VIRUS-L Digest   Wednesday, 8 May 1996   Volume 9 : Issue 65

Today's Topics:

Re: help- possible virus that causes auto reboot
JAVA WARNING
Re: Kanji Interface
Re: Flash Bios Virus anyone?
Re: Standardizing names again.
Re: Internet Anti-virus Software Comparison Report??
Legal Help--U.S. Statute for Destroying Computer Software
Re: What to buy for NT server and win95 wkstns (NT)
Stoned.Empire.Monkey.B and DriveSpace 3 (WIN95)
Re: Norton Anti-Virus & Optimizing system performance (WIN)
Re: Remover for Manzon virus (PC)
Re: Concept Virus and sick laptop? (PC)
Re: Possible Virus? DeskJet 500C prints happy faces (PC)
Re: Jumper (was Re: NYB Virus) (PC)
Re: Partition virus which slows/kills floppy drive? (PC)
Re: NAV and F-PROT problems with NYB (PC)
Help, files increased by 98 bytes (PC)
Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Master Boot infections on Compaq / IBM systems (PC)
Re: TBAV: Possibly infected by an unknown virus (PC)
Re: Concept Virus and sick laptop? (PC)
Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: NAV and F-PROT problems with NYB (PC)
Re: Anti-CMOS A (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l.
The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 06 May 1996 15:03:52 +0000 (GMT)
From: William Robert Night
Subject: Re: help- possible virus that causes auto reboot
X-Digest: Volume 9 : Issue 65

DarStec (darstec@aol.com) wrote:
: In article <0009.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>, "Chengi J. Kuo"
: >ebbtide@cris.com writes:
: >
: >>I am having a problem that I think might be a virus. Without even
: >>touching my computer, not even running a program, the computer re-boots
: >>itself. Sometimes I can be in the middle of running a program and it
: >>happens. There doesn't seem to be any rhyme or reason, it just reboots.
: >>
: >>Has anyone had the problem? Are there any ways to correct it?

There are many possibilities, the least likely of which is a virus. (Most viruses try to hide until they activate, then do something really big to get your attention...)

Perhaps the CPU is overheating. This is a problem on a lot of 486s and Pentiums which generate a lot of heat and were often sold with cheap fans (if at all). Does the problem happen only after the computer has been on for a while? Does it start to occur more frequently the longer you leave it on? If it has these symptoms (and it doesn't take long, only 5 min or so to overheat from when you turn it on) then you could try opening up the case and touching the CPU just after turning off the computer; the CPU should be cool enough that you can hold your hand on it.

BTW: This is assuming that you've tried a few obvious things like reseating the cards, fiddling with wires to make sure they're attached, etc. If not, try this... Many problems go away after a little 'fiddling'.
------------------------------

Date: Mon, 06 May 1996 08:59:30 -0700 (PDT)
From: Jared Williams
Subject: JAVA WARNING
X-Digest: Volume 9 : Issue 65

>Date: Mon, 6 May 1996 00:31:05 -0700
>To: merchants@mail-it.com
>From: davidlee@idirect.com (Monica Reyes)
>Subject: [ MERCHANTS ] JAVA WARNING
>Sender: owner-merchants@mail-it.com
>Reply-To: merchants@mail-it.com
>
>
>I believe this information is important enough to warrant my sending it to
>the forum. I have personally checked it, it's not a hoax, it is real. If you
>feel it's useless to you, I apologise for taking up the space in your email
>... otherwise, merchants doing business on the net, whose livelihood depends
>on a clean computer system ... like me, please read and take the necessary
>precautions.
>I still believe that information like this is vital to keep all our
>merchants safe.
>
>
>Deadly Black Widow on the Web:
>Her Name is JAVA
>
>"Don't trust Java online" That's the message from computer
>and Internet security watchdogs, in response to reports that
>"hostile" Java applets are stalking the WWW. These malicious
>applets can destroy data, interfere with mission critical intranets,
>and gain access to sensitive data.
>
>"The situation is scary," said Stephen Cobb, Director of Special
>Projects for the National Computer Security Association (NCSA).
>"Software companies are releasing products on the Internet without
>even considering the hacker perspective. Enterprise IT managers
>have to understand there is a real danger allowing users to freely
>access the WWW. They have to set up policy now to prevent users
>from downloading malicious applets and viruses. Users should only
>be allowed to access trusted domains and Web sites."
>
>According to the NCSA, "a malicious 'applet' can be written to
>perform any action that the legitimate user can do.
>The security
>enhancements announced by Sun Microsystems and Netscape do not
>fix this flaw. CERT (Computer Emergency Response Teams)
>recommends disabling Java in Netscape Navigator [only Netscape
>browsers are at issue] and not use Sun's 'appletviewer' to browse
>untrusted web sites until patches are made available from the
>vendors." The warnings apply to Netscape Navigator 2.0 and 2.01,
>and Sun's HotJava browser.
>
>And according to a white paper being released by researchers at
>Princeton University, "The Java system in its current form cannot
>easily be made secure." The scientists, Drew Dean, Edward Felten
>and Dan Wallach, will present their white paper at the 1996 IEEE
>Symposium on Security, which starts in California Monday, May 6.
>
>According to the scientists, and other sources interviewed by Online
>Business Consultant (OBC), innocent surfers on the Web who download
>Java applets into Netscape's Navigator and Sun's HotJava browser, risk
>having "hostile" applets interfere with their computers (consuming RAM
>and CPU cycles) or, worse, having an applet connect to a third party on
>the Internet to upload sensitive information from the user's computer.
>
>The scientists say that even firewalls, software designed to fence-off
>LANs and Intranets from cyberthugs, are ineffective against the malicious
>Java code . . . "because the attack is launched from behind the firewall."
>
>This information was made public some weeks back. However, the
>browsing public, and particularly online business users, are ignorant
>of the Java risks. In a survey conducted by OBC the vast majority of
>Netscape users had no idea that Java applets presented a grave risk,
>and many felt the proponents of Java as an Internet technology,
>particularly Sun Microsystems, Inc. and Netscape Communications
>Corporation, were not paying enough attention to the issue. "I have to
>report this information to my senior executives," said one IT manager.
>"They are especially anxious to have clarity on the (Java) security issue."
>
>"They are hoping the security issues will just go away," said another
>responder, one of the few who has researched the security issue. "But it
>will not. The hackers will continue to find the loopholes and exploit
>the opportunities."
>
>OBC also interviewed hackers who have designed Java applets to turn
>cancerous at a future date. Said one hacker: "Even legitimate Java applets
>can be targeted on the Web and attacked. I have written a Java virus that
>changes one line of code in a Java applet to render it useless." [A sample
>of this type of hostile code is included in the complete Java report in the
>May issue of OBC]
>
>A computer security expert, Mark Ladue, has set up a "Hostile Applets"
>site on the Internet. The site is a free service to alert business to the
>potential dangers. "I've read that article by Dean, Felten, and Wallach,
>and I agreed with what they had to say as far as they went, but I would
>paint the picture a little more darkly. It's to the business community
>that they (Java applets) pose the most serious threat."
>
>Back in March the Princeton group released the following Java report to
>Sun Microsystems, Netscape and Cern: "We have discovered a serious
>security problem with Netscape Navigator's 2.0 Java implementation.
>[The problem is also present in the 1.0 release of the Java Development Kit
>from Sun] An applet is normally allowed to connect only to the host from
>which it was loaded. However, this restriction is not properly enforced. A
>malicious applet can open a connection to an arbitrary host on the Internet.
>At this point, bugs in any TCP/IP-based network service can be exploited.
>We have implemented (as a proof of concept) an exploitation of an old
>sendmail bug [to reproduce the problem].
>
>Sun issued a patch that plugs the possibility of "spoofing." Netscape
>modified its software (in version 2.00).
>However, Netscape's Navigator is
>readily available in stores and countless millions of World Wide Web users
>have no idea they are at serious risk. To date OBC has been unable to obtain
>official response from Sun or Netscape. The following security claim is
>extracted from their original white paper on Java:
>
>"Java is intended to be used in networked/distributed environments. Toward
>that end, a lot of emphasis has been placed on security. Java enables the
>construction of virus-free, tamper-free systems. The authentication
>techniques are based on public-key encryption."
>
>However, the Princeton group states otherwise, "If the user viewing the
>(Java) applet is behind a firewall, this attack can be used against any
>other machine behind the same firewall. The firewall will fail to defend
>against (Java) attacks on internal networks, because the attack originates
>behind the firewall.
>
>"The immediate fix for this problem is to disable Java from Netscape's
>'Security Preferences' dialog. An HTTP proxy server could also disable
>Java applets by refusing to fetch Java '.class' files. We've sent a more
>detailed description of this bug to CERT, Sun, and Netscape."
>
>In light of this information, OBC feels it is prudent to avoid using the
>Netscape Navigator browsers and logging on to insecure Java sites on the
>Internet until complete safety can be confirmed.
>
>The complete Java report in the May issue of OBC also exposes the
>mounting dangers of email being attacked by "Trojan horse" Java applets.
>
>
># # #
>
>The report above may be reprinted with credit provided as follows:
>
>Home Page Press, Inc., http://www.hpp.com and Online Business Consultant
>
>Please refer to the HPP Web site for additional information about Java and
>OBC.
>
>............Home Page Press, Inc. http://www.hpp.com home of Go.Fetch
>........Free TEXT version - Online Business Today email: obt.text@hpp.com
>....Free PDF version - Online Business Today email: obt.pdf@hpp.com
>OBC / Online Business Consultant, $595/year email: obc@hpp.com
>
>Thank you for your time
>

Jared Williams

------------------------------

Date: Mon, 06 May 1996 19:23 +0000
From: Graham Cluley
Subject: Re: Kanji Interface
X-Digest: Volume 9 : Issue 65
In-Reply-To: <01I4CWUWWHQGSKVUM0@csc.canterbury.ac.nz>

Hannah Daley writes:

>I have some customers in Japan that are looking for a virus scanning
>software product that reads code created with Kanji characters.

I'm not quite sure what you mean by "reads code created with Kanji characters", but I do know that there is a Kanji version of Dr Solomon's Anti-Virus Toolkit available for Japanese PCs (they tend to be quite different from Western PCs).

Here are the details of our Japanese representatives:

Jade Corporation Ltd
3-6-11 Tokiwa-Cho
Shizuoka City
Shizuoka 420
Japan

Tel: +81 54 252 0085
Fax: +81 54 221 0282

Regards
Graham

- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 06 May 1996 22:12:43 +0000 (GMT)
From: Wayne Riddle
Subject: Re: Flash Bios Virus anyone?
X-Digest: Volume 9 : Issue 65

"NIS Service Dept." wrote:

>Micron Computers is spreading a rumor that there is a beast known as a
>Flash Bios Virus that is hosing up computers the world around. I know
>nothing more than this - I was hoping someone else had a little more
>info...

Probably how Micron is explaining the problems they have been having with their systems.
Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Mon, 06 May 1996 23:13:30 +0000 (GMT)
From: Ken Stieers
Subject: Re: Standardizing names again.
X-Digest: Volume 9 : Issue 65

In article <0006.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>, vfreak@skn.net says...

>The Frodo virus is even worse because there are at least three names for
>this virus.
>  4096 (Scan)
>  Frodo (F-Prot)
>  100 year virus (CPAV)

And I think the CARO name for this is FRODO.4096? When I was at McAfee the name issue came up several times and I know that the names were slowly being changed as time permitted. These days as soon as an official CARO name is decided for new viruses that's the name that gets assigned, but I don't know how big the backlog is.

Ken

- -
Views expressed herein are not necessarily the views of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.

*******************************************************************
* Ken Stieers              | Minneapolis - 1.800.872.2599        *
* AV Research/Apps. Eng.   | Los Angeles - 1.800.752.7557        *
* Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410   *
* Ontrack Data Recovery    | London - 0800 24 39 96              *
* Eden Prairie, MN         | Japan - 81.429.32-6365              *
*******************************************************************

------------------------------

Date: Mon, 06 May 1996 20:40:26 -0500
From: ConnieTX
Subject: Re: Internet Anti-virus Software Comparison Report??
X-Digest: Volume 9 : Issue 65

Andre Xavier wrote:
> I'm trying to setup an internet and Intranet for my company and we are in
> the stage of searching a right Internet Anti-Virus solution for our
> network (You don't know what will happen next to your network right!!?).
>
> Please... Anyone came across any comparison/report on internet Anti-virus
> software or solution. I'll be very grateful if you can let me know!!

When you check out the programs at http://www.tucows.com there is a rating for the programs they have.
Good luck

- -
Connie Schilke Nielsen
maestra@sprynet.com
To teach is to touch a life forever.
Enseñar es tocar una vida para siempre.

------------------------------

Date: Tue, 07 May 1996 03:42:07 +0000 (GMT)
From: ken wilson
Subject: Legal Help--U.S. Statute for Destroying Computer Software
X-Digest: Volume 9 : Issue 65

I heard that it is now Federal Law that prohibits the destruction or attempted destruction of a computer or software on a computer not owned by you. Is this true? Would anybody have the statute number, or where I could quickly look it up? Or could anyone give me some insight into this issue, and possibly the date it took effect? I am attempting to prepare, to the best of my ability, a case against repeated attempted damage to my equipment.

I work a regular job during the day and cannot always follow up on threads, but this one I will try. BUT I would greatly appreciate e-mail from someone pointing me in the right direction, as I don't know where to look...

Thank You
Ken Wilson
kgw@pacifier.com

------------------------------

Date: Mon, 06 May 1996 19:42:59 +0000 (GMT)
From: Iolo Davidson
Subject: Re: What to buy for NT server and win95 wkstns (NT)
X-Digest: Volume 9 : Issue 65

In article <0007.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
           ssl@iconz.co.nz "SSL" writes:

> No need to update every month,

Oh? When Word macro viruses came along, Invircible had to have a facility added to detect them. If you have an earlier version, you can't detect these very prevalent viruses.

> no TSR's or NLM's,

Pity. Won't run on a Novell server, then.

> and has superior detection and recovery facilities.

The "recovery facilities" for Word macro viruses consist of manual instructions on how to delete infected macros by hand.
- -
SOAPS TURN JOLLY GENTS
THAT IRRITATE TO JITTERBUGS
THEIR MUGS
                Burma-Shave

------------------------------

Date: Mon, 06 May 1996 19:09:31 -0500 (CDT)
From: Russell Smith
Subject: Stoned.Empire.Monkey.B and DriveSpace 3 (WIN95)
X-Digest: Volume 9 : Issue 65

Well I got my chance sooner than I expected to see how a virus behaves on a Drivespaced 3 WIN95 machine. It was the tricky Monk and he hid very well from the disinfection attempts of FPROT (could not see the hard drive even with /HARD parameter). So I pulled out Tim Martin's Killmonk version 3.0 and whacked the ape. This was done without a clean floppy boot as one was unavailable. I made one on another Drivespaced 3 machine, but it did *NOT* work to boot up into Windows...merely got to A: prompt and the Drivespaced drive was inaccessible. To be fair the two different Drivespaced machines were very different PCs (the dirty one was a Dell P75 desktop and the clean one I made a disk from was my T.I. 4000M laptop).

So get the Killmonk 3.0 postcardware program and keep it in your arsenal. It's available at:

Linkname: SimTel, the Coast to Coast Software Repository (tm)
URL: http://simtel.coast.net/SimTel/msdos/virus.html
Filename: ftp://ftp.coast.net/SimTel/msdos/virus/killmnk3.zip

Later,

Russell Smith
rssmith@tenet.edu
rssmith@camalott.com
Region 14 ESC
Abilene, Tx
Edtech Consultant, Certified teacher, Journalist

------------------------------

Date: Mon, 06 May 1996 19:53:45 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Norton Anti-Virus & Optimizing system performance (WIN)
X-Digest: Volume 9 : Issue 65

In article <0012.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
           wjg109@psu.edu "Bill Gallagher" writes:

> Does anybody know what settings can be used in NAV to allow for
> good virus protection, and minimal system degradation.

Generally speaking, changing the settings to get better speed will always reduce protection. You speed it up by asking it to do less.
> Viruses are a problem, so we must keep very sensitive
> detection, but the loss of performance is unacceptable.

Why not test a few other products?

- -
SOAPS TURN JOLLY GENTS
THAT IRRITATE TO JITTERBUGS
THEIR MUGS
                Burma-Shave

------------------------------

Date: Mon, 06 May 1996 14:56:10 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Remover for Manzon virus (PC)
X-Digest: Volume 9 : Issue 65

Iolo Davidson wrote:
> In article <0038.01I4BWNT3JS4SKVUM0@csc.canterbury.ac.nz>
>            ad792@FreeNet.Carleton.CA "Eric Blace" writes:
>
> > If F-Prot cannot handle the problem, can anyone recommend a
> > product that will handle Manzon.
>
> I don't know if the latest F-Prot will remove this virus or not,
> but the latest Dr. Solomon's will. You can get an evaluation
> copy of the scanner/remover part of Dr. Solomon's Toolkit
> (FindVirus) from:

F-Prot version 2.20 removes Manzon alright, at least it did when I checked it recently on that virus. Yet users should be aware that there exists the possibility that a disinfector may confuse variants of the same virus, or worse, simply have a faulty disinfection routine for particular viruses. Therefore, always try a disinfector on infected samples and CHECK that the disinfected files are clean and FUNCTIONAL. Do NOT take the "virus removed" statement of a scanner-disinfector for granted, as it has no means to verify its doing. This capability belongs to generic restoration, not to scanners.

Not long ago, I was scrambled to help the nearby university in disinfecting their servers from Manzon. Unfortunately, they downloaded Dr. Solomon's Toolkit from the web, and after cleaning one of their servers they were concerned since NOT A SINGLE EXE FILE WAS FUNCTIONING ANYMORE. I need to add here that Manzon is a fast infector, and all executables on their servers were actually infected through piggybacking when scanning them with the various antivirus programs they had (they didn't have InVircible then; it would have detected piggybacking immediately).
Infecting files with Manzon and disinfecting them with DSAVTK confirmed that FindViru ruined every EXE file that it claimed to have disinfected. Since FINDVIRU disinfected the COM files alright, the fault should be in the Manzon disinfection routine, rather than caused by misidentification of the virus variant (Manzon has two variants). S&S admitted the existence of the FINDVIRU bug.

Therefore, check that the cure isn't worse than the disease before you commit your files to scanner disinfection! The forecast isn't encouraging, since the number of bugs increases exponentially as a function of the number of viruses that the scanner handles. Qualifying and testing scanner updates is also becoming a serious problem, as the case above proves.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel   Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Mon, 06 May 1996 14:55:03 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Concept Virus and sick laptop? (PC)
X-Digest: Volume 9 : Issue 65

Iolo Davidson wrote:
>> The Concept macro isn't worth all the hassle and nonsense connected with
>> its detection and cleaning. All that you need to detect and remove
>> Concept, if it bothers you at all, is Word itself and a few keystrokes.
>>
>> Regards, Zvi
>> NetZ Computing Ltd, Israel   Producer of InVircible & ResQdisk
>
> Do I understand from the above that Invircible can't detect or
> remove Word Macro viruses, and your users are therefore required
> to go through "all the hassle and nonsense" required to learn how
> to do it by hand?

InVircible handles Concept alright. The following is an excerpt from IV's online documentation.
It is brought here for the benefit of the readers and yourself.

- -- excerpt from InVircible's on-line manual

There is more hype than substance in the Winword macro virus issue. Macro viruses are a negligible threat compared to the dumbest common and most prevalent boot infectors. They are easy to remove, just with Word itself and using your common sense. To this date only the Concept macro became common. The reason Concept passes unnoticed is because it actually does nothing, except saving a copy of itself to Word documents.

You may have read in the papers or heard horror stories about potentially "destructive" macro viruses. Be at rest, none of them actually made it in the wild and stands no chance to make it in the future. By its very nature, a conspicuously disruptive or destructive program will not propagate effectively as it gives itself away, or just commits suicide before going anywhere.

An occasional check by just opening the Word 'Tools / Macro' menu will show you if the Concept macro succeeded installing itself to the NORMAL.DOT template. Concept consists of five macros, with the following names: AAAZAO, AAAZFS, AutoOpen, FileSaveAs and PayLoad. The latter doesn't contain a real payload; if you open it with the Word macro editor, then you'll see an empty threat saying "That's enough to prove my point". Delete the five macros with the above names and save the document in its clean state.

The NORMAL template is cleaned by either saving the 'NORMAL' style (open the File / Templates menu and tick the "automatically update style" box), or by loading NORMAL.DOT as a Word document, deleting the macros and then closing it after having saved the template clean. The template should be cleaned last, after all affected documents were cleaned.

To remove the Concept macro, first screen your files with IVX to find which ones are affected. Next, clean the affected documents with Word as explained above. And last, don't forget to clean the 'normal' template.
The IVX correlator will search and find all Word files that are affected by Concept. Start IVX and select Concept macro from the menu. IVX will prompt whether to scan all files or just those having a DOC or DOT extension name (the default). The default selection is faster and is recommended where you need to process many files. Use the default only on condition that documents are created with Word default extension names, i.e. DOC. Otherwise, scan all files.

It could be worth installing the Microsoft ScanProt protection to the global macro template. With ScanProt installed, Word will warn if the document you are about to open contains an autoexecuting macro and prompt whether to let the macro execute. ScanProt is available from Microsoft's Web site, SimTel, the CIAC Web site, CIS and InVircible's forum on Compuserve. To install ScanProt, open the SCANPROT.DOT template as you would open a Word document. The installation runs automatically.

> Concept doesn't have much of a payload, but there are Macro
> viruses that damage or delete data, and there will be lots more
> Macro viruses. Any anti-virus that ignores them is not serving
> its customers.

Our opinions differ largely here, as your doom prophecies are not likely to materialize. It's their like that isn't serving computer users and the community at large.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel   Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Mon, 06 May 1996 10:42:51 -0600
From: "College Frosh Dude (James Eric Brewster)"
Subject: Re: Possible Virus? DeskJet 500C prints happy faces (PC)
X-Digest: Volume 9 : Issue 65

On 4 May 1996, DarStec wrote:

> In article <0053.01I3BNBEFQEYSH3CBI@csc.canterbury.ac.nz>, Cary Chien
> writes:
>
> >I've got a 486 computer with a HP Deskjet 500C, and it's been giving me
> >problems lately. When I try to print anything, the printer takes up a
> >sheet of paper, prints out one line of tiny happy faces, then form feeds
> >to another page and does the same thing again. Could there be something
> >wrong with the printer? I thought it would be unlikely (because of the
> >nice string of happy faces). I've tried a shareware virus program (
> >F-Prot, dated March 96). Has anyone heard of a virus like this? Your
> >reply would be much appreciated.
>
> You did not state what kind of operating system you are running, or if you
> changed/added any software. My first guess would be that your printer
> driver is either corrupted or has been replaced by another driver.
> Assuming that you are running some version of DOS and most likely a
> version of Windows, did you try to print something in DOS.
>
> If DOS prints ok and Windows doesn't then look toward re-installing your
> printer driver software.

You might try exiting Windows and then re-entering Windows and seeing if that works. If not, the best move may be to re-install the software. I have some "free" communications software that I got from my university, and it seems to like corrupting the print software, namely the hpvwin.dll file. So, I keep the installation disks handy just in case my NMSU-net software decides to screw up something.

Eric

------------------------------

Date: Mon, 06 May 1996 19:23 +0000
From: Graham Cluley
Subject: Re: Jumper (was Re: NYB Virus) (PC)
X-Digest: Volume 9 : Issue 65
In-Reply-To: <01I4CWUWWHQGSKVUM0@csc.canterbury.ac.nz>

Rod Murad writes:

> Has anyone dealt with the Jumper B virus before? I had both the
> NYB and Jumper B on my pc.
> I've removed them but can't find any
> info on what the Jumper B does and how it's transmitted.

Here's some information on Jumper from Dr Solomon's:

Jumper

Aliases: Sillybop, French Boot, Neuville, 2KB

Description:
Sillybop infects the boot sector of floppy disks and the partition sector of hard disks. If the PC is booted from an infected floppy disk, the virus goes memory resident and infects the partition sector of the hard disk. The virus infects any floppy disk which is accessed. The virus copies the original partition sector to Cylinder 0, Head 0, Sector 14. On floppy disks, the original boot sector is copied to one of the root directory sectors.

Regards
Graham

- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 06 May 1996 15:08:40 -0400
From: support@vse.ac-copy.com
Subject: Re: Partition virus which slows/kills floppy drive? (PC)
X-Digest: Volume 9 : Issue 65

On: Thu, 02 May 1996 15:04:40 +0000 (GMT) Steve Roberts wrote:
Subject: Partition virus which slows/kills floppy drive? (PC)

[Snip happens]

>Any suggestions gratefully received!

You did try to clean the floppy drive, did you? If this is an older machine you should check whether in Setup the DMA clock is correct (i.e. BCLK/2 or 4 MHz). Overclocking this gives exactly the symptoms you describe.

Ciao, Guido

- -----------------------------
- voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
fon (++49) (0)241 404 888 | fax (++49) (0)241 404 876

------------------------------

Date: Mon, 06 May 1996 19:41:46 +0000 (GMT)
From: "E. Beck"
Subject: Re: NAV and F-PROT problems with NYB (PC)
X-Digest: Volume 9 : Issue 65

In article <0009.01I4CWUWWHQGSKVUM0@csc.canterbury.ac.nz>, CICSTAFF CICSTAFF says:

> the boot sector is infected
>with the NYB virus, when it goes in to disinfect, it goes into a

F-Prot did a good job of disinfecting NYB when I was infected. You might also try the McAfee shareware; it was also able to remove it from my system.

Good luck

------------------------------

Date: Mon, 06 May 1996 20:23:32 +0000 (GMT)
From: Iolo Davidson
Subject: Help, files increased by 98 bytes (PC)
X-Digest: Volume 9 : Issue 65

In article <0031.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
           netz@actcom.co.il "Zvi Netiv" writes:

> IVB checks BIN files by default and you need to exclude those you
> don't want to be checked. PGP users need to exclude RANDSEED.BIN
> for the same reason. It's explained in the IV documentation.

There have recently been several calls for help about this in alt.security.pgp, in relation to another AV program which gives users "you tell me" alarms like this. Users are not usually equipped with the expertise to decide whether particular file alterations or other "virus like activity" reports are in fact due to a virus or not, and AV programs that force this decision on them are conceptually flawed.

- -
SOAPS TURN JOLLY GENTS
THAT IRRITATE TO JITTERBUGS
THEIR MUGS
                Burma-Shave

------------------------------

Date: Mon, 06 May 1996 20:17:00 +0000 (GMT)
From: Iolo Davidson
Subject: Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
X-Digest: Volume 9 : Issue 65

In article <0025.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
           maxwells@kiva.net "Chris Clayton" writes:

> Is it possible for a computer with the NYB, Form, or Stoned virus
> to have its hard drive physically damaged.

A hard disk can give up the ghost at any time. Having a virus won't prevent it. If you are asking if a virus can *cause* physical damage, then no, there is no virus that can do that.
> I had a computer that had one, if not
> all, of the above viruses and it had a damaged hard drive.

Don't think it did, from your description.

> Norton Disk Doctor couldn't even get beyond "directory
> structure" (after removing viruses) without locking up with
> an error -- "Could not access drive C:".

This just means the disk was missing certain information needed by DOS.
Probably a corrupted partition table. Not damaged at all, and an expert
could probably even recover the data, provided you haven't made things
worse by playing with Disk Doctor.

- -
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS
Burma-Shave

------------------------------

Date: Mon, 06 May 1996 18:57:04 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 65

In article <0034.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
bpb@umich.edu "Bruce P. Burrell" writes:

> > And when/if it does get turned off, that is in itself an
> > indication that you are no longer in the hands of a "user". This
> > only happens in practice when being run by at least an
> > experimentalist. You never get a complaint from a user about
> > this. It won't happen to him.
>
> I'm certainly willing to defer about whether this is the case right
> now, but it doesn't strike me as an altogether unlikely possibility for
> the future. A BSI or two, a file infector, and a bunch of different Word
> Macro viruses. I'll leave [snip]'s cherished Cornucopia out of the argument.

If the real world ever gets so dirty that ordinary users harbour more
than ten viruses at a time, then the number required to drop the
precise identification can easily be bumped up to twenty or whatever.

> > Experimenters and performance testers are a different deal, and
> > in their case, the designers have apparently taken the view that
> > precise identification is secondary to the scanning speed
> > issue.
> > There is a switch for the clued up ones to force precise
> > identification if they want it. The clueless ones are just the
> > people who will make the mistake of doing their speed tests on a
> > virus collection, so I think the designers made the right
> > decision.
>
> Is it your position that you should make a product look as bad as
> possible to the clueless reviewer? That's not a loaded question; I can
> see that perhaps it might help to discredit future work by that
> individual. Nonetheless, I would think it a better strategy both to be,
> and to appear to be, better than the competition, regardless of the
> competence of the reviewing party.

Missed the point. The trade off is precise identification against
speed. Clueless reviewers may or may not notice the precision (probably
not, since other products being compared won't have it, and the
reported virus names won't match between many products anyway), but the
difference in speed if precise identification is left on will be
noticed. It's a judgement call, and the designers have made the right
choice in my view.

> > You can never get the wording "right" for everyone. The wording
> > is however correct. If people look in the manual, the issues are
> > explained. You could have the program print whole pages from
> > the manual for every virus reported and it still wouldn't be
> > "right" because people wouldn't read it or would be confused by
> > it. They don't even read the four word reports that *are*
> > printed.
>
> Apparently someone somewhere read the report; that's why the complaint
> was lodged in the first place.

Not by a user, but by someone scanning a collection. This feature does
not affect users at all.

> > You don't think that any software company lets programmers decide
> > this stuff do you?
>
> For companies that value excellence? Sure do, though perhaps not ones
> on the scale of S&S.
> Still, I bet the prestige of some of the programmers
> there might be able to get such a change designated Priority One (not that
> this particular issue deserves it). [Hmm. Maybe not 'decide', but
> certainly 'influence'.]

I have actually worked in the company concerned, and can assure you
that it is not as straightforward as you believe. Even Dr. Solomon
couldn't always get what he wanted done. What happens in a big company
is that you get fifteen people with the power to say "stop" and no one
with the power to say "go with it".

> > What happens about the printed manuals?
>
> Easy; a README.1ST file could take care of the manual until its next
> reprint. This is not exactly an industry innovation.

Another thing that people don't read. I've been through this manual
writing stuff, you know. I think my name is still in the cast list of
the current Toolkit manual, though I haven't worked on it for years. At
one time, the manual was loose-leaf, with extra pages sent out with the
updates. That doesn't work very well either, unless you actually
replace existing pages with new ones (and that only works if customers
actually do the page changes). Addenda don't get read. Yes, it is
*easy* to add a readme file, but it isn't effective.

> > What happens about the scripts that people run to analyse logs? The
> > tiniest change in any of the report wording brings existing customers,
> > especially the corporate support personnel, down on you like an air
> > strike.
>
> You can't have it both ways. Since this never happens to "real users",
> no user will have a script that needs to be changed. Or it *does* happen,
> on a corporate server, perhaps, in which case your claim that the message
> never occurs to "real users" is invalid. Which one will you have us
> believe?

Explain that to the people who make such decisions. I hold that real
users won't come across this feature. The decision makers would answer
that it doesn't need changing then.
There are other undocumented features used in house for testing and
other purposes, you know. There is a really convenient feature in
VirusGuard which can be used when testing which S&S tell NO ONE about,
even when asked for it specifically.

> > Report wording is one of the *hardest* things to get changed.
>
> All the more reason to get it right the first time. But when it
> isn't, fix it as soon as possible, assuming you believe that it merits
> improvement.

Two things there. I say it doesn't need changing, and it seems S&S
don't think it needs it either. But that is beside the other point you
were making about how any programmer could insert the wording of *your*
choice in seconds. That isn't so, for the simple reason that
programmers are not allowed to make that kind of design decision. They
are allowed to file "change request" forms.

> It's details like this that make the good documentation
> very good, and the very good, excellent. Shouldn't the
> quality of the documentation match that of the software?

Features affecting only testers and experimenters need not be
documented at all. Look at the fuss the discovery of this very
unimportant feature has raised in here. Another one we see a lot is the
"boot sector viruses in image files" thing, when someone claims that
Dr. Solomon's cannot detect common boot sector viruses because they are
testing a collection of image files. Why would that issue, or the
/!doboots switch, be documented in the distribution manual? It isn't a
secret, and S&S do give the info out to testers, but putting it in the
user distribution would just cause trouble.

> In either case, it's a loss for S&S.

Not in the judgement of S&S, apparently.
- -
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS
Burma-Shave

------------------------------

Date: Mon, 06 May 1996 19:58:49 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Master Boot infections on Compaq / IBM systems (PC)
X-Digest: Volume 9 : Issue 65

In article <0018.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
mitchgas@iaccess.za "mitch dove" writes:

> Consider this then ! What do you do in the case of EXEBUG, this
> infection will alter the CMOS information to a point that the system
> is no longer aware that it has an A: drive. Now how do I re-Boot the
> system clean as I cannot run the Diagnostic program contained on the
> diskette to repair the altered CMOS Data.

Peter Morley described how you clean such a system (PS/2 55SX) in the
July 1993 "Virus News International". Disconnect the hard drive cable,
boot the system from "the reference disk" floppy, and allow automatic
configuration to take place. Then reconnect the hard disk and boot
again from the reference disk.

With other computers with their CMOS setup on a disk, you could
disconnect the CMOS battery and wait for the erroneous information
planted by EXEBUG to dissipate, but in the model above the battery is
integral to the CMOS chip.

Most computers have the CMOS setup in the BIOS at startup, so you can
just tell the computer it *does* have an A: drive before it gets to the
disk reading part of the boot up sequence.

- -
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS
Burma-Shave

------------------------------

Date: Tue, 07 May 1996 10:52:30 +0000 (GMT)
From: dkstewart
Subject: Re: TBAV: Possibly infected by an unknown virus (PC)
X-Digest: Volume 9 : Issue 65

In article <0015.01I4CWUWWHQGSKVUM0@csc.canterbury.ac.nz>,
a228poon@cdf.toronto.edu says...

>In my recent use of TBScan 7.01, when scanning a file named com2exe.exe
>(found in compack 4.5 package), it says it's possibly infected by an
>unknown virus, regardless of heuristics settings.
>However after unpacked
>it with UNP it didn't happen anymore.
>
>It seems that TBAV need some work on unpacking crypted/compressed
>executables (especially crypted ones, which generates a lot of false
>positives).
>
>BTW the com2exe.exe is compressed by, as expected, compack 4.5
>compressor.

The false positive was because of the heuristic abilities of TBAV. TBAV
made an error on the safe side, flagging the file as a possible
virus..... Would you rather TBAV made the error on the other side and
missed a possible virus? ;-)

ThunderBYTE is working to make ThunderBYTE as accurate as possible to
detect known and unknown viruses and will on occasion flag a file as a
possible virus. Did this error cause you any great problems or damage?

Duncan
dkstewart@csra.net

------------------------------

Date: Mon, 06 May 1996 21:47:02 +0000 (GMT)
From: John Elsbury
Subject: Re: Concept Virus and sick laptop? (PC)
X-Digest: Volume 9 : Issue 65

Iolo Davidson wrote:

>In article <0033.01I4BWNT3JS4SKVUM0@csc.canterbury.ac.nz>
> netz@actcom.co.il "Zvi Netiv" writes:
>> The Concept macro isn't worth all the hassle and nonsense connected with
>> its detection and cleaning. All that you need to detect and remove
>> Concept, if it bothers you at all, is Word itself and a few keystrokes.
>>
>
>Do I understand from the above that Invircible can't detect or
>remove Word Macro viruses, and your users are therefore required
>to go through "all the hassle and nonsense" required to learn how
>do it by hand?
>
>Concept doesn't have much of a payload,

My understanding is that Invircible is primarily a checksumming program
designed to detect virus activity, and is not updated at the frequency
typically required to detect new virus signatures. I am pretty sure that
Invircible _could_ be used to check for changed documents, but as a
typical user might change many documents in a day, you would probably
have more false alarms than real macro viruses. Zvi may wish to confirm
this.
John Elsbury

------------------------------

Date: Mon, 06 May 1996 23:05:27 +0000 (GMT)
From: Ken Stieers
Subject: Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
X-Digest: Volume 9 : Issue 65

Chris,

NONE of these viruses damage the hard drive physically; in fact I'm
fairly confident in saying that NO KNOWN virus damages CURRENT hardware
within the last 2 years or so. (This also means the old wheeze about
blowing up old monitors with new video cards set to high refresh rates.
Old monitors aren't current.)

Chances are that NDD trashed the MBR and/or boot sector, since the only
thing it had to go on that wasn't virus affected would be CMOS. NDD
checks the CMOS, partition table and boot sector of the first partition
and they all have to match, though each holds slightly different info.
None of yours matched so NDD choked on it.

Get someone who knows how to deal with low level DOS structures to
rebuild the MBR and BPB (boot sector) and you'll be fine. Heck,
Norton's over the phone data recovery might be able to do it for you
(about $100/hr, I think).

Ken

- -
Views expressed herein are not necessarily the views of Ontrack
Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers              | Minneapolis - 1.800.872.2599        *
* AV Research/Apps. Eng.   | Los Angeles - 1.800.752.7557        *
* Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410   *
* Ontrack Data Recovery    | London - 0800 24 39 96              *
* Eden Prairie, MN         | Japan - 81.429.32-6365              *
*******************************************************************

------------------------------

Date: Mon, 06 May 1996 23:27:17 +0000 (GMT)
From: 'Mike' M Ramey
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 65

Iolo Davidson:

As you can see from the message below, I tried to send my comments on
this topic to you and others directly, via email.
But neither of the email addresses that I found for you (in the
alt.comp.virus and comp.virus newsgroups) seems to work. In fact the
messages I get back from mist.demon.co.uk are rather rude. I don't know
whether there is an error of some sort, or whether you are deliberately
blocking email from me or from everyone who uses these two addresses.
It seems not very friendly to post to these newsgroups, and make
yourself unavailable for email. Since you are apparently not reachable
via email, I will post my comments to the newsgroups.

--Mike Ramey

Whilst talking to mist.demon.co.uk:
MAIL FROM:
503 Local policy blocks mail from
RCPT TO:

Whilst talking to mist.demon.co.uk:
MAIL FROM:
503 Local policy blocks mail from
RCPT TO:

- ----- Original Message Follows ------

Date: Sun, 5 May 1996 12:16:45 -0700 (PDT)
From: 'Mike' M Ramey
To: S&S Graham Cluley {Dr Solomon}
Cc: Bruce Burrell , Iolo Davidson , "S. Widlake"
Subject: FindVirus messages: TELL THE [WHOLE] TRUTH (DAMMIT)!

Graham --

Please do *not* follow the suggestions made below that "the [normal,
real, legitimate, illiterate, ...] user does not *need* to know what's
*really* going on; only the [anti-virus reviewers, virus writers,
hackers, clueless testers, ...] will ever see this message anyway (and
we certainly don't want *them* to know what the program does)!"

I find this line of reasoning presumptuous and offensive; the writers
assume they "know what is best for the user" and the truth is not part
of it. If one user encounters this shift from 'thorough' to 'quick'
mode, and if they are not told what is going on, and why, and how to
prevent it, and what the implications are, ... then they have a right
to cry "FOUL!". And it makes the authors of the product (S&S) look
devious -- certainly less than totally honest and forthcoming. This is
*NOT* the reputation you want for S&S.
In dealing with viruses, there is already enough 'stealthy' behaviour
going on; I do not want 'stealthy' behaviour from the maker of my
anti-virus product. As you know, I have already discovered enough
'anomalies' in the FindVirus message output to drive a saint to mayhem;
you cannot predict what situations a [legitimate!] user will encounter.

TELL THE [WHOLE] TRUTH; don't let the user catch you in a lie -- even a
lie of omission !!!

Any questions?

--Mike Ramey

- -
-Mike Ramey 685-0940 FAX:685-3836 Wilcox-171 Box:35-2700 UofW 98195

------------------------------

Date: Tue, 07 May 1996 00:49:41 +0000 (GMT)
From: Shane Coursen
Subject: Re: NAV and F-PROT problems with NYB (PC)
X-Digest: Volume 9 : Issue 65

In article <0009.01I4CWUWWHQGSKVUM0@csc.canterbury.ac.nz>,
cicaid1@newschool.edu says...

>I have been getting my ass kicked by a group of viruses, here at my
>center. I have the latest Norton, but it doesn't pick up anything. When
>I use F-prot of a floppy, it tells me that the boot sector is infected
>with the NYB virus,

NYB is a common virus. Both products should detect/repair NYB without a
problem.

>when it goes in to disinfect, it goes into a loop....and finally
>just says "Virus can not be removed-Original MBR was not found".
>
>When I run Fdisk /MBR, and re-run F-prot the same thing happens.

Possibilities that I can think of off hand...

1) FDISK /MBR is being run while the virus is in memory. (You rewrite
the MBR w/this command, but since the virus is active in memory, your
attempts are for naught.) Try booting from a known clean disk first.

2) Same reason for NAV and F-Prot's failure to repair...still in memory.
Again, boot from a known clean disk.

3) Original MBR information (in the location that NYB saved it) has
been overwritten. This could cause AV programs to refuse to repair.

4) Double infection: I believe NYB has an "Am I here" check, so this is
an unlikely reason for the problem.
>F-prot also fails to disinfect the concept virus in Word 6, it
>reports it, but it doesn't give u any options to clean or
>disinfect. Any suggestions.

Which version of F-Prot? As long as we're at it, which version of NAV
are you using?

- -
Shane Coursen                     scoursen@symantec.com
http://www.symantec.com/avcenter
Associate Software Engineer       Symantec AntiVirus Research Center

------------------------------

Date: Tue, 07 May 1996 03:52:08 +0000 (GMT)
From: Patty-anne Lea
Subject: Re: Anti-CMOS A (PC)
X-Digest: Volume 9 : Issue 65

In article <0030.01I4BWNT3JS4SKVUM0@csc.canterbury.ac.nz>, KVacek wrote:

>Last night we discovered that a friend's WIN-95 Pentium had a virus,
>identified by WIN 95's "Performance" section of Control Panel:System,
>which said the boot sector had been modified. I installed an older
>version of NAV (all we had available last night), which identified it as
>Anti-CMOS A virus, and claimed to remove it. Later checking confirmed
>that the virus was still there [snip]

We went through a similar episode with a friend's machine. We found that
it resided in the BIOS, so we made a copy of the CMOS settings, pulled
the battery, then assembled the thing. And found it still there.
Apparently there is a capacitor that will remain hot for about three
hours. So the battery should be out for a time, ie overnight.

There is some interesting info on http://www.symantic.com about lots of
viruses and ways to remove them.

Good luck
patty-anne

[Moderator's note: None of the AntiCMOS family, -nor- any other viruses,
"reside" in a PC's CMOS or BIOS. I'll leave it to others who know this
particular virus better to dispel the rest of the myths here. BTW, the
correct URL is http://www.symantec.com.]

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 65]
*****************************************
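The cross-check Ken Stieers describes in his reply above (partition table against the first partition's boot sector, with a mismatch being what makes a disk tool choke) can be run offline over a raw disk image; the following is an added example in Python, not code from the digest or from any Norton product. It models only the partition-table/BPB leg of the comparison (CMOS geometry is not present in an image), assumes 512-byte sectors and a FAT-style BPB, and constructs its own test image inline.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE  # the four 16-byte partition entries live here in the MBR


def parse_partition_table(mbr):
    """Return the four MBR partition entries as dicts (type 0 = unused)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR lacks the 55AA boot signature")
    entries = []
    for i in range(4):
        e = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        lba_start, size = struct.unpack_from("<II", e, 8)
        entries.append({"active": e[0] == 0x80, "type": e[4],
                        "lba_start": lba_start, "sectors": size})
    return entries


def parse_bpb(boot):
    """Pull the FAT BPB fields that must agree with the partition table."""
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xaa":
        raise ValueError("boot sector lacks the 55AA signature")
    bytes_per_sector = struct.unpack_from("<H", boot, 11)[0]
    total16 = struct.unpack_from("<H", boot, 19)[0]  # used when < 65536
    hidden = struct.unpack_from("<I", boot, 28)[0]   # sectors before volume
    total32 = struct.unpack_from("<I", boot, 32)[0]  # used when total16 == 0
    return {"bytes_per_sector": bytes_per_sector, "hidden": hidden,
            "total_sectors": total16 or total32}


def check_consistency(image):
    """Cross-check the first used MBR entry against its boot sector's BPB.
    Returns a list of problems (empty = consistent); CMOS is not modelled."""
    try:
        parts = parse_partition_table(image[:SECTOR])
    except ValueError as err:
        return [str(err)]
    first = next((p for p in parts if p["type"] != 0), None)
    if first is None:
        return ["partition table has no entries"]
    start = first["lba_start"] * SECTOR
    try:
        bpb = parse_bpb(image[start:start + SECTOR])
    except ValueError as err:
        return [str(err)]
    problems = []
    if bpb["bytes_per_sector"] != SECTOR:
        problems.append("BPB bytes/sector %d != 512" % bpb["bytes_per_sector"])
    if bpb["hidden"] != first["lba_start"]:
        problems.append("BPB hidden sectors %d != partition start LBA %d"
                        % (bpb["hidden"], first["lba_start"]))
    if bpb["total_sectors"] != first["sectors"]:
        problems.append("BPB total sectors %d != partition size %d"
                        % (bpb["total_sectors"], first["sectors"]))
    return problems


def build_image(lba_start=63, size=4096, hidden=None, total=None, mbr_sig=True):
    """Constructed test image (not real data): one FAT16 entry and its boot sector."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, PT_OFFSET, 0x80, 0x06, lba_start, size)
    mbr[510:512] = b"\x55\xaa" if mbr_sig else b"\x00\x00"
    boot = bytearray(SECTOR)
    struct.pack_into("<H", boot, 11, SECTOR)
    struct.pack_into("<H", boot, 19, size if total is None else total)
    struct.pack_into("<I", boot, 28, lba_start if hidden is None else hidden)
    boot[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * (lba_start - 1)) + bytes(boot)
```

Pass `hidden=` or `total=` to `build_image` to plant the kind of mismatch a trashed boot sector produces, or `mbr_sig=False` for a partition sector that has lost its signature.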