VIRUS-L Digest   Thursday, 9 May 1996   Volume 9 : Issue 66

Today's Topics:

Re: Concept virus observation
Re: Internet Anti-virus Software Comparison Report??
Re: EliaShin (sp?) antivirus software
Re: McAfee No Longer NCSA Certified? - THEY SHOULDN'T BE!
Re: help- possible virus that causes auto reboot
Virus Master Listing
Computer Virus History
Re: Flash Bios Virus anyone?
Re: Is virus writing illegal?
Re: Flash Bios Virus anyone?
If you really are AV.
Re: Flash Bios Virus anyone?
Viruses in May and June.
Re: Flash Bios Virus anyone?
Re: If you really are AV.
B1 on novell 2.2 server (NW)
NLM - Anti-Virus (NW)
Gneb virus? (PC)
Thunderbyte and zip or compressed files (PC)
Virus in BIOS (PC)
Re: Concept Virus and sick laptop? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Remover for Manzon virus (PC)
Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
Re: Anti-CMOS A (PC)
TBAV: Possibly infected by an unknown virus (PC)
Need MBR reader (PC)
Re: Partition virus which slows/kills floppy drive? (PC)
InVircible (PC)
Re: Master Boot infections on Compaq / IBM systems (PC)
Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 07 May 1996 13:45:06 +0000
From: Szappanos Gabor
Subject: Re: Concept virus observation
X-Digest: Volume 9 : Issue 66

On Thu, 02 May 1996 "R. Zalk" wrote:

Subject: Concept Virus Observation.

>Several of my clients got the 'concept' virus. This was discovered and
>removed by the latest version of McAfee [great program]. There still
>was system crashing, as there was before the virus was revealed. Then
>I used VDOC, a free AV prog. by Eliashim. This showed that the virus
>still existed and proceeded to remove it [no, I don't own stock in McAfee
>or Eliashim]. Now the system crashing level has returned to normal.
>
>#1. Does VDOC work better?
>#2. Did VDOC just remove remnants of the 'concept' virus that McAfee
>left behind?

Yes. You were probably using version 2.3.0 of the McAfee product. This version does not remove the macro bodies themselves, just deletes the information about the presence of the macros. The virus is physically present in the document, but inoperative. VDOC probably uses a scan string from the macro body, that's why it detects a virus. You should rather use McAfee version 2.2.11 which is better at macro virus removal (clears the macro body area) and won't cause false alarms.

>#3. Is there a different strain of this virus here that VDOC is prepared
>to handle and McAfee not? [This is my opinion]

Not likely. SCAN recognizes more macro viruses than VDOC.

Szapi

------------------------------

Date: Tue, 07 May 1996 14:44:37 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Internet Anti-virus Software Comparison Report??
X-Digest: Volume 9 : Issue 66

ConnieTX (maestra@sprynet.com) wrote:
> Andre Xavier wrote:
>
> > I'm trying to set up an Internet and Intranet for my company and we are in
> > the stage of searching a right Internet Anti-Virus solution for our
> > network (You don't what will happen next to your network right!!?).
> >
> > Please... Anyone came across any comparison/report on internet Anti-virus
> > software or solution. I'll be very grateful if you can let me know!!
>
> When you check out the programs at http://www.tucows.com there is a
> rating for the programs they have. Good luck

Of course, one should realize that those ratings are merely the opinions of the site maintainer who, as far as I know, is not an antivirus expert. Considering that the recommendation for one product has the text "Description: By far the best Anti-Virus anti protection system on the 'net! This version stops the dreaded BOZA Virus", I think we can be pretty sure he *isn't* an AV expert.

-BPB

------------------------------

Date: Tue, 07 May 1996 12:15:03 -0400
From: a000
Subject: Re: EliaShin (sp?) antivirus software
X-Digest: Volume 9 : Issue 66

JT Barbera (us001911@interramp.com) wrote:
: Actually it is EliaShim (US offices in Florida) or
: on the net. Certified long before FProt - rather
: Command Systems was born from - I believe - old
: XTree personnel.

This statement is inaccurate. Sorry, I responded to this privately, and meant to do it publicly.

I think we should clarify this 'certified before F-PROT', as the EliaShim product is not shown on the NCSA Web Site to have certified "long before F-PROT" was born. [You can check the dates of when each product certified. If you check the F-PROT Professional dates, you will see what I mean]. If it [Eliashim] has certified since the new (i.e. good) criteria were introduced, then this should be noted on the web page. It is not.
However, before, after, or at the same time is not the issue unless you are concerned with threat tracking and threat assessment. In that case, the initial dates of certification would seem to be of somewhat more importance.

[Also, I don't think Command Software was born from old XTree personnel.]

Re: Certification

The NCSA criteria for DOS product certification, which is presented for public scrutiny on their web site, is very stringent now. It is not the NCSA Certification of the past. Thank Goodness.

Some people may be familiar with a paper/presentation Dr. Richard Ford (yes, he is now my husband) and I did on product certification. We did this paper at an NCSA Conference. We sort of tore apart magazine reviews, NCSA and V-SUM reviews, specialist publication reviews, academic reviews and testing in general, with the hope of facilitating some discussion on how to build good tests and reviews. Some good actually came from this, and combined with input from vendors, and the ITSEC model, Richard went to work building the DOS certification scheme at NCSA. A number of vendors dedicated tech reps to help with the process and we ended up with a good strong *starting point* for product certification. It surprised some people that the vendors as a whole would support this new scheme, as it was very difficult to pass. However, this only proved that the vendors -want- meaningful criteria and certification.

This is the certification that is on the web site of NCSA, and it is the certification which I suggested the person considering products should be familiar with. The new criteria require detection of 100 percent of a certain subset of viruses, that subset being the viruses noted on Joe Wells' In the Wild virus list, with a backdate of 2 months. Additionally, there is a 90 percent zoo detection requirement. I feel personally this is a concession to ill-informed users, but as of yet this is still part of the criteria. The viruses are now replicated, [i.e.
the wild viruses], and no vendor has a copy of the viruses tested against. The old tests used non-viruses, text files, and no documented criteria or methodology. This is not the case with the new criteria as you can see. Many of the products which once were capable of certifying under the old scheme cannot meet the criteria for the new scheme. The old certifications lapsed some time back, and only products which meet the new, stringent, documented criteria are listed now.

The url is http://www.ncsa.com/avpdcert.html

Sarah Gordon
Command Software Systems

- - i work for Command Software Systems. we are the F-PROT Professional people. these are my own thoughts. they are not representative of my Employer, my University, my Government or my Husband. Maybe they should be. But they aren't! if they are, i'll mention it clearly. else assume i speak for myself!!!!!!!!!!

------------------------------

Date: Tue, 07 May 1996 08:04:11 +0100
From: "B.MacDonald"
Subject: Re: McAfee No Longer NCSA Certified? - THEY SHOULDN'T BE!
X-Digest: Volume 9 : Issue 66

In article <0004.01I4B9A4IGEASKVUM0@csc.canterbury.ac.nz>, Harry writes
>BASED ON MCAFEE'S lack of response to email pleas for clarification
>and technical help - I'd say any information or disinformation for
>that matter, which helps your competition and takes from McAfee Sales
>IS WELL DESERVED.
>
>I sent Email (4/16/96) asking a very simple question both via
>compuserve and email AND fax and STILL HAVE NOT gotten any response
>other than a BOT reply which sent me EXACT TEXT from the readme file
>(I already read!) AND DIDN'T EVEN ADDRESS MY TOPIC!!

I'm using Dr Solomon's AVTK and have had several occasions to call their folks at Aylesbury. They have been very prompt (straight through - no waiting in a hold queue), friendly and competent. In fact, of all the technical assistance lines I've ever called, I'd rate Dr S at the top (at least here in the UK). I'm very pleased with their product as well.
They're not cheap ...but you get what you pay for.

You may wish to address your question to the comp.virus group. It's a moderated group which tends to deal with virus biology, but user problems have been discussed and solved in that forum. The top people in the world in anti-virus participate, including members of the CERT and Dr Alan Solomon himself (on occasion). Don't be surprised if you don't get news every day. As a moderated group, it depends on how busy the moderator is (and he's very busy at the moment, but still finds time to post traffic).

- - B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Tue, 07 May 1996 15:27:17 -0400
From: Andrea Brenton
Subject: Re: help- possible virus that causes auto reboot
X-Digest: Volume 9 : Issue 66

: In article <0009.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>, "Chengi J. Kuo"
: >ebbtide@cris.com writes:
: >
: >>I am having a problem that I think might be a virus. Without even
: >>touching my computer, not even running a program, the computer re-boots
: >>itself. Sometimes I can be in the middle of running a program and it
: >>happens. There doesn't seem to be any rhyme or reason, it just reboots.
: >>
: >>Has anyone had the problem? Are there any ways to correct it?

I had a system problem that caused the PC to reboot itself. It turned out to be the cache was bad. Try going into the CMOS and disabling the cache.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"There are two major products to come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence."
Andrea Brenton
abrenton@hurwitz.com

------------------------------

Date: 7 May 96 15:48:45
From: Glenn Roberts
Subject: Virus Master Listing
X-Digest: Volume 9 : Issue 66

Hello, I am calling from Nynex in Mass. Do you have any idea where I can get a list of all viruses that are out there (with) short descriptions or what type of virus it is.
All the ones I have seen you have to click on "a" then to that specific virus, and then finally to the "description", this would take anyone a week to get all of them. E-mail me back if you know, I could really use the help.

Thanks,
Glen E. Roberts
E-MAIL ADDRESS ====> GROBERTS@BIGYELLOW.COM

------------------------------

Date: Tue, 07 May 1996 21:42:05 -0700
From: Nicholas Diemont
Subject: Computer Virus History
X-Digest: Volume 9 : Issue 66

Can any one help me ? I'm looking for information on comp. virus history.

Thanx

[Moderator's note: Some of the historical aspects are well-covered in some of the reference material listed in the FAQ: ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt]

------------------------------

Date: Tue, 07 May 1996 20:33:02 -0400
From: JMCarlini
Subject: Re: Flash Bios Virus anyone?
X-Digest: Volume 9 : Issue 66

In article <0001.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>, Fridrik Skulason writes:
>There is an interesting twist on this subject. On most well-designed
>motherboards you can change a DIP switch to write-protect the FLASH
>memory.....which gives you 100% protection from those viruses.
>
>Unfortunately that means that the machine becomes non-"Plug-and-Play"
>compatible, so therefore all motherboard manufacturers ship their boards
>with FLASH write enabled...making the machines easy targets.

Not completely true. My FLASH bios is write-protected, and "Plug-and-Play" still works just fine for me. And mine came write-protected, tho I have an older machine (3 years) so that may have something to do with it. I have a PHOENIX bios, if that makes any difference.

- jmc
(_) (_)
God Forbid that I should go to any heaven in which there are no horses.
- R. B. Cunninghame Graham

------------------------------

Date: Tue, 07 May 1996 19:21:33 -0400
From: James Coulter
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 66

Joseph M. Spreng wrote:
>
> If it's not it should be!

Thanks for coming out Joseph!
> It's one thing to catch a dose from somewhere it's another to write the
> code and deliberately distribute it with foreknowledge of what it is and
> what it may do.
>
> Proof is another matter.
>
> The best prevention is to load the Boot Sector Virus protection in the
> CMOS of your system and load a good memory resident Anti-Virus program,
> such as F-Prot's VirStop.exe.

I merely think, being an amateur virus author, that SANE authors write viruses for the sheer experience of writing a complex program, which some refer to as ARTIFICIAL LIFEFORMS. The feeling of accomplishment that you get from writing such complex things is common to every author out there. The fact is though, some authors are missing a few marbles and include destructive code. Viruses like this should have the author prosecuted even if he hasn't distributed it. What's the harm in a simple replicator? Absolutely nothing! Appending viruses do not corrupt your files.

My point is, virus writing is a form of programming. It should not be illegal even if a NON-DESTRUCTIVE virus is released. Those authors of DESTRUCTIVE viruses, however, should be prosecuted as they have done harm to your private property.

James

PS: To date, not a single one of my viruses has had destructive code or even been released into the "wild". I think of them as trophies of accomplishment.

------------------------------

Date: Tue, 07 May 1996 19:31:21 -0400
From: James Coulter
Subject: Re: Flash Bios Virus anyone?
X-Digest: Volume 9 : Issue 66

NIS Service Dept. wrote:
> Micron Computers is spreading a rumor that there is a beast known as a
> Flash Bios Virus that is hosing up computers the world around. I know
> nothing more than this - I was hoping someone else had a little more
> info...

I know one thing, it is not a hoax. I have come across methods of loading viruses into the flash bios. I know that they are relatively new techniques and could cause a lot of damage to your bios.
The fact is, viral methods and techniques are accessible by virtually anyone today.

Although I have not seen any virus use this method yet, it is certainly likely that, because of the accessibility of methods, there are two or three strains out there.

James

------------------------------

Date: Wed, 08 May 1996 01:20:35 +0000 (GMT)
From: Alchemist
Subject: If you really are AV.
X-Digest: Volume 9 : Issue 66

If everyone here is really interested in AV, someone should start a list of viruses, what they do and methods of detection. This would be harmless to put into "the wrong hands" while useful in the right hands. But I assume that all the AVers here are in it "just for the money" and don't really care about saving the planet from infection. If anyone is interested in this document then eMail me, or post here. I hope this can be a technical document aimed towards programmers of AV software. I know sharing trade secrets is not a good idea, but if AVers can share some of the universal secrets that would be very helpful. I am not talking about fancy stuff, just simple code-scanning and identification.

- - --Alchmemist (jmayo@mail.alliance.net)

------------------------------

Date: Wed, 08 May 1996 00:22:28 -0500
From: Vapor
Subject: Re: Flash Bios Virus anyone?
X-Digest: Volume 9 : Issue 66

Wayne Riddle wrote:
> "NIS Service Dept." wrote:
>
> >Micron Computers is spreading a rumor that there is a beast known as a
> >Flash Bios Virus that is hosing up computers the world around. I know
> >nothing more than this - I was hoping someone else had a little more
> >info...
>
> Probably how Micron is explaining the problems they have been having
> with their systems.

Especially since most Flash BIOS's I've seen need a jumper set on the motherboard to be reprogrammed.

Vapor.

------------------------------

Date: Wed, 08 May 1996 12:42:23 +0530 (GMT+5:30)
From: "HARSHA K."
Subject: Viruses in May and June.
X-Digest: Volume 9 : Issue 66

We are contributing to an article on viruses in one of the leading Newspapers of India. We would like to know which are the viruses that could strike in the month of May & June. What are the latest trends in viruses and latest development in virus field.

Crystal

------------------------------

Date: Thu, 9 May 1996 00:59:17 +1200
From: Nick FitzGerald
Subject: Re: Flash Bios Virus anyone?
X-Digest: Volume 9 : Issue 66

James Coulter wrote:
> I know one thing, it is not a hoax. I have come across methods of
> loading viruses into the flash bios. I know that they are relatively new
> techniques and could cause a lot of damage to your bios. The fact is,
> viral methods and techniques are accessible by virtually anyone today.
>
> Although I have not seen any virus use this method yet, it is
> certainly likely that, because of the accessibility of methods, there
> are two or three strains out there.

This has been discussed before and the weight of argument is against you. Flash BIOS "infecting" viruses are possible but unlikely. Think of all the subtle variations at the component/chip-set level. Multiply that out to get the combinations. Look at the memory footprint BIOS manufacturers have to fit their code into. Look at the cost to the virus writer of "getting it wrong"--almost immediate discovery because of abject machine failure at next reboot following initial infection. The cost of avoiding that is enormous code bloat to do all the low-level testing. The virus becomes enormous and therefore not likely to fit in the small-ish "holes" left in the BIOS address space -or- has to target a very specific and therefore -limited- range of machines/manufacturers. Need I continue??

Unlike with Word macro viruses, "proof of possibility" of Flash BIOS-infecting viruses does not translate into "likelihood".

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Thu, 9 May 1996 01:05:20 +1200
From: Nick FitzGerald
Subject: Re: If you really are AV.
X-Digest: Volume 9 : Issue 66

Alchemist wrote:
> If everyone here is really interested in AV. Someone should start a list
> of viruses, what they do and methods of detection. This would be harmless
> to put into "the wrong hands" while useful in the right hands. But I

Indeed--and the people with the best knowledge and collections of viruses already provide this service as part of the documentation of their products, on WWW servers, etc.

> assume that all the AVers here are in it "just for the money" and don't
> really care about saving the planet from infection. If anyone is

Yep--DataFellows, Dr. Solomon's, McAfee's, Symantec, etc are raking in the bucks from all those thousands of hits per day on their WWW virus description pages....

This attitude is actually doubly insulting, because most people do not read up about avoiding virus infection before they get one, and far too many only care about finding out how to get rid of the one they have at the moment once they do get infected. Thus, to imply that supplying a good, freely available listing of all this information will reduce the spread of viruses flies in the face of nine and a half years of experience. You may counter that I'm being cynical/patronizing/whatever, but you have to look at the economies of providing any "service", be it a "free" one or otherwise....

> interested in this document then eMail me, or post here. I hope this can
> be a technical document aimed towards programmers of AV software. I know
> sharing trade secrets is not a good idea, but if AVers can share some of
> the universal secrets that would be very helpful.
> I am not talking about
> fancy stuff, just simple code-scanning and identification.

Good luck with this, but personally, I think that is a bad idea. One of the reasons it is a good idea to use at least two independent scanners is because they are independently developed. Some approaches to some viruses are wrong--having two products approaching the same situation differently increases the chance that at least one of them will "get it right". Two scanners based on the same scanning engine/approach/detection research(er) will make the same mistakes given the same situation....

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 07 May 1996 10:00:13 -0700
From: Dorset Elementary School
Subject: B1 on novell 2.2 server (NW)
X-Digest: Volume 9 : Issue 66

I have a Novell 2.2 non-dedicated server that boots from a floppy disk. Recently my lab got infected with the B1 virus. Somehow the boot disk for the server got infected and infected the network drives. This crashed the server. The server thinks there are too many volumes (drives) on the server and comes to a screeching halt. Can I disinfect the Novell drives without losing the data?

Greg Styles
Dorset Elementary School
dorsetvt@sover.net

------------------------------

Date: Tue, 07 May 1996 13:06:47 -0400
From: Sotiris Baxevanis
Subject: NLM - Anti-Virus (NW)
X-Digest: Volume 9 : Issue 66

Hello, does anyone have any horror stories, recommendations or other comments concerning anti-virus NLMs with Tricord and/or NetFrame super servers.
Thanks
Sotiris Baxevanis
Computer Security Administrator
- - INTELSAT

------------------------------

Date: Tue, 07 May 1996 06:51:58 +0000 (GMT)
From: Dan Pressnell
Subject: Gneb virus? (PC)
X-Digest: Volume 9 : Issue 66

Hi, everybody.

Microsoft Anti-Virus reported that I had the "Gneb" virus in memory and on disk, and it "cleaned" both. I can't find any information on the Gneb virus. Does anybody know anything about it?

The effects that I saw were erratic disk performance, and a sudden inability of Windows 3.1 to use its 32-bit disk access mode. Things appear to be okay now.

If you follow up, could you include email to me?

Dan

------------------------------

Date: Tue, 07 May 1996 13:46:54 +0000 (GMT)
From: Blackie Lawless
Subject: Thunderbyte and zip or compressed files (PC)
X-Digest: Volume 9 : Issue 66

I read the entire helpfile for TBAV95, and did not see mention of capabilities for scanning zip or compressed files. Is there a feature and I just missed it? Or do I have to extract the contents of a zip file and then scan it?

------------------------------

Date: Tue, 07 May 1996 14:45:34 -0700 (PDT)
From: 07-May-1996 1717 <"stc::stevens"@ampakz.ENET.dec.com>
Subject: Virus in BIOS (PC)
X-Digest: Volume 9 : Issue 66

>We went through a similar episode with a friend's machine. We found that
>it resided in the BIOs, so we made a copy of the cmos settings, pulled the
>battery, then assemble the thing. And found it still there. Apparently
>there is a capacitor that will remain hot for about three hours. So the
>battery should be out for a time ie overnight.

>>[Moderator's note: None of the AntiCMOS family, -nor- any other viruses,
>>"reside" in a PC's CMOS or BIOS. I'll leave it to others who know this
>>particular virus better to dispel the rest of myths here.

This is no longer strictly true. A local (SC) company had an extensive Trojector infection on their network.
During the scan/clean process it was discovered that one pc continued to boot dirty after successive disinfections. An MIS type discovered an entry in the bios setup (advanced chipset setup) menu labeled:

ENABLE VIRUS/DISABLE VIRUS

Apparently, the bios code was edited, virus code added, then loaded onto an eprom and the bios chip replaced. The previous user of that particular workstation had been fired already, another MIS type. Yes, selecting DISABLE VIRUS *did* disable the virus.

On another subject, namely the discussion of FindVirus and the word 'like': Isn't this, like, kind of like, getting pretty, like, anal retentive, all this fuss about the word "like"? So what?

Kurt Stevens

[Moderator's note: Two points:

1) Are you sure? Maybe this is a case of someone misreporting or not understanding what they really found. Many BIOSes have a "virus protection" feature that can be turned on/off--maybe it had been turned on after the virus infected the HD.... Maybe this was deliberately misreported to cover earlier incompetence on the part of the reporter? After all, a -previous- employee isn't likely to be able to discredit a current incumbent. Please supply details of date, place, reliable reference, etc.

2) Even if your report is totally verifiable, what you report is -not- a virus that resides in the BIOS. It would be a case of a human explicitly modifying the environment (if not the virus itself) in such a way that the virus itself could never achieve, so no replicants of that infection would ever again reside in a PC's BIOS.]

------------------------------

Date: Tue, 07 May 1996 22:26:38 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Concept Virus and sick laptop? (PC)
X-Digest: Volume 9 : Issue 66

In article <0012.01I4G20IMOKOSKVUM0@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:
> Iolo Davidson wrote:
>
> >> The Concept macro isn't worth all the hassle and nonsense connected with
> >> its detection and cleaning.
> >> All that you need to detect and remove
> >> Concept, if it bothers you at all, is Word itself and a few keystrokes.
> >>
> >> Regards, Zvi
> >> NetZ Computing Ltd, Israel Producer of InVircible & ResQdisk
> >
> > Do I understand from the above that Invircible can't detect or
> > remove Word Macro viruses, and your users are therefore required
> > to go through "all the hassle and nonsense" required to learn how
> > do it by hand?
>
> InVircible handles Concept alright.

Does it indeed? From the manual entry you quote (below), it seems that Invircible doesn't handle it at all, but advises the user to remove the macros by hand:

> Delete the five macros with the above names and save the document in its
> clean state. The NORMAL template is cleaned by either saving the 'NORMAL'
> style (open the File / Templates menu and tick the "automatically update
> style" box), or by loading NORMAL.DOT as a Word document, deleting the
> macros and then closing it after having saved the template clean. The
> template should be cleaned last, after all affected documents were
> cleaned.
>
> To remove the Concept macro, first screen your files with IVX to find
> which ones are affected. Next, clean the affected documents with Word as
> explained above. And last, don't forget to clean the 'normal' template.

It seems you did have to update Invircible's scanner to detect Concept. So much for "no updating required". Do you think you will never have to update it again? Not even for the next macro virus, and the one after that? Can it detect the others that exist now?

> The IVX correlator will search and find all Word files that are
> affected by Concept. Start IVX and select Concept macro from
> the menu.

Hmmm... You mean it only finds Concept? I understand that there are at least five Word macro viruses, two or three of them in the wild. Can't detect the others? I think you may need to institute an update subscription service to keep your users protected.
> It could be worth installing the Microsoft ScanProt protection to
> the global macro template. With ScanProt installed, Word will
> warn if the document you are about to open contains an
> autoexecuting macro and prompt whether to let the macro execute.

Or you could always recommend someone else's product instead of making yours work. But I understand that ScanProt doesn't work if you open documents directly by double-clicking the document icon instead of running Word explicitly first and opening the document from within Word. So maybe you should recommend one of the better anti-virus products that detects and removes word macro viruses, and which has regular updates by subscription to stay abreast of the problem.

> > Concept doesn't have much of a payload, but there are Macro
> > viruses that damage or delete data, and there will be lots more
> > Macro viruses. Any anti-virus that ignores them is not serving
> > its customers.
>
> Our opinions differ largely here as your doom prophecies are not
> likely to materialize. It's their like that isn't serving computer
> users and the community at large.

Prophecy? There are *already* malicious macro viruses. There are *already* more macro viruses than your product apparently detects. You are *already* falling behind the problem.

- - SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS Burma-Shave

------------------------------

Date: Tue, 07 May 1996 22:05:17 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 66

In article <0024.01I4G20IMOKOSKVUM0@csc.canterbury.ac.nz> mramey@u.washington.edu "'Mike' M Ramey" writes:
> Iolo Davidson: As you can see from the message below, I tried to
> send my comments on this topic to you and others directly, via
> email. But neither of the email addresses that I found for you
> (in the alt.comp.virus and comp.virus newsgroups) seems to work.
I don't welcome private debate on issues that I am engaged in debating publicly. It's a diversion and confusing. I also dislike the practice some engage in of both posting and emailing copies of their posts to other posters. I adjust my mailing software to suit my own preferences. Most people take the hint when they get bounced by my trick "Reply-To:" line. I had to take extra measures in your case. The facility to block incoming mail is incorporated in the software supplied by my Internet Service Provider.

> - ----- Original Message Follows ------
> Date: Sun, 5 May 1996 12:16:45 -0700 (PDT)
> From: 'Mike' M Ramey
> To: S&S Graham Cluley {Dr Solomon}
> Cc: Bruce Burrell ,
> Iolo Davidson ,
> "S. Widlake"
> Subject: FindVirus messages: TELL THE [WHOLE] TRUTH (DAMMIT)!

Hmmm... seems like you are trying to start a listserver the hard way.

UNSUBSCRIBE iolo@mist.demon.co.uk

- - SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS Burma-Shave

------------------------------

Date: Tue, 07 May 1996 22:46:57 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Remover for Manzon virus (PC)
X-Digest: Volume 9 : Issue 66

In article <0011.01I4G20IMOKOSKVUM0@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:
> Infecting files with Manzon and disinfecting them with DSAVTK confirmed
> that FindViru ruined every EXE file that it claimed having disinfected.
> Since FINDVIRU disinfected the COM files alright, then the fault should be
> in the Manzon disinfection routine, rather than caused by the
> misidentification of the virus variant (Manzon has two variants). S&S
> admitted the existence of the FINDVIRU bug.

S&S also fixed the problem, which was in the driver file, not a bug in the program, in the regular update. That fix took place some time ago. Furthermore, you know that it is fixed. They posted the fact the last time you published the above story. That is what you are calling an admission.
I note that nowhere in your repeat of this old story do you acknowledge that the problem was short-lived and has been fixed.

> Therefore, check that the cure isn't worse than the disease before you
> commit your files to scanner disinfection! The forecast isn't encouraging
> since the number of bugs increases exponentially in function of the number
> of viruses that the scanner handles. Qualifying and testing scanner
> updates is also becoming a serious problem, as the case above proves.

Scaremongering nonsense. Invircible users, by contrast, are given lengthy directions on how to remove the Concept Word Macro virus by hand rather than a program that can do it.

- - SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS Burma-Shave

------------------------------

Date: Wed, 08 May 1996 01:41:17 +0000 (GMT)
From: Alchemist
Subject: Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
X-Digest: Volume 9 : Issue 66

In article <0018.01I4G20IMOKOSKVUM0@csc.canterbury.ac.nz>, Iolo Davidson wrote:

>In article <0025.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
> maxwells@kiva.net "Chris Clayton" writes:
>
>> Is it possible for a computer with the NYB, Form, or Stoned virus
>> to have its hard drive physically damaged.
>
>A hard disk can give up the ghost at any time. Having a virus
>won't prevent it.
>
>If you are asking if a virus can *cause* physical damage, then
>no, there is no virus that can do that.

Two things.

Old Multisync monitors.

Old IDE hard drives (Seagate). Not physical damage to low-level format, but since they have weird interleave on them, a costly repair.
- - --Alchemist (jmayo@mail.alliance.net)

------------------------------

Date: Wed, 08 May 1996 01:47:09 +0000 (GMT)
From: Alchemist
Subject: Re: Anti-CMOS A (PC)
X-Digest: Volume 9 : Issue 66

In article <0026.01I4G20IMOKOSKVUM0@csc.canterbury.ac.nz>, Patty-anne Lea wrote:

>In article <0030.01I4BWNT3JS4SKVUM0@csc.canterbury.ac.nz>,
> KVacek wrote:
>
>We went through a similar episode with a friend's machine. We found that
>it resided in the BIOS, so we made a copy of the CMOS settings, pulled the
>battery, then assembled the thing. And found it still there. Apparently
>there is a capacitor that will remain hot for about three hours. So the
>battery should be out for a time, i.e. overnight.
>
>There is some interesting info on http://www.symantic.com
>about lots of viruses and ways to remove them. Good luck patty-anne
>
>[Moderator's note: None of the AntiCMOS family, -nor- any other viruses,
>"reside" in a PC's CMOS or BIOS. I'll leave it to others who know this
>particular virus better to dispel the rest of the myths here.
>
>BTW, the correct URL is http://www.symantec.com.]

Since I last checked, there is under 16 bytes for CMOS, and it is not executable. It is accessed through an I/O port. It is not accessed like normal RAM. Therefore, BIOS would have to copy the 16-byte virus into RAM and then for some odd reason execute it. Also, BIOS would flip if you corrupted the CMOS area like that.

I do not believe there is a CMOS virus, unless you can prove it somehow (source code, virus binary, something). Maybe I could explain how it works to people who don't know, if it exists at all.

- - --Alchemist (jmayo@mail.alliance.net)

------------------------------

Date: Tue, 07 May 1996 22:56:43 +0000 (GMT)
From: Iolo Davidson
Subject: TBAV: Possibly infected by an unknown virus (PC)
X-Digest: Volume 9 : Issue 66

In article <0021.01I4G20IMOKOSKVUM0@csc.canterbury.ac.nz> dkstewart@csra.net "dkstewart" writes:

> The false positive was because of the heuristic abilities of TBAV.
> TBAV made an error on the safe side flagging the file as a possible virus.....
> Would you rather TBAV made the error on the other side and missed a
> possible virus? ;-)

I would rather not have any erroneous reports. I don't regard this as an either/or. If heuristics are to have any value, they have to be good enough that they don't leave it up to the user to decide if an alarm means he really has a virus or not.

> ThunderBYTE is working to make ThunderBYTE as
> accurate as possible to detect known and unknown viruses and will on
> occasion flag a file as a possible virus. Did this error cause you any
> great problems or damage?

False alarms do cause a great deal of trouble. Even if it doesn't run to inappropriate overreactions like panic formatting of hard drives, it can cost time and money. In corporate environments, people are often required to stop work and call the PC support staff whenever the company-installed anti-virus alarms. Too many false alarms, and the company will install a different product.

- - SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS Burma-Shave

------------------------------

Date: Wed, 08 May 1996 03:23:44 +0000 (GMT)
From: flyboy@ari.ari.net
Subject: Need MBR reader (PC)
X-Digest: Volume 9 : Issue 66

If anyone knows of a program to read the 512 byte MBR of a floppy disk I would appreciate a copy.

------------------------------

Date: Wed, 08 May 1996 07:22:12 +0000 (GMT)
From: Steve Roberts
Subject: Re: Partition virus which slows/kills floppy drive? (PC)
X-Digest: Volume 9 : Issue 66

>Steve Roberts wrote:
>
>Subject: Partition virus which slows/kills floppy drive? (PC)
>
>[Snip happens]
>>Any suggestions gratefully received!
>
>You did try to clean the floppy drive, did you?

been there, done that!

>If this is an older machine you should check whether in Setup the DMA
>clock is correct (i.e. BCLK/2 or 4 MHz). Overclocking this gives exactly
>the symptoms you describe.
yes, but that doesn't spread from system to system, or disappear if you boot from a clean floppy or if you "clean up" the hard disk partition table.... I am pretty sure we are talking virus here. Could be what the virus is doing of course..

Steve.

------------------------------

Date: Wed, 08 May 1996 02:19:25 -0400
From: Bill Lambdin
Subject: InVircible (PC)
X-Digest: Volume 9 : Issue 66

Zvi Netiv writes.

>It's also recommended that you prepare an IV rescue diskette so that you
>can easily recover the drive in case of a boot infection. The common
>rescue utilities do not handle properly the stealthed DDO, they are fooled
>by the virtual MBR and boot chain. Unlike Ontrack's DDO which can be
>restored with the DM utility, there is no EZ way to recover the EZ-Drive
>overlay and a dumb boot infector may cause loss of the drive and its
>content.

Users of InVircible with MFM, RLL, ARLL, SCSI, SCSI2, and ESDI drives should be alerted that section 10.8 paragraph 6 of InVircible's Hypertext manual states "IV's see through functions only with IDE and EIDE drives".

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                       C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Wed, 08 May 1996 09:58:18 +0200
From: Jan Visser
Subject: Re: Master Boot infections on Compaq / IBM systems (PC)
X-Digest: Volume 9 : Issue 66

On Sun, 05 May mitch dove wrote:

[snip]
>I have come across some peculiar infections of MBR's of, in
>particular IBM and Compaq systems and more recently, possibly DELL as
>well.
[snip]

I recently came across a Junky infection on a Compaq Presario system from a friend. Symptoms were the following: After the system booted, the menu of a Compaq diagnostic program appeared. It was however impossible to choose any function because the system complained about lack of memory and offered to reconfigure the memory.
When I clicked "Ok" the system rebooted but nothing apparently changed.

The Compaq box was sold by one of those stores that move boxes as fast as possible; it came without documentation, setup and diagnostic diskettes, MS-DOS and Windows diskettes and of course without service. So it appeared I had to solve the problem myself.

I booted from a clean MS-DOS diskette and scanned the C: drive. TBAV identified the Junky virus in the MBR and about 20 files. I cleaned the MBR (FDISK /MBR) and renamed the infected files. After replacing COMMAND.COM (which was infected of course) I booted the system from its own hard disk. The aforementioned symptoms appeared again. After booting from the clean diskette and scanning the C: drive, Junky was found (again) in the MBR.

After some research I found the following:

- the drive (420M) has two partitions: a small (approx. 3M) diagnostic partition and a primary DOS partition. The diagnostic partition is NON-DOS (the System Code is hex 12)
- the diagnostic partition was flagged as active
- actually the diagnostic partition is a DOS partition with a DOS-16 FAT. It contains IO.SYS, MSDOS.SYS, COMMAND.COM and the diagnostic programs. CONFIG.SYS contains a line: SHELL=TEST with some parameters. You can verify this by setting the System Code to hex 04 (DOS-16) and rebooting from diskette. The (former) diagnostic partition appears as drive D:.
- all .COM programs in the diagnostic partition were infected with Junky. (I think the DOS boot record was too, but don't know for sure.) This accounts for the re-infection which took place.

I cleaned the MBR and diagnostic partition (still flagged as DOS-16). Then I replaced the System Code for the diagnostic partition with hex 12 and flagged the DOS partition as active. After booting from the hard drive the system stayed clean.

The lesson learned: on Compaqs and probably other computers there may be "disguised" DOS partitions that can become infected with and reactivate a virus.
The whole exercise left me with the following questions:

- Why the diagnostic partition? It appears that normally it can only be activated by running programs from a diagnostic diskette. In that case you can do all diagnostics running from diskette.
- How did it get flagged as Active?

(these two just to satisfy my curiosity, but more fundamental:)

- Why are respectable manufacturers turning out systems with complex setup features without apparently ever thinking of the problems a simple virus introduces? I mean: flagging the diagnostic partition with System Code '12' will fool most users but no viruses when booting from this partition.

____
Regards, Jan Visser (vissj@gww.nl)

[Moderator's note: The diagnostic partition on Compaqs is related to their "fancy" OS setup and config options, when new, and I think to their full hibernate/restore capabilities.]

------------------------------

Date: Thu, 9 May 1996 01:35:12 +1200
From: Nick FitzGerald
Subject: Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
X-Digest: Volume 9 : Issue 66

Alchemist wrote:

> Two things.
>
> Old Multisync monitors.
>
> Old IDE hard drives (Seagate). Not physical damage to low-level format,
> but since they have weird interleave on them, a costly repair.

Two things: Get your facts right. Check you got your facts right. Only embarrassment, but difficult to repair.

-Multisync- monitors do -NOT- have the problem you allude to. Some so-called "multifrequency" ones may/did. Read the Virus-L back-issues from early this year for an -explanation- of the issues (it was digest #28). But it would be a pity to allow the facts to get in the way of a persistent urban legend.... 8-)

So, how much credence do we now give your claim that certain Seagate HDs were software damageable? It actually seems you aren't claiming this anyway, despite "physical damage" being the thrust of the thread!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 66]
*****************************************
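Jan Visser's Compaq report above (a partition with System Code hex 12 flagged active, holding an infected DOS file system) and flyboy's request for a 512-byte MBR reader both come down to inspecting the 64-byte partition table that ends the first sector. The following Python is an added example, not code from the digest or from any of the products it discusses. It parses an MBR, checks the 55 AA boot signature, decodes each entry's boot flag, system code and extents, and reports the condition the post describes: exactly one active partition is expected, and an active partition whose system code is not a DOS type deserves a look because DOS and DOS-based scanners booted from a clean diskette will not give it a drive letter. The sample sector is constructed here to resemble the described layout, not taken from a real Compaq drive; the type-name table and the DOS_TYPES set are this example's own assumptions.

```python
"""Parse and audit a 512-byte DOS master boot record (added example, not from the digest)."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # four 16-byte partition entries occupy bytes 446..509
BOOT_SIGNATURE = 0xAA55   # stored little-endian as 55 AA at bytes 510..511

# System (partition type) codes; hex 12 and hex 04 are the two the Compaq post mentions.
# The labels are this example's assumption, not a complete table.
TYPE_NAMES = {
    0x00: "empty",
    0x01: "FAT12",
    0x04: "FAT16 (<32M)",
    0x05: "extended",
    0x06: "FAT16",
    0x12: "Compaq diagnostic",
}
# Codes DOS will mount as a drive letter (assumption for this example).
DOS_TYPES = {0x01, 0x04, 0x06}


def decode_chs(raw):
    """Decode the packed 3-byte CHS field: head, sector (6 bits) + cylinder high bits, cylinder low byte."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector):
    """Return the boot-signature check and the four partition table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d bytes" % (SECTOR_SIZE, len(sector)))
    sig_ok = struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        boot, chs_start, ptype, chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * i)
        partitions.append({
            "index": i + 1,
            "boot_flag": boot,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba,
            "sectors": count,
        })
    return {"signature_ok": sig_ok, "partitions": partitions}


def audit_mbr(sector):
    """List the things worth checking before trusting what a clean-boot scan of C: tells you."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55 AA missing: sector is not a valid MBR")
    for p in info["partitions"]:
        if p["boot_flag"] not in (0x00, 0x80):
            findings.append("partition %d: invalid boot flag 0x%02X" % (p["index"], p["boot_flag"]))
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("%d partitions flagged active (expected exactly 1)" % len(active))
    for p in active:
        if p["type"] not in DOS_TYPES:
            findings.append(
                "active partition %d has non-DOS system code 0x%02X (%s): the MBR code "
                "will boot it, but DOS gives it no drive letter, so scan it separately"
                % (p["index"], p["type"], p["type_name"]))
    return findings


def build_entry(boot, ptype, lba, count):
    """Build one 16-byte entry; CHS fields are left zero in this constructed data."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)


def compaq_like_mbr():
    """Constructed sample resembling the post: active hex-12 partition of ~3M, then FAT16 on a ~420M drive."""
    diag = build_entry(0x80, 0x12, 63, 6144)
    dos = build_entry(0x00, 0x06, 6207, 860160 - 6207)
    empty = build_entry(0x00, 0x00, 0, 0)
    code = b"\0" * TABLE_OFFSET   # no boot code in the sample; a real MBR carries the loader here
    return code + diag + dos + empty + empty + struct.pack("<H", BOOT_SIGNATURE)


def read_first_sector(path):
    """Read sector 0 of an image file or (with suitable privileges) a raw device."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    sample = compaq_like_mbr()
    for p in parse_mbr(sample)["partitions"]:
        flag = "active" if p["active"] else "      "
        print(p["index"], flag, "0x%02X" % p["type"], p["type_name"], p["lba_start"], p["sectors"])
    for finding in audit_mbr(sample):
        print("!", finding)
```

Feed read_first_sector() a disk image or raw device and pass the bytes to audit_mbr(); on the sample it reports the single active hex-12 partition, and after the post's fix (hex 12 left in place but the FAT16 partition made active) it reports nothing. A floppy's first sector is a DOS boot sector rather than an MBR, so on a floppy image only the 55 AA signature check is meaningful and the partition fields will decode as noise.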