VIRUS-L Digest   Thursday, 18 Apr 1996   Volume 9 : Issue 53

Today's Topics:

Re: QUESTION: Email Viruses
Re: Macro viruses
Form virus ate my NT boot sector! (NT)
Re: Form virus ate my NT boot sector! (NT)
Re: MacroWord helper apps... (MAC,WIN)
hacking DELWIN.BOOT and DELWIN.17** (PC)
Re: ripper-virus, who can help (PC)
"Twitch" and "Flybynite" viruses (PC)
A possible virus! (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Multiple boot sector infections (PC)
Re: ripper-virus, who can help (PC)
Re: AntiCMOS virus (PC)
Stoned.Spirit Virus: How do i remove it? (PC)
850MB HD now 333MB--virus? (PC)
Re: anticmos?? Help (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Program to backup mbr and boot sector (PC)
Re: Over 1644 Virus (PC)
Re: virus in macromedia plug-in (PC)
Bang virus? (PC)
Multiple ParityBootA (PC)
Re: virus or hardware problem? (PC)
Monkey virus (PC)
what is FORM virus???? (PC)
Stoned side effects? (PC)
Ebola virus!!! (PC)
Re: Help Possible Virus
Re: What AV software should I get? (PC)
Re: Need Help Removing Stealth_C Virus (PC)
Re: Over 1644 Virus (PC)
Re: Urkel virus (PC)
Re: Trabajo_hacer.b Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 15 Apr 1996 13:41:26
From: Gerard Mannig
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 53

In article <0002.01I37W48WZM4SH3CBI@csc.canterbury.ac.nz> "Chengi J. Kuo" writes:

>Greg Rice writes:
>
>>I'm wondering, why isn't an email virus possible? I read that no one
>>really needs to worry about loading an email message from a service
>>like AOL or Compuserve and receiving a virus on their home PC.
>>Wouldn't it be possible to write code that is an attached .EXE file and
>>is called into downloading itself by the 'read mail' action of the
>>service provider?
>>
>>I realize that if there was such a code, it would be service provider
>>specific, but it seems plausible.

>It's a matter of semantics. An email virus is not possible. That's
>basically because there are just too many standards and packages
>handling email.

[../..]

>garbage in the middle of my message. Is it a virus?" And all those
>PGP blocks, UUENCODE blocks, base64. To the average person, he's
>likely to misinterpret them if he sees the raw data.

...and NETSENDed files !!
Don't forget NETSEND allows any user to send via reader-off-line (whatever it is) any binary file in such a way the recipient needs *NO* utility/program to reverse-engineer the process.

Jim TUCKER wrote this program by June 95 and, evidently, didn't figure out what 'dark' use his program could be victim of.

Anyway, I have successfully used it for months and my users are very fond of it given its 'poor' requirements.

Regards,

- ----------------------------------------------------------------
Gerard MANNIG  Virus Consultant
Phone : +33 (16) 3559-9344  Fax : +33 (16) 3560-5011
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of R . E . C . I . F  data +33 1 3415-4959
Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

------------------------------

Date: Tue, 16 Apr 1996 03:29:24 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering
Subject: Re: Macro viruses
X-Digest: Volume 9 : Issue 53

>The WinWord concept virus is very easy to get rid of. Searching for a
>program that will do it for you is a hassle. All you have to do is open a
>document that is believed to contain the concept virus. Go to tools and
>macro, and remove any macros under the names AAAZAO, AAAZFS, AutoOpen,
>PayLoad, and FileSaveAs. When this is done, click the "Organizer" button,
>and make sure that none of these macros are there. If they are, there

This is OK if only a few files are infected. But if there are hundreds, finding and using an AV product to do the job for you is a much easier way to go.

Gary Martin
Computer Virus Solutions
E-mail: fwin_sup@ix.netcom.com
WWW: http://www.entrepreneurs.net/fwin
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Mon, 15 Apr 1996 14:51:43 +0000 (GMT)
From: Brent Olson
Subject: Form virus ate my NT boot sector!
    (NT)
X-Digest: Volume 9 : Issue 53

I installed a new piece of hardware and needed to load drivers from a floppy that had "been around the office" and inadvertently left the floppy in the NT3.51 Server during the reboot...I got the lovely "non-system disk" error, took the floppy out and rebooted. NT does not boot. It goes through the usual memory check etc, but just when the boot screen is supposed to come up, it just sits there.

Scanning the floppy indicated it is infected with Form A virus, which is a master-boot-record inflicting vermin. The machine is set up with only 1 2 gig disk (SCSI) with no DOS lying about anywhere.

If this were a DOS/Win95 box, I'd just boot with a clean boot floppy, do a fdisk /mbr on drive C:, and I'd be done. Drive C: is NTFS.

I thought that NT was impervious to these types of DOS viruses?

Any help is most appreciated.

Brent
night@halcyon.com

------------------------------

Date: Mon, 15 Apr 96 11:38:25
From: Tarkan Yetiser
Subject: Re: Form virus ate my NT boot sector! (NT)
X-Digest: Volume 9 : Issue 53

In article <4ktnea$1l6@news1.halcyon.com>, you say...

>Scanning the floppy indicated it is infected with Form A virus, which
>is a master-boot-record inflicting vermin. The machine is set up with
>only 1 2 gig disk (SCSI) with no DOS lying about anywhere.
>
>If this were a DOS/Win95 box, I'd just boot with a clean boot floppy,
>do a fdisk /mbr on drive C:, and I'd be done. Drive C: is NTFS.
>
>I thought that NT was impervious to these types of DOS viruses?

Most of your info is incorrect, Brent. First, Form-A doesn't infect the MBR, but rather the boot sector of the active partition. Second, FDISK /MBR updates the code in the MBR, not the boot sector; so it wouldn't remove this virus even under DOS. Third, NT is not anywhere near being in control when this virus is loaded off the diskette. NT loader gets control after the MBR loader and after the boot sector loader. And Form-A is now the boot sector loader.
You need to find your original boot sector and write it back where it belongs. The last sector of the partition will have your original boot sector. So, find a clean bootable diskette (DOS is fine), and get a copy of Norton DiskEdit or VITALFIX, read the last sector and look at it. As a minimum, you should see a 55AA as the last two bytes. Now, save that to a diskette. You just got your original boot sector.

Now, read the boot sector (logical sector 0, or usually head 1, trk 0, sec 1, which can be ascertained by checking the partition table in the MBR), and save that as the virus boot sector on the diskette. This is for examination. Now, write the good boot sector to the logical sector 0 where the virus was. Remove the disks, cross your fingers and reboot. If nothing unusual happened, you will have your stuff back. Now check and see if the last two sectors of the partition were being used. Usually, they aren't, so you should be fine. The only complication is NTFS. Form-A is probably confusing things.

Good luck. If you survive this, get into the system settings in CMOS and change the boot sequence to C: and then A:. Of course, scan your diskettes just to be sure.

Regards,

Tarkan Yetiser
VDS Advanced Research Group
http://home.prolog.net/~tyetiser

------------------------------

Date: Mon, 15 Apr 1996 20:25:05 +0000 (GMT)
From: "Derek V. Giroulle"
Subject: Re: MacroWord helper apps... (MAC,WIN)
X-Digest: Volume 9 : Issue 53

Ben Danielson wrote:

>I have noticed that there are a ton of WordMacro fixit programs out there.
>I have used Microsoft's, Mcafee's, and even edited the normal.dot to
>disable all automacros, to name a few . I have noticed something that has
>not been discussed here recently. If you use a program that disables the
>automacros, you cannot use the wizards that are a part of the Word
>program.
Give me any useful use for a wizard that cannot be done with a decent program.

> This may not matter to most users, but I happen to work at a
>university where people need Word's wizards for training purposes.

Try changing universities... if you use WORD (which is a WORDPROCESSOR) as a CBT programming and execution tool (what it was not designed for) then that's your university's problem, isn't it? Why can't you people check the market BEFORE you start a project and check what is the most APPROPRIATE tool?

If you want to drill a hole in a concrete wall, what do you use:
- screwdriver
- saw
- hammer
- sledgehammer
- a fish
- a loaf of bread
- an electric drill

If you have any doubt please consult your local DIY-shop...

>I know
>that this discussion is for virus related issues, but I would like to just
>remind AV developers that making a program virus proof and disabling an
>important part of the program is not a viable solution.
>
> Another tidbit, if you delete an infected normal.dot, Word will
>create a new one that is clean. This will not help if you have infected
>.doc or .dot files, but if your scanner tells you the normal.dot is
>infected and nothing else, just delete the thing and any new documents you
>make will be clean. Obviously this is not the best method of protection,
>but it does the trick if you need a simple solution.

But if it infected your wizards etc. it's no use, is it???
>Ben Danielson
>Information Technology
>Arizona State University West

Look, I've been working for research centers all over the place and the scientists all have that same disease: they think that with the one tool they know they can do everything. E.g., like the Lotus wizards, they use 123 as their: spreadsheet, statprogram (and complain about the lack of functionality), graphics program (and complain), database (and complain about lack of data retrieval functions), wordprocessor (and complain) and last but not least they complain it doesn't make them coffee, doesn't keep their diaries, does sit on their lap and they can't squeeze its butt ... repeat the picture for the WordPerfect and Word wizz's.

derek V. Giroulle
Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see what you went in for (based on fvu's definition of panning)

------------------------------

Date: Mon, 15 Apr 1996 14:57:38 +0000 (GMT)
From: Aquiles Luna-Rodriguez
Subject: hacking DELWIN.BOOT and DELWIN.17** (PC)
X-Digest: Volume 9 : Issue 53

I got infected with the DELWIN.BOOT and DELWIN.17** (can't remember the last two digits). McAfee 2.2.7 would get rid of the version that infects .exe programs, but not the one in the Master Boot Record. To get rid of it, I had to wipe the hard-disk clean and use FDISK to recreate a MBR, then recuperate from a back-up.

After that, I made a copy of the MBR using st0.exe and rt0.exe, written as freeware by Dave Bushong and stored in Simtel. But surprise: in the copy of track 0 that st0.exe makes, I found a copy of the DELWIN.17**, which apparently doesn't work when stored in the MBR; at least it doesn't reach the RAM.

Though I can't write assembler, out of desperation I began to hack the f***ing .17** version, and found out that:

-It changes 7 bytes at the beginning of .exe files, apparently making a jump to the end of the original file, where the main part of the virus is stored.
-After the virus code, another jump is done using a copy of the first lines of the original program.

-DELWIN is polymorphic, only the first dozen instructions of the main chunk are always the same, except one. My hunch is that this piece of code is a kind of random-number generator, the variable byte being the seed. When running, the random numbers may be XORed with the rest of the code to restore the virus.

-the .17** version stored in the MBR doesn't seem to be encrypted, you can read "DELWIN" on it; does somebody know what it stands for? maybe DELete WINdows?

-The virus does not try to hide its size.

I suppose that as long as the virus doesn't reach the main memory, there's no trouble with it; but: instead of being a bug, this funny behavior of putting the false version in the MBR may be a trap, because it remains undetected there. McAfee won't clean my copy of the MBR, but I could do it by hand and put it back in the hard-disk. However, I know that toying with the MBR is not for amateurs, and I don't want to destroy my Linux partition after having so much trouble with the DOS one. What do the experts recommend?

*********************************************************************
* Aquiles Luna-Rodriguez         //I've found it! here's the bg!    *
* Universitaet Hamburg, Germany  //Nobody expects...                *
* pz4a004@rrz.uni-hamburg.de     //..the Spanish Inquisition!       *
*********************************************************************

------------------------------

Date: Mon, 15 Apr 1996 15:02:37 +0000 (GMT)
From: news@chaos.kulnet.kuleuven.ac.be
Subject: Re: ripper-virus, who can help (PC)
X-Digest: Volume 9 : Issue 53

In article <0010.01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz>, volker Biedermann <100343.3164@compuserve.com> says:

>I have a problem with the *ripper-virus*. I found the virus with
>scan/vshield-program from McAfee. I got these programs from the
>SCNI22CE.ZIP file, which i found in my local BBS.
>
>My main problem is, how to TERMINATE the ripper-virus?
>Which software or treatment do you suggest? Can you help me?

Boot from a CLEAN disk and use McAfee or something....... (McAfee is also in my homepage under /software)

Stijn Buys aka Ingar, the Immortal Avatar
____________________________________________________________________
E-Mail & finger: ingar@tristan.arts.kuleuven.ac.be
URL: http://tristan.arts.kuleuven.ac.be/~ingar

------------------------------

Date: Mon, 15 Apr 1996 15:52:07 +0000 (GMT)
From: "Keith D. Anthony - NAIC/TATA - 513-257-6351"
Subject: "Twitch" and "Flybynite" viruses (PC)
X-Digest: Volume 9 : Issue 53

Need information about these two viruses. Can anyone help?

------------------------------

Date: Mon, 15 Apr 1996 15:58:35 +0000 (GMT)
From: D3lyr1uM?
Subject: A possible virus! (PC)
X-Digest: Volume 9 : Issue 53

Often when playing games on my pc, I get the statement, system is dangerously low on resources. One day for no apparent reason the computer shut off totally. A black dos like screen came up and said Ok to shut off computer. Another problem is that my sound just dies some times. I don't know how the system could be low on resources when it's a P100 with 400 megs free, 16 megs of ram. I look at the system monitor and it always says 92% free? Any ideas would be appreciated to solve my dilemmas. I have scanned with nav and nothing comes up. I also tried tba, McAfee. Please help this is getting annoying

- - D3lyr1uM?
-I don't hang out with a bunch of joy popping bubble gummers, my friends can take their highs-

------------------------------

Date: Mon, 15 Apr 1996 18:48:37 -0700
From: Harald Horgen <73323.2516@compuserve.com>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 53

Iolo Davidson wrote:

> In article <0038.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>
> chastaib@stifel.com "Chastain, Brian" writes:
>
> > My main concern, however, is memory overhead. The NAVTSR occupies 30K
> > of RAM.
> > I took a look at F-PROT, and their TSR occupies over 40K of RAM.
> >
> > Since we're a token-ring network, and token-ring drivers are
> > notoriously large, we can't afford to give up that much memory.
> >
> > My question (finally!) is, which scanning program is effective, yet has
> > the smallest TSR footprint?
>
> That would be VirusGuard, from Dr. Solomon's Anti-Virus Toolkit.
> It has ballooned a bit since the days when I programmed it, but
> I believe it still fits in less than 10K. It is probably also
> the most effective, but there are few independent tests of TSR
> scanners to be found.

I think Vi-Spy from RG Software can lay claim to being the best product in this area. About a year ago the Virus Bulletin did a comparison of most products on the market, and Vi-Spy was the only one that uses the same front-end and TSR scanner. The reason is that most programs have become memory hogs, and don't have room to maintain all the sig files. I think Vi-Spy is the only product that is written in Assembler, so it has a real advantage in that its code is nice and efficient.

Harald Horgen

------------------------------

Date: Mon, 15 Apr 1996 18:53:24 -0700
From: Harald Horgen <73323.2516@compuserve.com>
Subject: Re: Multiple boot sector infections (PC)
X-Digest: Volume 9 : Issue 53

Pavel Machek wrote:

> Antonio Godinho (antonio@nambu.uem.mz) wrote:
> : I have had several problems of multiple boot sector infections on my
> : computers and have never managed to clean them. Does anyone know if
> : and how it can be done? From what I gathered the infections were of
> : the UNASHAMED and ANTIEXE.a viruses. I tried using Dr. Solomon's
> : toolkit 7.56, F-prot 222 and Thunderbyte 6.38 but all these failed.
> : Since I did not have access to the Hard disks in any of the cases, I
> : had to fdisk and reformat the hard disks.

You should buy and install NoMore Viruses from RG Software. It is designed specifically to prevent boot sector viruses.
According to a recent review in Virus Bulletin, it is 100% effective, and it never needs to be updated.

A note of caution, though. It does not check for file infectors, nor does it identify a virus, so you should use it with a regular, commercial scanner. But if you want to have 100% protection against boot sector viruses, and never have to worry about upgrades, this is the product to buy.

------------------------------

Date: Mon, 15 Apr 1996 17:41:27 +0000 (GMT)
From: Don Doane
Subject: Re: ripper-virus, who can help (PC)
X-Digest: Volume 9 : Issue 53

volker Biedermann <100343.3164@compuserve.com> wrote:

>I have a problem with the *ripper-virus*. I found the virus with
>scan/vshield-program from McAfee. I got these programs from the
>SCNI22CE.ZIP file, which i found in my local BBS.
>
>My main problem is, how to TERMINATE the ripper-virus? Which
>software or treatment do you suggest? Can you help me?

I had the ripper virus on 3 (1.6 gig) hd's. Purchased McAfee Virus Scan and it worked on the C: drive only. After 15 hours, I was still getting a reading that Ripper was still there..disconnected all drives and ran syntax C:scan /clean/nomem on each drive separately using the one cable only. Finally cleaned it up. If you have only 1 drive, McAfee should do a fine job...Any questions, advise

Don

------------------------------

Date: Tue, 16 Apr 1996 11:43:45 -0700
From: Todd Tanber
Subject: Re: AntiCMOS virus (PC)
X-Digest: Volume 9 : Issue 53

Glen Mann wrote:

> crash n' burn... (juhari@teleview.com.sg) wrote:
>
> : Hi, i need help with my PC. I am currently using WIN95 and occasionally I
> : get a general protection fault failure and whatever that was running had
> : to be shut down. I used McAfee's Scan95 and it did not detect the
> : presence of any virus. A friend of mine used my PC and when he
> : transferred some files over to his PC (by diskette), he detected the
> : antiCMOS virus. He used another PC and it confirmed the presence of this
> : virus.
>
> I think fdisk /mbr will rewrite the boot record to rid this. Norton can
> rebuild the boot sector too, though I'm not sure about Win95.
>
> : Does anyone have any solution to this problem? Also, how come my Scan95
> : did not detect the (abovementioned) virus?
>
> Scan95 should've found it, I thought.

I recommend using a clean boot disk with the latest version of McAfee on it. Boot and then scan your hdd with the command 'scan c: /clean' with c being your hdd. Oftentimes when running an anti-virus checker on your computer it doesn't scan a specific section of memory where the virus tends to live. This may be why your anti-virus didn't see it.

- - Todd Tanber
todd@netval.com
NetValue Sales Group
(805)374-6042

------------------------------

Date: Mon, 15 Apr 1996 14:42:35 -0500 (CDT)
From: "S.Sajjad Lateef"
Subject: Stoned.Spirit Virus: How do i remove it? (PC)
X-Digest: Volume 9 : Issue 53

Many PCs in my lab seem to be infected with Stoned.Spirit and I can't seem to be able to remove this. McAfee Scan 2.2.11 reports it infecting the MBR but cannot clean it and says something like "no remover available". It does not appear to be harming anything but when I run FPROT on floppies that have this virus, the disk appears to be unreadable. Patricia Hoffman's latest VSUM does not include this virus.

How do I get rid of this virus?

( Side Track: Scan 2.2.11 totally messed up Normal.Dot when it was removing the Word Concept Virus from it.)

Please email me directly at sajjad@uic.edu or post to this newsgroup.

Thanks,
Sajjad

- - S. Sajjad Lateef
Association for Computing Machinery at UIC
sajjad@uic.edu  acm@eecs.uic.edu
http://www.eecs.uic.edu/~slateef  http://www.eecs.uic.edu/~acm

------------------------------

Date: Mon, 15 Apr 1996 16:07:30 -0500
From: bfd1225@vax1.mankato.msus.edu
Subject: 850MB HD now 333MB--virus? (PC)
X-Digest: Volume 9 : Issue 53

Hi, I recently lost my HDD and possibly Bios to my first encounter with a virus. I believe it's Monkey or some variation.
What happened is that all my disk sectors went bad, when I boot it says "Bad disk or non-system disk" even if there is not a disk in Drive A. When I do boot with a clean (?) disk, and go to C, there is only one file that reads 39482something then 15-3-99 and some time stamp. Also, the drive is 850MB in an IDE 486DX2/50, so it had to be specially partitioned (don't remember exactly what was done, only because of the 540MB or so limit). Now the drive claims I only have 333MB total on the disk.

So, I have a couple questions:

1) Does anyone know what the virus is, if it's not Monkey or a variation I have a bad feeling that it might have physically damaged the drive.

2) What is the best protection I can get? I have F-Prot, I bought a program called PC-cillin, but it didn't detect anything (this was before the big crash).

------------------------------

Date: Mon, 15 Apr 1996 23:36:02 -0500
From: Joe Webster
Subject: Re: anticmos?? Help (PC)
X-Digest: Volume 9 : Issue 53

Chengi J. Kuo wrote:

> philski@spirit.com.au writes:
>
> >help!!! I am running 486 dx4 120 award with 12 meg ram win 95. My problem
> >is that I get a "checksum error defaults loaded" and/or "cmos battery
> >failed" but it is a brand new mo'board and I have replaced battery since
> >first occ!
>
> "It is a brand new mo'board" which hasn't been tested enough.
> Chances are, the ports to your CMOS is bad or some of the data
> lines are crossed or grounded. (Or maybe the wires from the
> battery have fallen off.) Sadly, your most likely thing is
> that you need to replace the motherboard.
>
> You don't have the AntiCMOS virus, not by your description.
> AntiCMOS does not do anything to CMOS.

I agree with Jimmy on your mo'board but you have two alternatives;

#1. Let the machine run at least 24-48 hrs. Sometimes new boards need their batteries charged.

#2. Replace the battery or add a battery pack [depending on the system board].
Even though your board is new, there is no telling how long your board has been sitting on the shelf or battery supplier's shelf.

Good Luck!
RZ of EZ
E-Z Computers Ltd.

------------------------------

Date: Tue, 16 Apr 1996 00:00:41 -0500
From: "R. Zalk"
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 53

Chastain, Brian wrote:

> We're beginning to have some problems with viruses here, notably the
> FORM virus. While this isn't a destructive virus, it is, nevertheless, a
> pain in the butt. Anyway, my boss wants me to look into virus detection
> for our company. Myself and several others in my department are using
> Norton's Anti-Virus, and it seems to be working nicely.
>
> My main concern, however, is memory overhead. The NAVTSR occupies 30K
> of RAM. I took a look at F-PROT, and their TSR occupies over 40K of RAM.
>
> Since we're a token-ring network, and token-ring drivers are
> notoriously large, we can't afford to give up that much memory.
>
> My question (finally!) is, which scanning program is effective, yet has
> the smallest TSR footprint?

I'm a firm believer in 'there is no such thing as a free lunch' and also live 'dangerously' and don't run an AV as a TSR. I use at least 3-5 AV programs and instruct clients to scan ANYTHING new coming in and even run a daily/weekly scan [yes, they're backed up!]. AV TSRs have been known to cause system problems, conflicts, and crashes. The above solution gives you more memory available and doesn't allow for the 'I have an AV TSR, what do I have to worry about' and then they get a virus.

Good Luck,
RZ of EZ
E-Z Computers Ltd.

------------------------------

Date: Mon, 15 Apr 1996 18:08:57 -0400
From: MIKE6099@aol.com
Subject: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 53

Is there a (cheap) ;) program that backs up the mbr and bootable area of a hard disk in case of a boot virus or corruption? Or is there an option like this in virusscan 95 or TBAV??
Mike6099@aol.com

------------------------------

Date: Mon, 15 Apr 1996 22:34:28 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Over 1644 Virus (PC)
X-Digest: Volume 9 : Issue 53

Jean-Paul BLANC writes:

>Could someone give me some information
>about OVER1644 Virus ?

This was a false id from a version of Scan, circa Fall95. Please update your scanner.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 15 Apr 1996 22:35:33 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: virus in macromedia plug-in (PC)
X-Digest: Volume 9 : Issue 53

Parameshwar Babu writes:

>I use Scan V.2.2.6 for dos, McAfee
>
>I downloaded macromedia plug-in for Netscape.
>I got the report like this in my machine:
>
>Scanning C: [DRIVE1VOL00]
>C:\NETSCAPE\PLUGINS\NP16DSW\MACROMIX.DLL
> Found the SMEG virus or variant
>
>Is this really true? Why should Macromedia do such a thing!
>I invite comments from you all.

This is a false id from a version of Scan from summer of 95.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 15 Apr 1996 23:07:33 +0000 (GMT)
From: Scott Schiller x2554
Subject: Bang virus? (PC)
X-Digest: Volume 9 : Issue 53

My sister apparently has a virus by the name of "bang" on her computer. The way she describes it, her machine started acting strangely and she couldn't load certain files, and she was experiencing memory problems. She started investigating, and when she opened her win.ini file there was a message that simply said, "Bang! by "

She has tried the newest versions of McAfee and Norton as well as an older version of MS Virus but none of them can find and eradicate the virus. Has anyone heard of this virus and if it can be removed, what should she use?

Please respond only in e-mail as my usenet server doesn't carry the two newsgroups in which I've posted.

Thanks!
- -scott

- - Scott Schiller (schiller@nicolet.com)
Nicolet Biomedical, Inc.
Madison, Wisconsin USA

------------------------------

Date: Mon, 15 Apr 1996 23:47:22 +0000 (GMT)
From: Frank Zimmermann <101324.2242@compuserve.com>
Subject: Multiple ParityBootA (PC)
X-Digest: Volume 9 : Issue 53

I think, after (two times :-( ) installing a Corel Ventura 5.0 (CD-ROM) on my hard disk, F-prot detected a multiple infection of the partition record. It therefore couldn't erase the virus. When I tried to boot up from a clean MS-DOS 6.22 (original) disk, always the parityboot was in memory (how??). Then I tried to boot up with a W95 start disk and the virus was at least not detected in memory. So I started F-prot, but as I said, it couldn't help. Then I ran fdisk /mbr and f-prot never more detected a virus. Did I destroy the virus or what?

My hard disk: 2Mb OS/2 boot manager, 400Mb Dos/Pri, 400Mb W95/Pri

My CD-ROM still has some trouble with some disks after the infection; is there a connection?

Thanks for every little clue, Frank.
(Please answer via email too) 101324.2242@compuserve.com

PS: A friend reported that his McAfee reported recently a parityboot B on his machine. Perhaps f-prot and McAfee see this differently and it's the same virus.

- - Frank Zimmermann (PGP key on demand)
101324.2242@compuserve.com
FrankZi@aol.com

------------------------------

Date: Tue, 16 Apr 1996 00:13:09 -0500
From: "R. Zalk"
Subject: Re: virus or hardware problem? (PC)
X-Digest: Volume 9 : Issue 53

david.j.ahnen wrote:

> My sister was babysitting my brother's PC while he was out of the
> country when it started to behave badly. She referred the problem
> to me, but I'm not sure what I might be dealing with here. Perhaps
> someone has some insight that they can lend.
>
> The system is a 386 16 with 4 Meg of memory. The behavior problems
> consist of the system locking up not long after a reboot. The lock-up
> does not discriminate against any program that may be running at the
> time.
> It locks up both in and out of windows - while a program is
> executing or while nothing is running (I come back to the keyboard
> after a while and hit CR only to get no response.) I don't know if
> this is a hardware problem, or if the syste