VIRUS-L Digest Friday, 12 Apr 1996 Volume 9 : Issue 49 Today's Topics: Re: Mcafee 2.2.11 Word DOC problem? Re: Virus scanning tools running on Unix? (UNIX) Re: Calling All Experts? Help! (WIN95) Re: Identification (not detection): Dr Solomons vs F-Prot (PC) Re: Cmos-corrupting Virus (Monkey?) (PC) Scream 2b virus (PC) Re: Need Help Removing Stealth_C Virus (PC) Re: 634K of RAM--virus? (PC) Re: anticmos?? Help (PC) Re: how to get rid of Urkel (PC) Re: Jerus X (PC) Re: "loading bootstrap" message (PC) Re: McAfee Scan 2.3.0. Genuine? (PC) Re: WelcomB Virus (PC) Re: ANTI-CMOS virus (PC) Re: AntiCMOS virus (PC) Re: Could this be a virus? (PC) Re: Help: The IHC-virus does its work! (PC) Re: Multiple boot sector infections (PC) Re: Trabajo_hacer.b Virus (PC) Burglar 1150 virus on a Novel Network -- HELP!!! (PC) Re: MS Macro Virus Tool (PC) What AV software should I get? (PC) SVC Virus (PC) Re: !DELWINBOOT.sys (PC) Re: One Half virus - help! (PC) Re: Help with Diablo virus (PC) Re: Readiosys - is it real? (PC) Analyze.exe--Trojan Warning!! (PC) Telecom PT1 (PC) Re: Anti exe virus (PC) Where to get a virus check up grade? (PC) Re: An Aftereffect of Natas (PC) Re: Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC) Re: "loading bootstrap" message (PC) Re: Urkel virus (PC) Re: Winword/Scanprot/FProt questions (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. 
A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu. Nick FitzGerald ---------------------------------------------------------------------- Date: Wed, 10 Apr 1996 01:24:00 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Mcafee 2.2.11 Word DOC problem? X-Digest: Volume 9 : Issue 49 John Bongiovanni writes: >For some reason I can't get Mcafee Scan 2.2.11 to reliably scan for >macro viruses in Microsoft Word DOC files. > >For example, if I'm in a subdirectory with other subdirectories under it >which contain DOC files, the command > >SCAN *.* /SUB > >only seems to scan DOC files that are in the same directories as EXE >files. Also, the command > >SCAN *.DOC /SUB > >doesn't find anything to scan, though there are plenty of DOC files there. > >These behaviors are verified by using /RPTALL. Scan does scan the DOC files. But it figures out that they are not templates. So it doesn't take credit for "scanning" them. If it was a template, it would have scanned them. This is actually a matter in its reporting. The scanning activity actually does take place. >- - >FINGER for PGP public key - John T Bongiovanni Hi John. Jimmy cjkuo@alumni.caltech.edu, I mean cjkuo@mcafee.com ------------------------------ Date: Tue, 09 Apr 1996 20:43:04 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Virus scanning tools running on Unix? (UNIX) X-Digest: Volume 9 : Issue 49 Tom KC Basham writes: >I'm doing some work with an FTP site and we'd like the ability to scan >uploaded files on the server. (most of the uploaded files will be from the >PC world). Could anyone provide any leads on commercial/shareware/whatever >utilities? 
Please specify the UNIX you're running. As you probably know, one object module does not work for all *IX. McAfee offers a Linux and a Solaris (4, I think) scanner for PC viruses as would be used in your situation. Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 01:44:13 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Calling All Experts? Help! (WIN95) X-Digest: Volume 9 : Issue 49 Janis Decker-Frisk writes: >I am running Windows95, I have Dr. Solomon's Toolkit for Win95 V7.55 and >a current version of PC-Cillian loading on start up and running in the >background. I have IBM Anti-Virus v2.4.1 set to scan the same time every >day. All anti-virus tools were installed properly. My CMOS is set to >not allow floppy boots and I scan all files I download or I insert into >my drives. I am very diligent, a year ago I had Anti-EXE on my system, >and I learned an expensive lesson. Now the problem, twice when I was >changing my color from 24 bit to 256 colors, I have encountered a >bizarre graphic. When I change the color settings the system need to >reboot, after it starts backup the screen freezes for a moment, and on >it is a graphic that consists of small multi colored boxes with >characters in them, the most predominate one is a "smiley face." What >concerns me is that I am quite sure I have seen an identical graphic on >a web page that had virus screen shots. The only other strange thing >going on with my computer is that there is a file that I cannot delete, >I have tried deleting it in DOS, in Windows, using Uninstaller, I have >tried renaming it, and changing the attributes, but I always get a >message "access denied." Also, just recently I noticed that all .exe >files I download off the Internet are corrupt. So, I had the line >checked, bought a new modem, and checked with my ISP, but still I have >this problem. I realize that these problems could be totally unrelated >to the graphic, but I am giving you all the dirt on my computer. 
I have >not received any indication from any one of the scanners that I have a >virus on my system. Any assistance would be greatly appreciated, I setup >peoples systems for Internet access and I would hate to think I was >infecting anyone's system. Please respond to me personally through my >e-mail as well as posting on Virus-L, if you have any suggestions. happy faces: that's the character associated with ascii 1. If you get a momentary flash of all smileys, it would appear that your memory is initialized to 1s. cannot delete files: there are many files that you cannot delete. They are usually hidden, system files. They usually are swap files or some other system related file. To remove them, you would have to change their attributes first. But you realy don't want to remove them. What's the name of the file you're interested in? AVTK + PC-cillin: are you saying that both are resident and active throughout? If so, pick just one. You should only be using one TSR/VxD at any one time. Jimmy cjkuo@mcafee.com ------------------------------ Date: Tue, 09 Apr 1996 20:25:03 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC) X-Digest: Volume 9 : Issue 49 Iolo Davidson writes: [some snipping] >Ok, I see your problem. You were testing against a collection of >viruses. FindVurus goes into a rapid "review" mode when it >encounters more than about ten different viruses on a computer. >It does this because the situation is an unreal one indicating >that someone is doing a performance test, not coping with a >genuine virus outbreak. > >If you want it to do the exact identification that it would >normally do, there is a command line switch that makes it stay in >precise identification mode. I think it is /IDENTIFY. 
> >> I do know that these examples are somewhat arbitrary, and I still do >> believe that both products are among the best in their class, but I also do >> believe that we can draw at least some conclusions from these results. > >The conclusion is that you ran it on a collection of viruses and >it went into "review" mode. The word "like" is the giveaway. I am constantly hearing about "independent reviews" which give S&S a very high ranking. Are you saying that they have a special mode to recognize when they're being tested? Are the reviewers told about this? Jimmy cjkuo@mcafee.com PS. I always thought my job was to help users. I guess I'll have to add "win reviews" to my job duties. *sigh* ------------------------------ Date: Tue, 09 Apr 1996 16:29:55 -0400 From: Doug Muth Subject: Re: Cmos-corrupting Virus (Monkey?) (PC) X-Digest: Volume 9 : Issue 49 In article <0027.01I37FTNL19GSH3CBI@csc.canterbury.ac.nz>, Wayne Shanks writes: : Ther is mow a full blown epidemic in the Maryland area (maby overstated, : but I know of over 70 computers at dozens of sites infected). This : Virus deletes the Cmos setup info. You can go back in and reset : everything, but at the next reboot you have to do it again. My father : helps run the computer lab at the elemantary school where he teaches. A : bunch of the computer in the lab had these problems, and he thought the : clock/cmos went bad. These computers were IBM PS2. He talked with a : tech support guy at IBM, and the Tech guy thought that it was not a : Hardware problem, but a new Monkey Virus. The guy said It has poped up : in the last 6 months. When my father told me about this, a light went : on. For the last 2 or three months I have been hearing dozens of people : complain about there Cmos droping out. Well, it would be of some help if you actually ran some AV software on these systems and told us what the results were. 
IMHO, it SOUNDS like a hardware problem, but is so widespread that unless this is a defective shipment of computers, that there is either a virus or trojan/worm at work. : Do you know how to kill it. Like any other virus. Find out what the medium of infection is, (MBR, COM/EXE, DOC files) and disinfect or delete where there are instances of infection. Regards, - - - ------| Finger dmuth@oasis.ot.com for| "Est - -----| PGP public key and geek code | Sularus Anti-virus software and utils: | The Transformers fanfiction: | oth ~dmuth/virus/virus.html | ~dmuth/tf/tf.html | Mithas!" -=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- | ------------------------------ Date: Tue, 09 Apr 1996 15:34:38 -0500 (CDT) From: JACKSON Subject: Scream 2b virus (PC) X-Digest: Volume 9 : Issue 49 Would appreciate any information about the subject Scream 2b virus. Have had it, thought I got rid of it (by complete format), only to have it back again. Would love to know how/if can rid of this one, once and for all. Norton's Anti-Virus found it and named it when Dos Anti-Virus did/could not. Appreciate any information about it, and/or how to get it gone. Thank you. Dan Jackson-- ------------------------------ Date: Tue, 09 Apr 1996 21:18:22 +0000 (GMT) From: "Walter C. Dove" Subject: Re: Need Help Removing Stealth_C Virus (PC) X-Digest: Volume 9 : Issue 49 Brian Clark wrote: >A soon to be ex-student has been downloading infected "porno" pictures >off the net and contracted this virus. It has spread through the school. Well, FWIW, your soon to be ex-student may have been downloading nasty pictures, but he didn't infect your machine that way. ["Infected" pictures? Infected with what, and what AV product has detected the infection? This'll be a first if verifiable!] Stealth_Boot.C is just that, a boot virus. Unless you've gotten an as yet unreported dropper (and droppers are rare -- none that I know of for any of the Stealth_Boot. 
family), your NT machine got it the old fashioned way -- boot from infected diskette (not necessarily a system diskette, just a formatted diskette -- in the DOS world, all formatted diskettes contain the bootstrap loader code in the boot sector [the bootstrap code is what is subverted by BSV]). >Fortunately, McAfee Scan was able to clean the virus from all but one >machine...my favorite Windows NT 3.51 workstation. According to Scan 95, >the boot record cannot be cleaned and I must report to McAfee for >removal instructions. Contact McAfee for help, then -- after all, you're paying them for the service. > Do I need to wipe out the hard disk and "volunteer" the >student to re-install NT(on 3 1/2s!)? Any information would be great! > Well, if you "volunteer" the student for reinstalling NT out of some punishment for infecting the machine, it's sort of unjust. As you say, it's all over your school -- common as dirt boot virus, probably all over your student labs. Volunteer the student for punishment re. misuse of computing resources if you wish, but don't BLAME his/her download habits for a common boot sector virus infection. rgds. wcd. ------------------------------ Date: Tue, 09 Apr 1996 23:43:38 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: 634K of RAM--virus? (PC) X-Digest: Volume 9 : Issue 49 Sayitmean writes: >I don't know the name of this virus, but my memory shows 634K. I can't >run the 32 bit access through windows. I looked on the FAQ but didn't see >any reference to it. Can someone help? You gave two symptoms which together do point to you having a boot virus. Please get a scanner and tell us what it says, or follow its instructions. Jimmy cjkuo@mcafee.com (download from http://www.mcafee.com) ------------------------------ Date: Tue, 09 Apr 1996 23:51:10 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: anticmos?? Help (PC) X-Digest: Volume 9 : Issue 49 philski@spirit.com.au writes: >help!!! I am running 486 dx4 120 award with 12 meg ram win 95. 
My problem >is that I get a "checksum error defaults loaded" and/or "cmos battery >failed" but it is a brand new mo'board and I have replaced battery since >first occ! "It is a brand new mo'board" which hasn't been tested enough. Chances are, the ports to your CMOS is bad or some of the data lines are crossed or grounded. (Or maybe the wires from the battery have fallen off.) Sadly, your most likely thing is that you need to replace the motherboard. You don't have the AntiCMOS virus, not by your description. AntiCMOS does not do anything to CMOS. Jimmy cjkuo@mcafee.com ------------------------------ Date: Tue, 09 Apr 1996 23:54:04 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: how to get rid of Urkel (PC) X-Digest: Volume 9 : Issue 49 Jim Wu writes: >My computer was infected with Urkel. Is there anyone knowing how to >get rid of it? Also, I couldnot have access to my D drive (harddisk). >Does this problem result from the virus? Yes. You may have to swap the wires on your drives so your D becomes C and clean your system again. Jimmy cjkuo@mcafee.com ------------------------------ Date: Tue, 09 Apr 1996 23:58:31 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Jerus X (PC) X-Digest: Volume 9 : Issue 49 "Luciano A. Martinez" writes: >Has anyone heard of this virus, I ran a virus detection utility on my PC >and it told me I had Jerus X. I was just wondering if anyone knows what to >do about this virus, and some noticeable side effects. I'll venture to guess that you have a Jerusalem varient and you happen to be looking at an EXE file (Jerusalems infect EXEs and COMs differently). There are a number of Jerusalem varients in the wild so I can't tell you what you might have. You'll need to tell us which scanner you're using and exactly what it says. (Better yet, have 3 scanners and tell us what they all say.) Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 00:02:20 +0000 (GMT) From: "Chengi J. 
Kuo" Subject: Re: "loading bootstrap" message (PC) X-Digest: Volume 9 : Issue 49 "J. L. Packer" writes: >I recently dealt with (and hopefully eliminated!) what McAffee Identified >as anti-cmos, as well as a stealth virus. When I first began experiencing >symtoms of these viruses on my pc, I noticed a message at bootup (which I >do not recall having seen previously) reading "loading bootstrap". After >eliminating the virus infections (I reformated my hard drive and restored >from backup.... just to be on the safe side), my pc no longer displays >the mystery message. Question: does anyone know what the "loading >bootstrap" business was all about? It was a message placed by Scan, versions prior to 2.2.7, into the bootup process after it has cleaned off some boot sector viruses. Because of confusion such as you had, this message was removed. Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 00:04:11 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: McAfee Scan 2.3.0. Genuine? (PC) X-Digest: Volume 9 : Issue 49 sg7248613@omega.ntu.ac.sg writes: >I recently encountered an evaluation copy of McAfee Antivirus Scan ver >2.3.0, which was released on 17 Jan 96. > >This is however, not available for download at McAfee's WWW site. >I wonder if this is a valid and genuine antivirus software, or is this >a dangerous copy of a virus? It is a legitimate copy of a beta. A later version has since been released and is version 2.2.11. Our next scheduled release in May will bear the number 2.3.0 (unless marketing changes their mind again). Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 00:10:05 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: WelcomB Virus (PC) X-Digest: Volume 9 : Issue 49 Stephen Weller writes: >Yes, as a matter of fact it has been dormant in my machine for some time >now. Tried to kill it with McAfee's program, but had the same luck as you. >All my floppy disks seem to be infected as well. 
Where can I get this NAV >Antivirus program? I would really like to know. You need to update your McAfee version. And if /CLEAN doesn't work, use /CLEAN /FORCE. Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 00:18:15 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: ANTI-CMOS virus (PC) X-Digest: Volume 9 : Issue 49 "Missie . . ." writes: [snip] >I then reinstalled win95, and all has worked fine ever since, and McAfee's >virus scan no longer reports the C-MOS virus. > >Is it possible it was a false-positive finding,and that a simple re- >install of the win95 fixed everything ?? Was it something the win95 >STARTUP disk did to alter boot record that could have caused the false >positive?? I'm terrified now to ever use a win95 start-up disk... I presume you installed off a network or CD-ROM? Yes, installation of Win95 will wipe out some boot sector viruses. Instead, it will be saved into a file named SUHDLOG.DAT (hidden) on your harddisk, in your root. >Any thoughts on any of this would be appreciated...thankx !! Delete SUHDLOG.DAT now or don't uninstall Win95 with this SUHDLOG.DAT. Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 00:23:38 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: AntiCMOS virus (PC) X-Digest: Volume 9 : Issue 49 "crash n' burn..." writes: >Hi, i need help with my PC. I am currently using WIN95 and occasionally I >get a general protection fault failure and whatever that was running had >to be shut down. I used McAfee's Scan95 and it did not detect the >presence of any virus. A friend of mine used my PC and when he >transferred some files over to his PC (by diskette), he detected the >antiCMOS virus. He used another PC and it confirmed the presence of this >virus. > >Does anyone have any solution to this problem? Also, how come my Scan95 >did not detect the (abovementioned) virus? If your machine is infected, it won't be detected unless you're scanning memory. 
Boot clean and clean your machine with the DOS component that comes with your Scan95. Jimmy cjkuo@mcafee.com ------------------------------ Date: Tue, 09 Apr 1996 19:33:20 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Could this be a virus? (PC) X-Digest: Volume 9 : Issue 49 Gail Rider Craig writes: >First of all, I work with a network of all Macintosh computers, so I have >very little knowledge about the Dos system and have been very fortunate in >not running into any viruses. > >A friend asked me for help on this and I was hoping I could find some >answers for him here. He has a 386 running a custom database for his >work. There were 8 mgs left on the hard disk and his son tried to install >Borland Visual Turbo C++ which was supposed to be only 4 mgs. Half way >through the installation, he received a hard disk error message and quit >the installation. This says that the installation process was not completed. Furthermore, subsequent text show that the installation process was not given a chance to cleanup, and that no cleanup of the installation was attempted. >The next time the computer was booted up, it had changed the load >sequence, changed the color of the screen, asks for the date and time each >time you boot up and appears to have erased some of the custom database >files. The machine asks for date and time if no AUTOEXEC.BAT exists. Since complex installation processes usually change AUTOEXEC.BAT by moving it to a backup first, you probably died from the installation process right at the moment when the AUTOEXEC.BAT was renamed. Look for the latest AUTOEXEC.something and rename that to AUTOEXEC.BAT. The boot process is indeed sometimes changed so the machine can do some intermediate bootups. The bootup process is changed to boot from C:. Presumably, the installation would have restored the original bootup process if allowed to complete. >Is this a virus and, if it is, what program can he purchase to clean it up? I doubt it's a virus. 
>Any help would be appreciated. >If you could respond directly to my e-mail address it would help me >facilitate this for him since I can't always access the newsgroups. >dvrnet@epix.net OK. *sigh* Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 00:54:23 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Help: The IHC-virus does its work! (PC) X-Digest: Volume 9 : Issue 49 Jens Arnold writes: >Dr Solomon's detected the IHC-Virus on our PC, but cannot >remove it... McAfee and F-PROT do not detect any virus (?). >The virus corrupts the FAT and changes some other parts >of the filesystem, so that we have to use "scandisk" every >time after booting the system to keep the filesystem "alife". >Has anybody some information about this virus (called IHC by >Dr Solomons) and how can we remove it? > >Notice: The DOS "format"-command cannot wipe this virus! You need to update your scanners. And all of them should be standardized on QUANDARY as the name of this virus which is in-the-wild primarily in Germany. As for your corrupted situation, I would recommend that you do some sort of backup and format your disk and put everything back. Probably the peculiarities of your setup caused a corruption which is not common across other configurations. (BTW, people say you never have to format your machine to fix a virus problem. Yes, this is true. My recommendation is that you *backup* then format... I find that too few people ever backup. If some event forces you to back up everything every once in a while, without that event being catastrophic, it's goodness. After you backup your whole machine, you will actually feel better for it. *Believe me* :-) ) McAfee called this virus Parity.Boot.Enc until CARO agreed on a name for it. Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 01:00:30 +0000 (GMT) From: "Chengi J. 
Kuo" Subject: Re: Multiple boot sector infections (PC) X-Digest: Volume 9 : Issue 49 Antonio Godinho writes: >I have had several problems of multiple boot sector infections on my >computers and have never managed to clean them. Does anyone know if >and how it can be done? From what I gathered the infections where of >the UNASHAMED and ANTIEXE.a viruses. I tried using Dr. Solomon's >toolkit 7.56, F-prot 222 and Thunderbyte 6.38 but all these failed. >Since I did not have access to the Hard disks in any of the cases, I >had to fdisk and reformat the hard disks. > >If anyone has any ideas, I would really like to hear them. We added the /FORCE switch to address these cases. You can try Scan C: /CLEAN /FORCE. Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 10 Apr 1996 02:25:35 +0000 (GMT) From: Raul Quintanilla Subject: Re: Trabajo_hacer.b Virus (PC) X-Digest: Volume 9 : Issue 49 Richard Buchanan wrote: >Our network is showing occassional infections of >"trabajo_hacer.b (MBSR virus) which is the name given by >Norman Data Defense Systems v.3.50 (espejo by F-PROT). > >I have heard some "rumors" that the virus must be removed by >April or it will cause some HD damage. >Have you heard anything; when/where created and if there is >anything to the "rumor" concerning April? Espejo's name is 15_Years according to F-Prot Professional. What we have found is that it activates between the 5th and the 7th starting january and from there on, every three months. We get some hard drives with 15_Years virus activated more or less every 3 months (Jan, April, etc) just after the 7th. As a fact we are expecting half a dozen HDrives "espejeados" this week. fdisk /mbr before it activates is the answer and if you have Windows95 use fdisk provided. Cheers! Raul ------------------------------ Date: Wed, 10 Apr 1996 03:36:47 +0000 (GMT) From: Savio Wong Subject: Burglar 1150 virus on a Novel Network -- HELP!!! (PC) X-Digest: Volume 9 : Issue 49 Help! 
I am the computer system manager for two Novell Networks at my school. Network #1 used Netware 3.11 with about 70 workstations and Network #2 is a 3.12 with 60 stations. The two network are backboned with a switch. The configurations for both are EtherNet (both 10B2 and 10BT) and Baseband. Most of the machine have 8M of RAM but no harddrive. On top of Novell, we run an interface by IBM called Iclas (v 1.5), Windows Enabler (which is a shared version of Windows 3.1) and LanSpool for the printers. We also run virstop (from F-Prot) on each workstation at bootup. Anyway, about 1 week ago, Windows Enabler (Windows 3.1) quit working and I did a scan using the Jan. version of F-Prot. It found two viruses (Tai-Pan and Little Brother). Both of which were cleaned. However, Windows Enabler still would not run and some of the files in the system are huge (over 4 Gig) when listed with Dir. I got a copy of Mar. 96 of F-Prot from the School Board computer technician and found another virus -- Burglar 1150. After many hours of work to boot a clean workstation, I was managed to clean both fileservers the past weekend. Today being the first day back from the Easter holiday, both networks ran smoothly until about 2:00 p.m. Within 20 minutes, both fileservers were infected with Burglar 1150 again! Yikes. So, I was in school until 10:00 pm to clean both fileservers again. In order for me to do this, I have to play around with the net$dos.dat file which is the contains a list of boot up commands. Since both login.exe and logout.exe plus a bunch of exe files were infected, it took me a long time to get a clean workstation. I ran F-Prot (F-Prot) and it took another couple of hours to clean the files. I ran F-Prot (March 96) again just to be sure and it did not find anything. It did state that a number of files in one of the older dirs (DOS5.1) are inoculated by Central Point Anti-virus which we used a few years back. Are they really protected from the new and improved virus. 
Also, several EXE files could not be accessed. Wish me luck tomorrow and any comments and suggustions are much appreciated. Regards, Savio Wong WODSS Waterloo, Ontario CANADA p.s. I did find out some information from Netscape about this virus. Originated from Taiwan in Jan. 96. A message 'Burglar/ H' flashed on the top left corner whenever the time contains '14'. It is a stealth virus and will spread itself whenver the DIR or ATTRIB are used (plus another other DOS commands that affect the boot sector). I did not find anything about those huge files listing in DIR though. ------------------------------ Date: Wed, 10 Apr 1996 04:06:07 +0000 (GMT) From: Anti-Virus Subject: Re: MS Macro Virus Tool (PC) X-Digest: Volume 9 : Issue 49 >>irritable differences (one is that you cannot open multiple files at >>once), but the alternative seems worse. We started scanning (using >>McAfee) the document files but found that some people had so many >>documents on their hard drives that it took foreverrrrrrrrrrrrrrrrrr to >>scan. There is no noticeable file open or close delay in Word (6.0), so >>we went with that. I don't know from your message what operating system you're using, but what you're experiencing may not be related to the AV scanner at all. It's possible that by doing some performance tuning on the PC you can experience significant improvements in how long it takes to scan the hard drive. For instance, if you're running MS-DOS 6.22, and you have a C: and D: drive as an example, try adding this statement to your AUTOEXEC.BAT file and see if it doesn't speed things up (if you don't already have a SMARTDRV statement in it): LH C:\DOS\SMARTDRV.EXE C D There are several other things you can do to performance tune your PC as well. ------------------------------ Date: Tue, 09 Apr 1996 21:33:47 +0900 From: asjcw3@uaa.alaska.edu Subject: What AV software should I get? (PC) X-Digest: Volume 9 : Issue 49 Hello, I'll get right to the point. 
Our 540-meg HD has crashed several times in the last few months. Norton Disk Doctor tells us that the FAT has a glitch, and, though it knows what files are on the disk, it doesn't know where on the drive the files are stored. Generally between 85-100% of our HD is unusable until the HD is reformatted. Then we have no problems until the HD crashes again. (BTW, the first crash occurred on the day the warranty ran out, marking the computer's first birthday.) We have loaded NDD into the autoexec.bat file, but this has had only limited success. The HD has crashed since then, but we have gone for about three weeks without a crash now. My question is this: A friend knowledgeable in these matters said these ymptoms sound like a virus, but MSAV & MWAV have found none. Our first PC died of a virus under similar circumstances, but MSAV detects and cleans the virus from our old PC disks as soon as we put them in. (This virus was the Form virus.) So, I'm inclined to think that our problems come from a virus, but not our old Form virus. What AV program should I get to clean this virus off? Where can I get this program? And can someone please explain how a virus can stay on a computer after multiple HD reformats? Thanking you in advance, Joshua Walton ------------------------------ Date: Wed, 10 Apr 1996 12:39:25 +0200 From: Kostja.Reim@sct.DE Subject: SVC Virus (PC) X-Digest: Volume 9 : Issue 49 Is there anybody who knows an application to kill the SVC virus version 6.0 in the MBR ? - -------------------------------------- SCHMUDE Computertechnik Potsdam Kostja Reim ------------------------------ Date: Wed, 10 Apr 1996 10:55:36 +0000 (GMT) From: Aquiles Luna-Rodriguez Subject: Re: !DELWINBOOT.sys (PC) X-Digest: Volume 9 : Issue 49 Billy (e9325010@stud1.tuwien.ac.at) wrote: : does anybody know something about the "delwinboot.sys" - virus? I got the delwin.boot virus about three months ago. My turbo-C++ 3.0 hanged up, so after a week or so I downloaded a copy of McAfee anti-virus. 
Though it detected it and erased copies on programs, the boot-virus in the Master Boot Record wasn't touched. I waited for release 2.2.7 of McAfee, only to discover it wouldn't work either. In the end, I just had to wipe the hard drive and reinstall everything from a back-up, so I'm not paying a penny for the anti-virus. The friend from whom I got infected in the first place still has it, and on her machine McAfee's program gives false error messages, like saying that your write-protected floppys are also infected, including ones formatted in a virus-free machine and carrying the anti-virus software itself! ********************************************************************* * Aquiles Luna-Rodriguez //I've found it! here's the bg! * * Universitaet Hamburg, Germany //nobody expects... * * pz4a004@rrz.uni-hamburg.de //..the Spanish Inquisition! * ********************************************************************* ------------------------------ Date: Wed, 10 Apr 1996 14:58:35 +0200 (MET DST) From: "MICHAL ml." Subject: Re: One Half virus - help! (PC) X-Digest: Volume 9 : Issue 49 > One Half virus attacked my computer today. It wiped out everything in my > logic drives D and E, while left all my softwares on drive C intact. I > got the virus removed from Drsolom's findviru. But, my hard drive is > still a mess. I can't see my D drive at all, while E drive is accessible > but everything is lost. I am not a computer specialist. Can anyone tell > me how can I recover the lost data from these logic drives? I need them > so bad for my graduation in May, yet I don't have a backup for most of > them (about 150 MB data)! The trouble with OneHalf is that virus encrypts HD . If you wipe virus , your data'll be lost .My PC was infected with this virus about 1 year ago , and i saved all my data by using revomer which also decrypts encrypted HD . 
Everyone can find this remover on the ftp site: ftp.elf.stuba.sk /pub/pc/sac/onehalf.zip
Another useful file is ice19b.zip in the same directory.

___________________________________________________________________________
Peter Kovac, Faculty of Medicine, Comenius University, Bratislava
E-mail: kovac@crick.fmed.uniba.sk

------------------------------

Date: Wed, 10 Apr 1996 10:42:09
From: ruben@ralp.satlink.net
Subject: Re: Help with Diablo virus (PC)
X-Digest: Volume 9 : Issue 49

Sat, 06 Apr 1996 00:59:55 +0000 (GMT) "Amador Ahumada Z." wrote:

AAZ>HELLO, HELP ME WITH DIABLO:
AAZ>I need string for research.
AAZ>Excuse my English, I am from Chile. I need that virus, if possible
AAZ>a disk image.

Well, I'll act as the official "Spanish/Portuguese" translator for the forum (sounds OK, uhh Nick ???) :-)

This person is requesting an image of the Diablo virus. But wait, don't blame him. He is a very reputable investigator in CHILE and also a professor at an institute for years. I replied to him in private explaining this is not an interchange zone and also posting the analysis made by me some months ago. Diablo was an epidemic here in Argentina.

DESCRIPTION OF VIRUS IS IN SPANISH AND ENGLISH. (and all the people happy!) :-)

- ----------------------------------------------------------------------------

DETAILED DESCRIPTION OF THE DIABLO VIRUS.

-----------------
|  Diablo Virus |
-----------------

Preliminary analysis of the Diablo virus by Ruben M. Arias. RALP Seguridad Informatica.

Name         : Diablo (local variant of the Music Bug virus ???)
Size         : ??? bytes.
Infects      : MBR of hard disks and boot sector of diskettes.
Scan string  : C0 8E D8 A1 4C 00 2E A3 22 7D A1 4E 00 2E A3 24. (See Information)
Interrupts   : -----
Load address : -----
Polymorphic  : No.
Resident     : Yes.
Size in RAM  : 2048 bytes.
Stealth      : No.
Text         : The word "Diablo" can be read.
Type         : Infects Cylinder 0, Side 0, Sector 1 of diskettes and the MBR of hard disks.
It uses some minor stealth techniques that involve giving false DOS messages during its load. Once the virus infects the HD (Hard Disk) it proceeds to infect any diskette placed in the drives (A/B). The original boot sector record is placed at Cylinder 0, Side 1, Sector 14. Manual restoration of this record is NOT recommended.

Removing this virus from diskettes is easy:
1) Boot your PC from a write-protected bootable diskette.
2) Insert the infected diskette in the drive and copy its data to some directory on C:\.
3) Format the diskette and copy your data or programs back to it.

Removal from the hard disk must be done as follows:
1) Repeat step 1 above, but make sure the diskette contains the FDISK file from the version of DOS you are using.
2) After step 1), try to access the hard disk. (IF YOU CANNOT ACCESS IT, STOP THE PROCEDURE AND SEEK SPECIALISED PROFESSIONAL HELP)
3) Only if you could access the hard disk, run ... FDISK /MBR

Payload      : Destroys hard disks after an infected machine has been booted a few times.
Unusual      : Not analysed yet.
Other information : This virus was found in various places and is currently considered an epidemic. Under no circumstances switch on your PC with diskettes in the drives, or insert diskettes during or before the end of the boot sequence.
Anti-virus products that detect it:
- Integrity Master 2.42d detects this virus as Music_Bug.
- If you have F-Prot, enter the ASCII sequence quoted above for its detection.

==============================================================================

DESCRIPTION OF VIRUS DIABLO (DEVIL).

-----------------
|  Diablo Virus |
-----------------

Preliminary analysis of Diablo virus by Ruben M. Arias (RALP Computer Security)

Name         : Diablo (Music Bug variation ???)
Size         : ??? bytes.
Infects      : MBR of Hard disks and Bootsector of Diskettes.
Scan string  : C0 8E D8 A1 4C 00 2E A3 22 7D A1 4E 00 2E A3 24.
In the wild  : Yes. (In Argentina)
Interrupts   : -----
Load Address : -----
Polymorphic  : No.
Resident     : Yes.
Size in RAM  : 2048 bytes.
Stealth      : No.
Text         : The word "Diablo" could be read.
Type         : Infects Cylinder 0, Side 0, Sector 1 of diskettes and MBR of Hard disks.

Uses some minor stealth techniques that involve giving false DOS messages during its load. Once the virus infects the HD it proceeds to infect any diskette placed in the drives (A/B). The original Bootsector record was placed in Cylinder 0, Side 1, Sector 14. Manual restoration of this record is NOT recommended.

Removal of the virus from diskettes is easy. Just boot clean from a write-protected diskette, then copy the data placed in the diskette to a subdirectory placed in the HD. Format the diskette and restore the data from HD to the diskette.

Removal from the Hard Disk is simple too. As with diskettes, just boot clean and perform a FDISK /MBR (ONLY IF YOU COULD ACCESS THE HARD DISK!).

Payload      : Destroys Hard Disks after booting an infected machine some times.
Unusual      : Not analyzed yet.
Other info   : This virus was found in some places, Universities, Enterprises, etc. Integrity Master 2.42d detects this virus as Music_Bug. Virus was submitted to W. Stiller 08/07/1995.

==============================================================================

- --------------------------------- end of description ----------------------

Regards all
Ruben Arias

- ------------------------------------------------------------------------------
Ruben M. Arias
 _  _  _
| ) |_| | |_)
| \ | | |_ |
E-Mail: Ruben@RALP.Satlink.net
Buenos Aires - ARGENTINA
RALP - Computer Security - Virus
- ------------------------------------------------------------------------------

[Moderator's note: I screwed up. My -very- rudimentary understanding of Spanish suggested the message was OK.
Not having easy, timely access to a group of free translators, I will revert to my earlier approach of not approving any non-English submissions.]

------------------------------

Date: Wed, 10 Apr 1996 15:38:17 +0000 (GMT)
From: "Kathleen.Smith@mhafc.production.compuserve.com, CNA" <103505.520@compuserve.com>
Subject: Re: Readiosys - is it real? (PC)
X-Digest: Volume 9 : Issue 49

I am running Intel's Virus Protect 3.0 D. Readiosys, I believe, is Intel's synonym for AntiCMOS. You can verify this by looking up Readiosys in Virus Protect's Virus dictionary. My company recently inherited quite a few computers infected with this virus. It seems to be fairly harmless. Of the 50 computers infected, only two exhibited blatant symptoms. According to a posting to alt.comp.virus by Henri Delger, "The virus has code to tamper with CMOS data, with a one in 256 chance, at floppy diskette accesses".

- -
The opinions expressed herein are not necessarily those of my employer.

------------------------------

Date: Wed, 10 Apr 1996 15:07:59 +0000 (GMT)
From: Renato Oppio
Subject: Analyze.exe--Trojan Warning!! (PC)
X-Digest: Volume 9 : Issue 49

I have downloaded from a packet radio BBS a file named ANALYZE.EXE. It's self-extracting and the .doc says it's a utility to check the hard disk. After running it I have found that all files in my hard disk became directories !!! Before I have to format my HD, has anyone a solution to the problem ??

Thank you
Renato I3EJ

------------------------------

Date: Wed, 10 Apr 1996 16:07:02 +0000 (GMT)
From: Freak Power
Subject: Telecom PT1 (PC)
X-Digest: Volume 9 : Issue 49

It seems I've picked up something called Telecom PT1. I scanned using MWAV, and it picked this one up in C:\. However, I tried ThunderBYTE and The Doctor, and neither one found it. When I tried to clean it with MWAV, my system shuts down and messes up the screen.
I don't know if it's related, but my modem communications have slowed considerably and my printer won't print Postscript anymore. Thanks in advance for any info you might throw my way.

Jason

------------------------------

Date: Wed, 10 Apr 1996 10:21:01 -0700
From: "J.E.M."
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 49

>We had AntiExe here at the library where I work. It is an almost
>completely benign virus. All it really does is exist. It has no
>stealth capability nor can it execute anything. You get it when you
>try to boot up your machine, but have left an infected disk in the A:
>drive. The machine's hard drive picks up the virus when it tries to
>boot off the disk. From then on it infects any disk you use in the A:
>drive. Programs like F-Prot will easily clear this virus, but, as you
>know, you have to boot with clean (non-infected) disks in order to
>clear. Hope this helps. Bob Davis

I have seen (and disinfected) the antiexe virus on a number of machines and it is not always benign. One common problem experienced is that new programs won't install properly from diskettes, with false "out of memory" and/or "disk full" messages (or something similar) given off.

Jefrino
103213.103@compuserve.com

------------------------------

Date: Tue, 09 Apr 1996 10:02:26 -0700
From: "Glenn P. Siegrist"
Subject: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 49

I have a Packard Bell Legend 36CD; it's a 486/50. It came with Win 3.11 on it. I have had it for over a year now and I would like to know: is there an upgrade to the Microsoft virus scan program that came with it?

Glenn Siegrist

------------------------------

Date: Wed, 10 Apr 1996 19:37:48 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: An Aftereffect of Natas (PC)
X-Digest: Volume 9 : Issue 49

Tarkan Yetiser writes:
>Well, it's a feature :-) DOS counts up to year 2099, not the maximum
>possible of 2107.
>For example, if you try to set the system date to
>4-7-2100, you will get an invalid date message.

Reason is, 2100 is not a leap year and none of the software written today is likely to account for that (and probably DOS doesn't). Hell, we have enough trouble with 2000 coming up.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 20:17:07 +0000 (GMT)
From: Ken Stieers
Subject: Re: Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC)
X-Digest: Volume 9 : Issue 49

The SUHDLOG.DAT file has a copy of the MBR that was on the machine before you installed Win95. Since it finds the virus in this file, you were infected before you installed Win95.

Ken

- -
Views expressed herein are not necessarily the views of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               | Minneapolis - 1.800.872.2599        *
* AV Research/Apps. Eng.    | Los Angeles - 1.800.752.7557        *
* Ontrack Computer Systems  | Washington, D.C. - 1.800.650.2410   *
* Ontrack Data Recovery     | London - 0800 24 39 96              *
* Eden Prairie, MN          | Japan - 81.429.32-6365              *
*******************************************************************

------------------------------

Date: Wed, 10 Apr 1996 20:19:34 +0000 (GMT)
From: Ken Stieers
Subject: Re: "loading bootstrap" message (PC)
X-Digest: Volume 9 : Issue 49

Possibly, but more likely he cleaned a virus from the machine using McAfee 2.2.3 through 2.2.7 or so. These versions would overwrite the MBR with a generic one when cleaning some viruses. This MBR had this message in it.

Ken

- -
Views expressed herein are not necessarily the views of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               | Minneapolis - 1.800.872.2599        *
* AV Research/Apps. Eng.    | Los Angeles - 1.800.752.7557        *
* Ontrack Computer Systems  | Washington, D.C. - 1.800.650.2410   *
* Ontrack Data Recovery     | London - 0800 24 39 96              *
* Eden Prairie, MN          | Japan - 81.429.32-6365              *
*******************************************************************

------------------------------

Date: Wed, 10 Apr 1996 15:07:06 -0400
From: SUZANNE FORTIN
Subject: Re: Urkel virus (PC)
X-Digest: Volume 9 : Issue 49

On Wed, 10 Apr 1996, Elton Tucker wrote:
> I just had a poke through my viral datalist (Norton 95) and according to that
> you should be OK. Urkel apparently doesn't do any damage but does fire off
> that message every hour, on the hour which will get *really* annoying if
> you're in the middle of a paper (been there, done that).

Nice to know. Nothing drastic has occurred, but every so often when I try to save something in my C drive, I get a message saying it's full, when my file manager says it's not.

> Once you get a chance, fire me a reply back and I'll gladly walk you through
> removing it and getting some protection in place.

I've tried to download "F-Prot" twice now, but I still get a message saying that there is a problem with the Pkzipfix. I will try with a Z-modem. I have a 2400 modem (it came with the computer, and I can't afford a faster one) and so it takes a *long* time (like an hour) to download. So if you have something simpler in mind, I would appreciate it.

Suzanne Fortin

------------------------------

Date: Thu, 11 Apr 1996 08:59:14 +1200
From: "stephen.betts"
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 49

>What is BAD is, F-Prot still finds the string in the .DOC files and still
> >reports them as infected with the CONCEPT virus.
>
> Whatever Microsoft did, they did NOT remove the strings from the macros.
> FProt is obviously still finding the viral strings.

We had a similar outbreak here with documents being mailed between secretaries only compounding the problem.
What I discovered was that there were a few errors in the Scanprot.dot macro issued by Microsoft, and I made the adjustments to the one we distributed in our organisation.

1: The macro failed to update the Registry of the computer if it was run from a write-protected disk or a read-only network drive. This meant that double clicking on a document re-loaded the macro virus onto the computer, although when Word exited it usually found the macro and removed it. This was fixed by adding C:\ to the location where the Reg update file was created.

2: I am not sure what the search string for the Macro Virus is, but it is not just AAAZFS or payload, as during my testing I tried to fake the virus. The problem actually resides with the Word Tools, Options, Allow Fast Saves on the Save Tab. What this does is save the old document appended to the new document, and hence the doc still contains the Virus search string. Changing this option however does not solve all problems either, as bugs in some releases of OLE2 code often appended data from memory to the OLE data.

I noticed this (Fast Save) because documents I was writing quite often jumped from 50K to 100K when I only edited one word. Try it yourself by saving a blank document, then open it and save it again: it will start at 8-11K depending on the version of Word 6/7 you are running, and jump to 16K+. I call this the Microsoft Word Virus.

Note: Word 7 includes a picture of the document for easy browsing and hence another 4k or more is appended to the file. And you wonder why your file servers are using 10's of MB per week.

[Moderator's note: I think the effect Stephen alludes to at the end of the first para in point 2., is because OLE "blocks" are fixed sizes, and hence final and other partial ones are "padded", usually with what happens to have been left in memory or a buffer at that point in time.]

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 49]
*****************************************
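The Diablo description in this digest gives a 16-byte scan string and says the virus lives in the MBR, and Ken Stieers notes that SUHDLOG.DAT holds a pre-Win95 copy of the MBR, so a 512-byte sector image is the natural thing to check. As an added example (not code from the digest or any of its posters), the Python below looks for that scan string in a sector image, verifies the 55 AA boot signature and parses the partition table; the sample MBR it builds is constructed for the demo and the 0x10 planting offset is an arbitrary assumption.

```python
"""Inspect a 512-byte MBR / boot-sector image for the Diablo scan string.

Added example, not code from the digest or any of its posters. The only
value taken from the page is the 16-byte scan string in Ruben Arias's
description; the sample MBR built below is constructed for the demo.
"""
import struct

# Scan string exactly as quoted in the Diablo description (hex bytes).
DIABLO_SCAN_STRING = bytes.fromhex("C08ED8A14C002EA3227DA14E002EA324")

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"          # status, CHS(skip), type, CHS(skip), LBA, count


def parse_partition_table(sector: bytes) -> list:
    """Return the four MBR partition entries as dicts (empty ones included)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def inspect_sector(sector: bytes) -> dict:
    """Report signature validity, the scan-string offset (-1 when absent)
    and the non-empty partition entries of a sector image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector image" % SECTOR_SIZE)
    return {
        "valid_signature": sector[-2:] == BOOT_SIGNATURE,
        "diablo_offset": sector.find(DIABLO_SCAN_STRING),
        "partitions": [p for p in parse_partition_table(sector) if p["type"] != 0],
    }


def make_sample_mbr(infected: bool) -> bytes:
    """Construct a synthetic MBR with one bootable FAT16 partition (type 0x06).
    When `infected` is true the scan string is copied into the code area at
    offset 0x10 (an assumed position) so the detector has a positive case."""
    sector = bytearray(SECTOR_SIZE)
    if infected:
        sector[0x10:0x10 + len(DIABLO_SCAN_STRING)] = DIABLO_SCAN_STRING
    struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET,
                     0x80, 0x06, 63, 1_048_576)
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label in ("clean", "with scan string"):
        report = inspect_sector(make_sample_mbr(label != "clean"))
        print(label, report["valid_signature"], report["diablo_offset"],
              [p["type"] for p in report["partitions"]])
```

To check a real image, read the first 512 bytes of a raw disk dump (or of a saved MBR copy) and pass them to inspect_sector; a hit only says the signature bytes are present, so confirm with a current scanner before acting on it.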