford to take risks with unknown software. The brief amusment from programs like "The Meaning of Life" is not worth the risk to your data. Dom - --------------------------------------------------------------------------- Dominic Mancini, am4501@bris.ac.uk | Electrical and Electronic Engineering +44 (0)117 968 1438 | Badock Hall Network Administrator | University of Bristol, UK ------------------------------ Date: Tue, 02 Apr 1996 11:47:37 +0300 From: ts@UWasa.Fi (Timo Salmi) Subject: vsumx603.zip Virus Information Hypertext Summary List X-Digest: Volume 9 : Issue 45 Thank you for your contribution. This upload is now available as 1005932 Mar 31 11:08 ftp://garbo.uwasa.fi/pc/virus/vsumx603.zip : Date: Mon, 01 Apr 1996 06:06:03 -0800 : From: Randy Young : To: pc-up@uwasa.fi : Subject: VSUMX603.ZIP, Patricia Hoffman's latest update. : : File name: VSUMX603.ZIP : One line description: Patricia Hoffman's Virus Summary for Mar., 1996. : Replaces: VSUMX602.ZIP : Suggested Garbo directory: /pc/virus : Uploader name & email: Randy Young rwyoun1@pacbell.com : Author or company: Patricia Hoffman : Email address: : Surface address: : Special requirements: : Shareware payment required from private users: Y : Shareware payment required from corporates: Y : Distribution limitations: None : Garbo CD-ROM distribution allowed: Yes : Demo: No : Nagware: No : Self-documenting: Yes : External documentation included: Yes : Source included: No : Size: 987094 bytes : 10 lines description: Patricia Hoffman's "hypertext" led summary of most known : viruses with detection method, removal method, what they : do, brief history of them and much more. Also includes : her evaluation of the various virus detection and : removal programs around. Updated March 31, 1996. : All the best, Timo .................................................................... Prof. Timo Salmi Co-moderator of news:comp.archives.msdos.announce Moderating at ftp:// & http://garbo.uwasa.fi archives 193.166.120.5 Department of Accounting and Business Finance ; University of Vaasa ts@uwasa.fi http://uwasa.fi/~ts BBS 961-3170972; FIN-65101, Finland ------------------------------ Date: Tue, 02 Apr 1996 12:45:26 -0500 (EST) From: "Rob Slade, the famous sleep deprivation experiment" Subject: Possible danger to Flash BIOS and ROM X-Digest: Volume 9 : Issue 45 [In the AV field, we have been aware of the potential dangers of Flash BIOS for some time. I have not yet checked for the report mentioned in comp.firewalls, but if this does turn out to be real it will be confirmation of the danger. (It is quite possible that the report concerns a less dangerous piece of malware, such as a trojan.) - rms] RISKS-LIST: Risks-Forum Digest Monday 1 April 1996 Volume 17 : Issue 96 Date: Mon, 01 Apr 1996 15:14:09 WET From: "J.R.Valverde (jr)" Subject: Flash ROM virus A recent posting in comp.firewalls describes a new kind of PC virus. This one zaps the flash BIOS of Pentium motherboards. What makes it more interesting is that on the Endeavour EV-2 motherboards this behaviour is a killer, it renders it unusable; see: http://www.mrbios.com/ftp/big_risk.txt As it seems, this particular motherboard features: "(1) Its flash ROM does NOT implement a write-protected failsafe recovery "boot-block". (2) The flash ROM is soldered directly onto the system board. If anything at all happens to the flash that causes it to be inoperable, no practical method exists to restore it. No "recovery" utility can be run if the system won't boot." I can't but wonder what kind of demential design gave birth to such a sensitive piece of hardware: the BIOS ROM in a PC is a fundamental part of it: without it the machine is totally unusable. A FlashROM is by definition writable, and as such one can expect that a variety of circumstances may erase or rewrite it with bad data. And there are many! Not having a protected recovery block is bad enough. But soldering it so it can't be replaced is something I can't but qualify as "evil" (or "greedy" at least). The RISKs? Just let your imagination run wild: viruses like the 'Flash_killed' one, programming errors (yes, I've zapped the BIOS config of a PC this way a couple of times), power failures, using the wrong BIOS image or loader for an update, etc... Any of them (and many more) will render the machine totally worthless. ------------------------------ Date: Mon, 01 Apr 1996 09:39:50 +0100 From: Bertrand de COATPONT Subject: LAN antivirus for Windows NT (NT) X-Digest: Volume 9 : Issue 45 I and my company are looking for a LAN antivirus for Windows NT, client-server if possible and allowing to launch viruses scans from the server to DOS, Win 3.11 and Win 95 workstations. I don't know whether this product is a dream or not ... If you can help ! Bertrand de COATPONT DESCO - Paris ------------------------------ Date: Sun, 31 Mar 1996 15:08:08 From: ruben@ralp.satlink.net Subject: Re: One byte added to .EXEs in Explorer (WIN95) X-Digest: Volume 9 : Issue 45 Sun, 17 Mar 1996 09:06:57 +0000 (GMT) Gil wrote: >Using Windows 95, every time I look at the properties of an .EXE file >the file gets one byte bigger. If I set the file to read-only this >increase is prevented, but I have no idea if other changes are >happening. McAfee's Vshield w/95 is active and does not see any virus >activity. I have also booted from a clean write-protected DOS disk and >run McAfee's Scan 229e and it sees no virus. I believe this is a >virus, but have no idea what virus, or what program introduced it. I >have had a friend try the same operation on his computer and he had no >file size increase when viewing properties. >Also tried ThunderByte with same negative result. Any help would be >appreciated. Because You're checking this with two AV packages I suppose this have NO virus relation. I also read similar problems with addition of two bytes in other message posted here. This is a software Bug that may be corrected. Relax. Regards Ruben Arias - ------------------------------------------------------------------------------ Ruben M. Arias _ _ _ | ) |_| | |_) | \ | | |_ | E-Mail: Ruben@RALP.Satlink.net Buenos Aires - ARGENTINA RALP - Computer Security - Virus - ------------------------------------------------------------------------------ [Moderator's note: Indeed! See the post from Pete Turner (Pete_Turner@bakerbotts.com) with the Subject: "Bytes added to files (WIN95)".] ------------------------------ Date: Mon, 01 Apr 1996 15:16:12 +0000 (GMT) From: Benedict Tam Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95) X-Digest: Volume 9 : Issue 45 Zack Jones wrote: >>Score stands 1 with false alarms vs 1 without. Others? > >No false alarms and 1 positive hit on the anti-exe virus which was on >a floppy one of our customers brought to the office. > >The only odd behavior I've observed and I don't know if this is caused >by McAfee or something else, but everytime I shut down the computer it >tries to read the A Drive for a few seconds before I get the "It's >save to turn off your computer screen". > >Have you or anyone else observed this? I think it may cause by Norton Antivirus rather than Mcafee. ------------------------------ Date: Tue, 02 Apr 1996 18:01:24 +0000 (GMT) From: Thomas O'Donohoe Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95) X-Digest: Volume 9 : Issue 45 On 31 Mar 1996 16:09:56 -0000, Zack Jones wrote: >The only odd behavior I've observed and I don't know if this is caused >by McAfee or something else, but everytime I shut down the computer it >tries to read the A Drive for a few seconds before I get the "It's >save to turn off your computer screen". There is an option under the VShield properties to switch off scanning on shutdown. - - Thomas O'Donohoe http://www.users.dircon.co.uk/~mayo/ ------------------------------ Date: Sun, 31 Mar 1996 15:20:00 -0800 From: Vincent Taijeron Subject: Virus or not (WIN) X-Digest: Volume 9 : Issue 45 System: 486DX2/66 OS: dos 6.22 win 3.1 Problem: Can't tell if this a virus or a problem with windows. I'm inclined to think it's a problem with windows. This problem started about two days ago, up until that point this problem did not occur. It started after I entered the wrong registration code for a program called First Aid 95 which is supposed to run on win 3.1, when I rebooted the computer I got a GP fault. So I went and reinstalled it using the proper reg code, but still the same thing. So I decided not to use it and uninstalled it. I then got on the net and downloaded some window