VIRUS-L Digest   Sunday, 5 May 1996   Volume 9 : Issue 63

Today's Topics:

! alt.comp.virus Mini-FAQ - PLEASE READ BEFORE POSTING !
Re: Is virus writing illegal?
Re: How to disable Word AutoMacro (MAC,WIN)
Re: Drive Space 3 Problems (WIN95)
Help with Welcomb on Win95 install diskettes (WIN95)
Re: Tentacle Virus (WIN)
Partition virus which slows/kills floppy drive? (PC)
Screen shaker 5th (PC)
NAV and F-PROT problems with NYB (PC)
Trojan.Sc Check?? (PC)
Stoned Monkey Virus (PC)
Re: Remover for Manzon virus (PC)
Re: Concept Virus and sick laptop? (PC)
Re: NYB Virus (PC)
TBAV: Possibly infected by an unknown virus (PC)
Need Help-Anti-CMOS A Virus (PC)
Re: Stoned Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 29 Apr 1996 07:44:33 +0000 (GMT)
From: George Wenzel
Subject: ! alt.comp.virus Mini-FAQ - PLEASE READ BEFORE POSTING !
X-Digest: Volume 9 : Issue 63

ALT.COMP.VIRUS Mini-FAQ (version .99e)
Maintained by George Wenzel

**Copyright notice: This document is copyrighted and may not be modified in any way or sold. It may be freely distributed providing all sections are intact and complete.**

When asking for help, the more relevant information you give, the more help can be returned. It helps to:

* Run more than one antiviral scanning program. Some do make mistakes.
* If you're running more than one anti-virus product, please list them (including version number), and say what each one said about the possible virus.
* Say what the symptoms are. If you ran some software that gave you a message, tell us which package, version number, and the exact wording of the message. You *cannot* be too detailed.
* Please be as accurate as possible about the order in which events happened.
* Give any other configuration information which you think may have a bearing.
* Please consider the possibility that whatever you are seeing might *not* be a virus.

Don't reformat, low-level format, or FDISK, before posting: it's most unlikely that this will be necessary. Don't use FDISK /mumble unless you know EXACTLY what you're doing - you could lose access to your hard drive.

Don't just ask "I've got xyz virus, can anyone help me".

Messages asking for help posted to alt.comp.virus are more likely to receive a useful response if they conform to accepted standards of civility. The newsgroup news.announce.newusers includes information on good newsgroup etiquette, or try
ftp://rtfm.mit.edu/pub/usenet/news.answers
http://www.fau.edu/rinaldi/netiquette.html

Basic answers to common questions:

1) The Good Times virus that supposedly damages hardware is a hoax.

2) We know about the PKZIP 3.00 trojan, and have no idea where it is available.

3) We can't tell you definitively which is the best anti-virus software.
Many shareware/evaluationware programs are available from http://www.valleynet.com/~joe/
Vendor contacts and comparative reviews at http://www.virusbtn.com/

4) No known virus can damage hardware, nor is it likely for one to exist.

5) Testing your defenses with a real virus is not generally a good idea. Most reputable anti-virus packages will now trigger an alert if tested with a file containing the following text

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

and given a filename with a .COM extension. Running the file displays the text EICAR-STANDARD-ANTIVIRUS-TEST-FILE. Most anti-virus researchers and practitioners consider virus simulators unnecessary and unsuitable for this task.

6) There are answers to most frequently asked questions in the following FAQs:

alt.comp.virus FAQ - ftp://ftp.gate.net/pub/users/ris1/acvfaq.zip
comp.virus FAQ - ftp://cs.ucr.edu/pub/virus-l/vlfaq200.zip
macrovirus FAQ - ftp://ftp.gate.net/pub/users/ris1/word.faq

A shorter version of the comp.virus FAQ is posted monthly to comp.virus. The other two are posted more or less regularly to alt.comp.virus.

7) Before you ask about what a specific virus does, try:

http://www.drsolomon.com/virus/enc/enc.htm
http://www.datafellows.com/v-descs/
http://www.datarescue.com/avpbase/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/

all of which carry virus databases and links to other sites.

Disclaimer

The authors accept no responsibility for errors or omissions, or for any ill effects resulting from the use of any information contained in this document.

Copyright Notice

We made this information freely available, and maintain it. Please don't abuse our work by using it for profit without contacting the contributors.
Contributors

Bruce Burrell (bpb@umich.edu)
Graham Cluley (gcluley@uk.drsolomon.com)
David Harley (harley@icrf.icnet.uk)
Robert Slade (roberts@decus.ca or rslade@vcn.bc.ca)
Alan Solomon (drsolomon@drsolomon.com)

Maintained by George Wenzel (gwenzel@gpu.srv.ualberta.ca)

George Wenzel
Student of Wado Kai Karate
University of Alberta Karate Club
NETSCAPE GOLD RUSH CONTEST WINNING PAGE: http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Sat, 04 May 1996 17:07:44 -0600
From: Bruce Ediger
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 63

"Joseph M. Spreng" wrote:
: If it's not it should be!

I'm not sure I understand. "Illegal" entails putting a statute of some sort in place. Statutes in most countries have elaborate definitions of what constitutes the illegal act. If you define "computer virus" and make writing a program that fits that definition an illegal act, you'll probably make compiler writing illegal, too. Maybe even make writing operating system boot blocks illegal.

------------------------------

Date: Sat, 04 May 1996 17:00:04 +0000 (GMT)
From: Jon Williams
Subject: Re: How to disable Word AutoMacro (MAC,WIN)
X-Digest: Volume 9 : Issue 63

In article <0015.01I4BWNT3JS4SKVUM0@csc.canterbury.ac.nz>, Sergei A. Golubchik wrote:
>Goro Miyano wrote:
>
>>The computer lab I work for has been attacked by Macro Virus.
>>I didn't save the edit you make to normal.dot to disable AutoMacro.
>>Could someone e-mail me how it's done? I appreciate it.
>
>the simplest way to disable AutoMacro is to hold Shift key while
>loading Word. AutoMacro will be skipped.
>
>(May be the key is not - I don't remember,
>but you may find it in Word Help file: read about Auto Macros ... )

I believe you are speaking of creating a macro which disables AutoRun macros.
This can be done in TOOLS--MACRO by creating a macro titled 'AutoExec'. The command line in AutoExec is 'DisableAutoMacros' (it should come between 'Sub Main' and 'End Sub').

PLEASE NOTE: This is a stopgap measure. It will not stop macroviruses which don't rely on the AutoRun command (such as Colors), nor will it do anything for you if a document is opened by double-clicking on the document. A better approach is the ScanProtect macro package (downloadable from Microsoft). An even better approach is antivirus software capable of detecting macroviruses, with the latest definitions, set to scan any file opened, created, or run.

Jonathan Williams

------------------------------

Date: Sat, 04 May 1996 19:43:04 +0000 (GMT)
From: Alex Ross
Subject: Re: Drive Space 3 Problems (WIN95)
X-Digest: Volume 9 : Issue 63

Ken Stieers wrote:
>I'd bet my eyeteeth that this isn't viral. If the data that's in the
>DriveSpace 3 volume isn't critical, I'd wipe the drive completely and
>start over. I also wouldn't use DriveSpace in the future, disk space is
>too cheap to go through the hell you are going through now. If the data
>is critical you may have to look at data recovery. Once a DriveSpace file
>is corrupted, it can be extremely difficult (maybe impossible) to get the
>data out without special tools. We (Ontrack) can do it, and I assume a
>few other DR firms can as well.

Hmm... I just installed Plus95.. so what you're saying concerns me!! I use a laptop.. and HD disk upgrades are expensive!! I never had any problems with DoubleSpace on my old machine.. why should this DriveSpace be any different.. anything I should know? By the way I've not run DS yet.. I am thinking about it!! Anyone got any horror stories to change my mind!!

Alex.
------------------------------

Date: Sat, 04 May 1996 19:41:53 +0000 (GMT)
From: Mutsuo Tsunoda
Subject: Help with Welcomb on Win95 install diskettes (WIN95)
X-Digest: Volume 9 : Issue 63

When I tried to install Win95 from the setup diskettes, disk No. 3 got the Welcomb from my hard disk. And now I cannot install any more. Does anyone know how to get rid of this virus from my setup disk?

Mutsuo
mutsuo@singnet.com.sg

------------------------------

Date: Sat, 04 May 1996 17:25:17 +0000 (GMT)
From: Colin Bailey
Subject: Re: Tentacle Virus (WIN)
X-Digest: Volume 9 : Issue 63

Fred Warren wrote:
>I've got it, any shareware programs that can get rid of it???

Yup, try www.sands.com, get the new eval antivirus toolkit, supports Tentacle, finds it, but won't kill it; you need to delete and reinstall the contaminated files.

regards

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
- Colin Bailey            ----- SYSOL - System solutions
- Colin@colb.demon.co.uk  ----- SYSOL - Network Integration

------------------------------

Date: Thu, 02 May 1996 15:04:40 +0000 (GMT)
From: Steve Roberts
Subject: Partition virus which slows/kills floppy drive? (PC)
X-Digest: Volume 9 : Issue 63

We appear to have a virus which has the effect of slowing down the floppy drive to a crawl, or, with other disks, we cannot read the disk at all. We have tried the latest versions of F-Prot and VET and somewhat older versions of Dr Solomon's, and these cannot detect the infection. However, Dr Solomon's CleanPar removes the infection from the hard disk, and CleanBoo (we believe!) from floppies. But, of course, we do not know what else the beastie might be doing, or if it is on PCs without the slow floppy symptoms. Is this a known virus? Is there any way of detecting it? Any suggestions gratefully received!

Steve.
------------------------------

Date: Fri, 03 May 1996 01:57:28 +0000 (GMT)
From: BangBang
Subject: Screen shaker 5th (PC)
X-Digest: Volume 9 : Issue 63

Has anyone come across the above virus? It has attached itself to all my DOS files and most of my utilities (.com & .exe). When an infected prg. is run, it stays memory resident and hooks into the interrupt timer. My screen shakes and the PC speaker goes wild. None of the programs I tried would find it.

------------------------------

Date: Fri, 03 May 1996 15:51:09 -0400
From: CICSTAFF CICSTAFF
Subject: NAV and F-PROT problems with NYB (PC)
X-Digest: Volume 9 : Issue 63

I have been getting my ass kicked by a group of viruses here at my center. I have the latest Norton, but it doesn't pick up anything. When I use F-Prot on a floppy, it tells me that the boot sector is infected with the NYB virus; when it goes in to disinfect, it goes into a loop.... and finally just says "Virus can not be removed-Original MBR was not found". When I run Fdisk /MBR and re-run F-Prot, the same thing happens. F-Prot also fails to disinfect the Concept virus in Word 6; it reports it, but it doesn't give you any options to clean or disinfect. Any suggestions?

------------------------------

Date: Fri, 03 May 1996 00:28:58 -0400
From: Larry Mecca
Subject: Trojan.Sc Check?? (PC)
X-Digest: Volume 9 : Issue 63

Has anyone ever heard of the "Trojan.sc check" virus? It was identified by VPCScan as such. I can't find reference to it anywhere; I've tried the lists included with F-Prot, McAfee, Norton, and the V-Sum listings. I came up with nada; hence my post. Any help would be appreciated. VPCScan is a command-line DOS program so it doesn't have a virus list (before someone asks if I checked that).

------------------------------

Date: Fri, 03 May 1996 07:16:36 -0400
From: Zach Rosen
Subject: Stoned Monkey Virus (PC)
X-Digest: Volume 9 : Issue 63

I recently found and cleaned the Stoned Monkey virus from my C: drive with F-Prot.
Can this virus be transmitted by email? I am having a difficult time tracing where it came from. The reason why I am asking: I recently received a suspicious email from an unidentified source telling me to do whatever if I wanted to make a lot of money through the internet. The email said if I wasn't interested, to delete the message, which I, unfortunately, did. Any opinions on this?

Thank you.
Zach

------------------------------

Date: Sat, 04 May 1996 18:40:27 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Remover for Manzon virus (PC)
X-Digest: Volume 9 : Issue 63

In article <0038.01I4BWNT3JS4SKVUM0@csc.canterbury.ac.nz> ad792@FreeNet.Carleton.CA "Eric Blace" writes:
> If F-Prot cannot handle the problem, can anyone recommend a
> product that will handle Manzon.

I don't know if the latest F-Prot will remove this virus or not, but the latest Dr. Solomon's will. You can get an evaluation copy of the scanner/remover part of Dr. Solomon's Toolkit (FindVirus) from: http://www.drsolomon.com

-- 
   SOAPS TURN JOLLY GENTS
   THAT IRRITATE TO JITTERBUGS
   THEIR MUGS
                          Burma-Shave

------------------------------

Date: Sat, 04 May 1996 18:28:28 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Concept Virus and sick laptop? (PC)
X-Digest: Volume 9 : Issue 63

In article <0033.01I4BWNT3JS4SKVUM0@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:
> The Concept macro isn't worth all the hassle and nonsense connected with
> its detection and cleaning. All that you need to detect and remove
> Concept, if it bothers you at all, is Word itself and a few keystrokes.
>
> Regards, Zvi
> - --------------------------------------------------------------------
> NetZ Computing Ltd, Israel            Producer of InVircible & ResQdisk

Do I understand from the above that InVircible can't detect or remove Word macro viruses, and your users are therefore required to go through "all the hassle and nonsense" required to learn how to do it by hand?
Concept doesn't have much of a payload, but there are macro viruses that damage or delete data, and there will be lots more macro viruses. Any anti-virus that ignores them is not serving its customers.

-- 
   SOAPS TURN JOLLY GENTS
   THAT IRRITATE TO JITTERBUGS
   THEIR MUGS
                          Burma-Shave

------------------------------

Date: Sat, 04 May 1996 14:03:58 -0700
From: Edward Tang
Subject: Re: NYB Virus (PC)
X-Digest: Volume 9 : Issue 63

Harry Clendening wrote in Digest: Volume 9 : Issue 62
>> Need information on NYB Virus. Understand it is 512 bytes long and
>> infects boot sectors. Would like to know specifically what it does and
>> how one might get rid of it. Help would be appreciated.
>
>I recently encountered the NYB Virus on one of our Windows 95
>workstations. I used the DOS version of SCAN to successfully
>clean the PC. Sorry, I'm not at work, and cannot verify
>exactly what the NYB virus does?

The NYB virus caused my system not to recognize my CD-ROM drive, slowed it way down during boot, and generally annoyed the heck out of me......

= Ed

- ----------------------------------------------------------------------
I can be reached at -
edtang@halcyon.com
bd971@scn.org
gv820@cleveland.freenet.edu
bz402@freenet.uchsc.edu
zapman@cyberspace.org

------------------------------

Date: Sat, 04 May 1996 16:41:44 -0400
From: Poon Jacob Tin Hang
Subject: TBAV: Possibly infected by an unknown virus (PC)
X-Digest: Volume 9 : Issue 63

In my recent use of TBScan 7.01, when scanning a file named com2exe.exe (found in the compack 4.5 package), it says it's possibly infected by an unknown virus, regardless of heuristics settings. However, after I unpacked it with UNP it didn't happen anymore. It seems that TBAV needs some work on unpacking encrypted/compressed executables (especially encrypted ones, which generate a lot of false positives). BTW the com2exe.exe is compressed by, as expected, the compack 4.5 compressor.
------------------------------

Date: Fri, 03 May 1996 15:55:58 +0200
From: peterle@muc.de
Subject: Need Help-Anti-CMOS A Virus (PC)
X-Digest: Volume 9 : Issue 63

I am DESPERATELY seeking Anti-CMOS A info and help. I have no way of presently accessing the WWW... but I need help in a bad way.... the computer is seriously lost in la la land. Upon start up it works until the beginning of Win 95... though no ICONS show up and then it just hangs there and does absolutely nothing.... no matter what.... (it asks for password fine etc.... but then comes a blue screen and nothing). Can anyone help me or give advice? If there have been previous postings regarding this, could somebody who still has them email them to me? I would be immensely grateful!

Thank you a quadruple Zillion and a half in advance....

Peter Zimmer

PS Please Email to me as I can not access this easily. peterle@muc.de

[Moderator's note: Yes, I am reposting this--I screwed up the linewrapping last time and many wouldn't have been able to read it.]

------------------------------

Date: Sun, 05 May 1996 02:30:22 -0400
From: Xroot
Subject: Re: Stoned Virus (PC)
X-Digest: Volume 9 : Issue 63

Most copies of this virus I've seen only replicate - it has no activation phase; however, a new, hacked version is always possible. Booting from a clean disk and then using the DOS SYS command on all infected disks is all that is required to kill this boot infector.

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 63]
*****************************************
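Added example for point 5 of the Mini-FAQ above; this is editor-supplied code, not part of the digest or of any product named in it. It builds the EICAR test file under the .COM name the FAQ calls for and checks a file against the EICAR format, so that a scanner alert can be confirmed as a test-file detection; the length and trailing-whitespace rules are taken from the published EICAR specification, which the FAQ does not spell out.

```python
# Added example, not from the digest: build and validate the EICAR test
# file described in point 5 of the Mini-FAQ. Length and trailer rules
# follow the published EICAR specification (68-byte string, optional
# trailing whitespace, 128 bytes at most), which the FAQ does not state.
from pathlib import Path

# The 68-character string quoted in the FAQ; the backslash is escaped here.
EICAR_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Only these bytes may follow the string: space, tab, CR, LF, Ctrl-Z.
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
MAX_LENGTH = 128


def build_eicar_file(path: str) -> int:
    """Write the test file under the .COM name the FAQ calls for.

    Returns the number of bytes written (always 68).
    """
    target = Path(path)
    if target.suffix.lower() != ".com":
        raise ValueError("the EICAR test file should carry a .COM extension")
    return target.write_bytes(EICAR_STRING)


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Report whether data is a conforming EICAR test file.

    Anything that fails here is not a conforming EICAR file, so a scanner
    verdict on it says nothing about whether the test string is detected.
    """
    if len(data) < len(EICAR_STRING):
        return False, "too short to contain the test string"
    if len(data) > MAX_LENGTH:
        return False, "exceeds the 128-byte maximum"
    if data[: len(EICAR_STRING)] != EICAR_STRING:
        return False, "first 68 bytes are not the EICAR string"
    trailer = data[len(EICAR_STRING):]
    if any(b not in ALLOWED_TRAILER for b in trailer):
        return False, "non-whitespace bytes follow the test string"
    return True, "valid EICAR test file"


if __name__ == "__main__":
    # Constructed samples: the bare string, one with a CR/LF trailer, one
    # padded past the size limit, and one with a real payload appended.
    samples = (
        EICAR_STRING,
        EICAR_STRING + b"\r\n",
        EICAR_STRING + b" " * 61,
        EICAR_STRING + b"junk",
    )
    for sample in samples:
        print(len(sample), check_eicar(sample))
```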