VIRUS-L Digest   Sunday, 21 Apr 1996   Volume 9 : Issue 55

Today's Topics:

How many viruses?
Re: Need a way to automatically update Virus Checkers.
Re: EliaShin (sp?) antivirus software
Q: strange crash - security hole, virus or bad config? (UNIX)
URGENT: Norton AV for NT erased my logical paritions (NT)
Help!!! Very unstable Performa 6200 (MAC)
Clean Boot Floppy (WIN95)
Re: Norton Anti-virus or McAfee (WIN95)
Computer gone nutz! (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Monkey and partitioned drives (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Need help with whacked PC (PC)
Old Tandy machine lost all files except 7 (PC)
Problems after F-PROT disinfection of QUOX (PC)
Re: Flesh Eating Virus? (PC)
Re: Program to backup mbr and boot sector (PC)
Re: A possible virus! (PC)
Even Beeper virus (PC)
Re: Parity boot? What should I do? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Where to get a virus check up grade? (PC)
Re: Help ,welcomb virus (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Trabajo_hacer.b Virus (PC)
Re: Help on DESPERADO A/B required (PC)
Virus-related FAQs [long]

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 17 Apr 1996 23:06:28 +0200
From: Niklas
Subject: How many viruses?
X-Digest: Volume 9 : Issue 55

I'm writing a report in school about viruses, and I've read that in 1986 there were only 4 viruses and in 1991 about 1000 - so I would like to know approx. how many viruses there were every year from 86-96. I will use this in my report and I must know where the info comes from.

Please email to niklas@wineasy.se if you have any good links or stuff. (not to comp.virus)

Ok, thanks! :)

------------------------------

Date: Thu, 18 Apr 1996 12:08 +0000
From: Graham Cluley
Subject: Re: Need a way to automatically update Virus Checkers.
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>

Ken Griffin writes:

> Can anyone help with automation?

Dr Solomon's Anti-Virus Toolkit can automatically update workstations with the latest version of the software from the network (this saves an awful lot on shoe leather).

I would be surprised if other anti-virus products cannot do the same.

Regards
Graham
- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 12:08 +0000
From: Graham Cluley
Subject: Re: EliaShin (sp?) antivirus software
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>

Frank Christensen writes:

> Hello!
> A friend at a nearby university learned they are going to be
> installing an antivirus program that neither he nor I had heard about:
>
> "....they are installing an antivirus called "EliaShin" in
> our PC labs - the main file itself is called "ViruSafe" - however,
> unlike Symantec's Norton Antivirus and McAfee's VirusScan and the
> Finnish Datafellow's F-PROTECT, and IBM's IBM Antivirus, and/or the
> British "Dr.Solomon" - I can find out NOTHING about this product,
> other than it comes from Israel!"

It's EliaShim actually, and their product is called "ViruSafe". You'll find them on the web at http://www.eliashim.com.

I seem to recall that the latest edition of Virus Bulletin included a review of EliaShim's anti-virus software.

> Does anyone have any firsthand knowledge about this product, and
> possible site of reviews/evaluations?

Other than the Virus Bulletin review mentioned above there are also a number of independent comparative anti-virus reviews to be found at http://www.drsolomon.com/avtk/reviews

Some of these include tests of EliaShim ViruSafe.

Regards
Graham
- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 01:32:53 +0000 (GMT)
From: David Saunderson
Subject: Q: strange crash - security hole, virus or bad config? (UNIX)
X-Digest: Volume 9 : Issue 55

We have a SPARC 10 running Solaris 2.4 that has been running stable for months. Then it began to hang, not crash, without a clue to its cause. This would happen once every few days.

Questions:

Could it be "virus"? (Please don't send me replies explaining the difference between virus, worms, trojan horses, etc.)

Is there such thing as a Sun/Unix "virus"?

Are UNIX virus checkers available? Are cleaners?
If you have information or can point me to some white papers, it would be appreciated.

Thanks in advance

Please reply to : saskgeo@unibase.unibase.com

And I will summarize in two weeks if there is any interest.

------------------------------

Date: Sat, 20 Apr 1996 20:22:12 +0000 (GMT)
From: Hyun
Subject: URGENT: Norton AV for NT erased my logical paritions (NT)
X-Digest: Volume 9 : Issue 55

I ran Norton AV and my system came out clean except for one boot sector. It reported that one of my master boot records was infected with the new NYB virus. So I had it cleaned. After this was done, the secondary partitions (h:, i:) on my second drive disappeared. NT and Fdisk(DOS) reports that I only have the primary partition on my (1.2gb) Western Digital drive. However, within file manager (both win3.11 and NT) tells me that the d:\ drive is only 544mb and that I do not have h: or i:.

Is there a way to get back the lost logical drives? Please say yes, please.

Please reply via e-mail as soon as possible. I was currently working on a school project which disappeared with the logical drives.

Thanks a bunch.

------------------------------

Date: Thu, 18 Apr 1996 05:00:18 +0000 (GMT)
From: Jason Alan Blough
Subject: Help!!! Very unstable Performa 6200 (MAC)
X-Digest: Volume 9 : Issue 55

I have a Mac Performa 6200CD and I'm having all kinds of problems. Macs have a tendency to freeze or lock up from time to time, right? This one used to do that, but now it freezes up all the time. It once took me a half an hour to get it to start because it kept freezing up. It doesn't lock up on any specific application. It happens at any time, no matter what I'm using. It goes in streaks too. Sometimes it will lock up over and over again and sometimes it works fine. (I hope I didn't just jinx myself, I'm using the above named unit now!)

At one point it would act like it was starting up (the power light came on and you could hear it booting up) but the monitor never showed anything.
It stayed black (yes, it was on). I had to completely reset at this point. It also sometimes plays the beginning of the twilight zone sometimes when I first start it. Isn't this a crash notice?

Anyway, does anyone know of a virus that may be causing this? Some people think it may be the system software (7.5.1). I'm in the process of getting the upgrade (7.5.3). It just seems strange to me that it worked fine for a couple of months before it acted up. Any other suggestions?

I am not a regular visitor of this group, so I'm sorry if this topic has been beat into the ground. Along the same lines, please respond to me directly or I may not get the message.

TIA!!

Jason
jblough@bgnet.bgsu.edu

------------------------------

Date: Wed, 17 Apr 1996 22:22:02 -0400
From: Larry Frank
Subject: Clean Boot Floppy (WIN95)
X-Digest: Volume 9 : Issue 55

Can a clean boot floppy be created using Win'95 or should it be created using an older version of dos? Why?

Thanks
Larry Frank

------------------------------

Date: Thu, 18 Apr 1996 12:12 +0000
From: Graham Cluley
Subject: Re: Norton Anti-virus or McAfee (WIN95)
X-Digest: Volume 9 : Issue 55

In-Reply-To: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>

Sachi Noma writes:

> which is better under win95:norton anti virus or McAfee?

Depends what you mean by better.

Better user interface?
Better speed?
Better detection of viruses?
Better identification of viruses (NB: different from detection)?
Better clean-up of viruses?
Better on-access interception of viruses?
Better technical support?
Better support for compressed and archived files?
Better detection of new and unknown viruses?
Better at avoiding false alarms?
Better price?

It seems most people mean "better detection" when they ask which is "better".

There are some independent comparative reviews of Win95 anti-virus software at http://www.drsolomon.com/avtk/reviews. They include tests of the products you mention above.
Regards
Graham
- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 17 Apr 1996 19:53:33 -0400
From: Cheshire
Subject: Computer gone nutz! (PC)
X-Digest: Volume 9 : Issue 55

Recently, my entire harddrive crashed. I loaded dos, did a scan disk and 400mb of HD space were gone! Just disappeared! So I reload everything and I get mem parity errors. I finally had to replace all my mem. WAS this a virus? I'm just curious. I'm new to the virus world.

BTW: It said my C: drive was unlocatable before loading dos.

------------------------------

Date: Wed, 17 Apr 1996 17:53:51 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 55

In article <0018.01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz> mramey@u.washington.edu "'Mike' M Ramey" writes:

> Iolo, Graham, Dr. Solomon, and development folks at S&S:

I am not an S&S employee, and have no influence on their development decisions.

> Please print an *explicit* message in the FindVirus output that
> *clearly* indicates the occurrence, cause, and consequences of switching
> into "review" mode. The word "like" is *not* a substitute for a clear
> explanation of what is going on!

The word "like" is not an indicator for review mode. The word "like" means that the virus has not been precisely identified by the extra thorough checksumming method that FindVirus normally uses. This can mean that you are in review mode, or it can mean that you have a variant of the virus that does not match the checksum.

> I have sent you messages in the past (and I will send you more soon)
> about the lack of clarity (or inaccuracy) of messages from the FindVirus
> program.

The message is accurate.
Since the precision checksumming turns off after 10 different viruses are encountered, FindVirus no longer says that viruses are "identified as" whatever precise virus variant name, but says that they are "like" whatever main virus name. This does not miss any viruses, nor does it increase the possibility of false alarms. It just doesn't distinguish precisely between the different variants of a particular virus.

This review mode only happens when more than ten different viruses are found during a scan. That means that it is extremely unlikely to happen to any real user, but only when someone is running FindVirus on a large collection of viruses.

FindVirus' precise identification checksumming is an extra level of precision not found in other anti-virus scanners. It is really only needed during repair, or when reporting a virus name to tech support, neither of which are applicable to the situation when someone runs a scanner on a large collection of viruses.

If a user has more than ten viruses on his machine, no doubt he will run FindVirus /REPAIR to get rid of them. The /REPAIR switch stops FindVirus going into review mode, because it uses the precise identification to do repairs.

There really isn't any downside to this.

- -
CUTIE INVITED     OF WHISKERS
VARSITY HOP       PARTY A FLOP
GUY FULL          Burma-Shave

------------------------------

Date: Thu, 18 Apr 1996 01:49:48 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Monkey and partitioned drives (PC)
X-Digest: Volume 9 : Issue 55

Minor technical nitpicks follow. If you don't care, press "N" now.

Stefan Kurtzhals (kurtzhal@wmwap1.math.uni-wuppertal.de) wrote:

> >Here's how it is. If you have Monkey on a multi partitioned (yes
> >Double / Drive Space users, that means you), and you run FDISK /MBR,
> >it is gone. You have to reformat and start over. I know this
> >because I sent my computer in, and those idiots ran FDISK with the
> >MBR command, and shot my hard drive out of the water.
>
> Well, the FDISK /MBR deleted all the data not because of DBLSPACE
> or DRVSPACE but because Monkey uses a special way to infect the
> partition sector. (Or at least it changes the sector in a
> special way)

Right. No data are deleted under normal circumstances, but might be with drivers like Disk Manager. In that case, though, the drive is unlikely to boot immediately after infectio