VIRUS-L Digest   Friday, 10 May 1996   Volume 9 : Issue 67

Today's Topics:

Click virus from Web page?
Virus description lists (was: If you really are AV)
Re: Is virus writing illegal?
Danger of False Alarms
Re: Flash BIOS Virus anyone?
Re: Flash BIOS Virus anyone?
Re: Viruses in May and June.
Re: Is virus writing illegal?
Re: Concept virus observation
Re: Is virus writing illegal?
Re: If you really are AV.
How can you tell a false positive from a REAL virus?
Cryptoviruses
Re: B1 on novell 2.2 server (NW)
Re: What to buy for NT server and win95 wkstns (NT)
Norton AV 95 Auto-Protect (WIN95)
NAV reports C64 virus (WIN)
re: Gneb virus? (PC)
RE: Need MBR reader (PC)
Taipan 438-c (PC)
Re: Need MBR reader (PC)
Sporadic system slow-downs virus related? (PC)
Re: Need MBR reader (PC)
FORM_A Virus (PC)
PLEASE HELP!! 1986.variant of KARNAVALI virus (PC)
Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
What does SAMPO do? (PC)
Re: Thunderbyte and zip or compressed files (PC)
Re: Concept Virus and sick laptop? (PC)
Re: Virus in BIOS (PC)
McAfee's Scan (PC)
Virus removal (PC)
Macro viruses (PC)
Re: Very slow boot up--virus? (PC)
Re: Need MBR reader (PC)
Re: Need MBR reader (PC)
Re: Virus in BIOS (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l.
The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 08 May 1996 13:46:07 -0400
From: "James R. Mac Donald"
Subject: Click virus from Web page?
X-Digest: Volume 9 : Issue 67

A friend claims he went to a website (http://www.winternet.com/%7Edrow/click.html) and encountered the "Click" virus. It claims that by merely visiting this page, your system has been infected with "click". I presume it would require a rather intricate back-end piece of HTML/CGI code to produce a virus thru a web page, but that it may be a possibility. Has anyone heard, and can vouch for the sincerity of "Click"? Is it a "real" virus?

Thanks,
J.R. Mac Donald
jrmd@thehole.win.net

------------------------------

Date: Wed, 08 May 1996 19:13:25 +0000 (GMT)
From: Robert Michael Slade
Subject: Virus description lists (was: If you really are AV)
X-Digest: Volume 9 : Issue 67

Nick FitzGerald (n.fitzgerald@csc.canterbury.ac.nz) wrote:
: Alchemist wrote:
: > If everyone here is really interested in AV. Someone should start a list
: > of viruses, what they do and methods of detection. This would be harmless
: Indeed--and the people with the best knowledge and collections of viruses
: already provide this service as part of the documentation of their

Then there are those who provide it as a standalone service. There is the Hoffman Summary list (of sometimes dubious accuracy but formerly wide fame), Norman's V-Base (I don't have experience with it personally, although I haven't seen attacks on it), and other shareware and commercial lists.
If you prefer hardcopy, there are Alan Solomon's two books, "PC Viruses" from Springer-Verlag (a bit long in the tooth, now) and "Virus Encyclopedia" from S&S. Or there is the Computer Virus Catalog, freely available from the Virus Test Center (highest accuracy, although most limited set of entries) and the newer CARObase. (The VTC kindly granted permission for me to include the CVC with the second edition of my book.)

: > assume that all the AVers here are in it "just for the money" and don't
: > really care about saving the planet from infection. If anyone is
: Yep--DataFellows, Dr. Solomon's, McAfee's, Symantec, etc are raking in the
: bucks from all those thousands of hits per day on their WWW virus
: description pages....

And those of us who don't produce software are getting weary of carrying the unsolicited bags of cash we receive to the bank....

: This attitude is actually doubly insulting, because most people do not
: read up about avoiding virus infection before they get one, and far too

And to add support to Nick's statement, note that if "Alchemist" had done the slightest research himself, he would have found the resources I listed above.

: > interested in this document then eMail me, or post here. I hope this can

Now this I can sympathize with. A "user-supported" list of virus descriptions, made freely available, is a worthy project. Difficult to arrange, and maintain at the necessary high quality, but I'd be willing to give it a go.

: > be a technical document aimed towards programmers of AV software. I know

On the other hand, if this is just another "send me viruses!" call, go soak your CPU.

: > sharing trade secrets is not a good idea, but if AVers can share some of
: > the universal secrets that would be very helpful. I am not talking about
: > fancy stuff, just simple code-scanning and identification.

Wait a minute, you were talking about users at the beginning. And there *aren't* any "universal secrets".
I really think you should have a look at the CVC to see what is required, here.

: Good luck with this, but personally, I think that is a bad idea. One of
: the reasons it is a good idea to use at least two independent scanners is
: because they are independently developed. Some approaches to some viruses
: are wrong--having two products approaching the same situation differently
: increases the chance that at least one of them will "get it right". Two
: scanners based on the same scanning engine/approach/detection research(er)
: will make the same mistakes given the same situation....

Yes, Nick, I agree with you if he is talking about some kind of "universal signature database": any developer who based a product on that would have a weak scanner indeed. If he wants to build a document to help users, though, the same argument turns around. We can always use another description listing.

======================
roberts@decus.ca  rslade@vcn.bc.ca  slade@freenet.victoria.bc.ca
Virtual reality is for those who can't handle the command line
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Wed, 08 May 1996 17:58:01 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 67

In article <0009.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz> webmaster@bl-net.com "James Coulter" writes:

> What's the harm in a simple replicator? Absolutely nothing!

Wrong. At the very least, viruses steal computer resources from the owner of those resources, and waste them. At worst, the virus is buggy, and the bugs cause problems running the software the owner wishes to run, or even cause damage to data.

> Appending viruses do not corrupt your files.

Sure they do. The virus writer may not have *meant* that to happen, but very few viruses are well written enough to cause no problems, and all steal resources.

> My point is, virus writing is a form of programming.
> It should not be illegal even if a NON-DESTRUCTIVE virus is released.

Yes it should, and usually is. Making an unauthorised modification to a computer you don't own or have permission to modify is illegal in many places. In Britain, a virus writer who distributed his viruses is serving an 18 month sentence under "unauthorised modification" laws, as well as incitement to others to break the same laws.

> Those authors of DESTRUCTIVE viruses, however, should be prosecuted as they
> have done harm to your private property.

All viruses steal resources, many cause damage or compatibility problems even when the writer didn't mean them to.

> PS: To date, not a single one of my viruses has had destructive code

Doesn't matter, and you can't be sure of that anyway.

> or even been released into the "wild".

That keeps you on the right side of the law.

> I think of them as trophies of accomplishment.

Sad. Surely there is something worthwhile you could be doing?

- -
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS
Burma-Shave

------------------------------

Date: Wed, 08 May 1996 17:08:38 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Danger of False Alarms
X-Digest: Volume 9 : Issue 67

An excellent example of the time cost due to concern over false positives:

We (TradeMark Computer Division of Almo Distributing) build systems. On a system return, McAfee VirusScan (2.2.9) reported a file in the QEMM directory 'MBOOT0.DAT' as infected with Stoned.AZUSA. Odd...that seems to be a boot sector virus...let's throw FindViru 7.58 at it...and it reports clean. VirusScan 2.2.11? Infected.

After a couple of days of talking with Jimmy at McAfee (Thanks for the help!) and Paul at Dr Solomon's, I found out that Dr Sol's has a switch you need to test files for boot sector viruses like this. Paul didn't guess right away the file was a copy of a boot sector, I didn't know there needed to be a switch...so quite some time was lost trying to figure the puzzle out.
I have seen false IDs from McAfee in the past (admittedly, all from TSRs and all went away with clean boots), so I doubted a completely accurate report.

The danger of the false ID lies in the time lost and, often more importantly, in the not trusting reports of real infection!

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 08 May 1996 17:08:38 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Re: Flash BIOS Virus anyone?
X-Digest: Volume 9 : Issue 67

James Coulter writes
>NIS Service Dept. wrote:
>
>> Micron Computers is spreading a rumor that there is a beast known as a
>> Flash Bios Virus that is hosing up computers the world around. I know
>> nothing more than this - I was hoping someone else had a little more
>> info...
>
> I know one thing, it is not a hoax. I have come across methods of
>loading viruses into the flash bios. I know that they are relatively new
>techniques and could cause a lot of damage to your bios. The fact is,
>viral methods and techniques are accessible by virtually anyone today.
>
> Although I have not seen any virus use this method yet, it is
>certainly likely that, because of the accessibility of methods, there are
>two or three strains out there.

Note that to reasonably test such a virus, the author needs to have a ROM programmer to fix the BIOS to test again (or a large stock of Flash BIOS chips or motherboards with Flash BIOS). I am not sure how many virus authors have this kind of resource.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 08 May 1996 17:08:38 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Re: Flash BIOS Virus anyone?
X-Digest: Volume 9 : Issue 67

JMCarlini writes:
>In article <0001.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>, Fridrik
>Skulason writes:
>
>>There is an interesting twist on this subject. On most well-designed
>>motherboards you can change a DIP switch to write-protect the FLASH
>>memory.....which gives you 100% protection from those viruses.
>
>>Unfortunately that means that the machine becomes non-"Plug-and-Play"
>>compatible, so therefore all motherboard manufacturers ship their boards
>>with FLASH write enabled...making the machines easy targets.
>
>Not completely true. My FLASH bios is write-protected, and
>"Plug-and-Play" still works just fine for me. And mine came
>write-protected, tho I have an older machine (3 years) so that may have
>something to do with it.
>
>I have a PHOENIX bios, if that makes any difference.

Actually, if you make any changes (hardware or even CMOS), your ESCD is updated to record these changes for PnP purposes. This ESCD (Extended System Configuration Data) is stored in the Flash BIOS. We bought a PCI motherboard line for a while that had a PnP BIOS, but couldn't support PnP because the BIOS wasn't Flash. (FIC PIO-2) The mfgr was forced to write a non-PnP version of the BIOS (instead of using Flash BIOS chips) :-{

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 08 May 1996 07:13:59 +0000 (GMT)
From: George Wenzel
Subject: Re: Viruses in May and June.
X-Digest: Volume 9 : Issue 67

In article <0013.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz>, "HARSHA K." wrote:
>We are contributing to an article on viruses in one of the leading
>Newspapers of India. We would like to know which are the viruses that could
>strike in the month of May & June. What are the latest trends in viruses
>and latest development in virus field.

Do you really want to list all viruses that could strike in May and June?
That'd be a very long list, since many viruses can infect all the time. It's not a good idea to say that people should be worried about specific viruses at specific times, since viruses are something everybody should protect themselves from all the time.

Regards,
George Wenzel

George Wenzel
Student of Wado Kai Karate
University of Alberta Karate Club
NETSCAPE GOLD RUSH CONTEST WINNING PAGE: http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Wed, 08 May 1996 07:11:54 +0000 (GMT)
From: George Wenzel
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 67

In article <0009.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz>, James Coulter wrote:
> I merely think, being an amateur virus author, that SANE authors
>write viruses for the sheer experience of writing a complex program,
>which some refer to as ARTIFICIAL LIFEFORMS. The feeling of
>accomplishment that you get from writing such complex things is common
>to every author out there.

Well, from what I've seen of viruses, they're poorly programmed, and I wouldn't call them artificial life. If you do, you're merely making a problem seem like a crusade, which is not a good thing.

> The fact is though, some authors are missing a few marbles and
>include destructive code. Viruses like this, should have the author
>prosecuted even if he hasn't distributed it. What's the harm in a simple
>replicator? Absolutely nothing! Appending viruses do not corrupt your
>files.

Pardon me, but all viruses do harm. All viruses use up scarce resources, which slows down the machine, which is not wanted. I don't want a virus on my computer, no matter what sort of virus it is. If you spread a virus to me, without my knowledge, and it causes me problems, you may not be breaking a *legal* law (depends on y

> My point is, virus writing is a form of programming.
>It should not be illegal even if a NON-DESTRUCTIVE virus is released. Those authors
>of DESTRUCTIVE viruses, however, should be prosecuted as they have done
>harm to your private property.

All viruses, as I've said, do harm. Virus writing itself is hard to make illegal, but if a virus is distributed, and that virus causes grief for people, I consider that to be both an unethical and immoral act. Whether it is illegal or not is a different matter, depending on jurisdiction.

>PS: To date, not a single one of my viruses has had destructive code or
>even been released into the "wild". I think of them as trophies of
>accomplishment.

Why not try to get a degree in computing science? That's a legitimate trophy of accomplishment, and others will recognize it as being the result of hard work. A virus is simply the spawn of a deviant mind.

Regards,
George Wenzel

George Wenzel
Student of Wado Kai Karate
University of Alberta Karate Club
NETSCAPE GOLD RUSH CONTEST WINNING PAGE: http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Wed, 08 May 1996 22:26:31 +0000 (GMT)
From: Bruce Hore
Subject: Re: Concept virus observation
X-Digest: Volume 9 : Issue 67

Szappanos Gabor wrote:
>On Thu, 02 May 1996 "R. Zalk" wrote:
>Subject: Concept Virus Observation.
> [snip]

Using McAfee, VDOC or F-Prot are only cures to the problem. I suggest you might want to install a Macro protector, i.e. Scanprot.dot or Scan831.doc, to make sure all your global templates are protected in the first instance. These Macros only take a few minutes to run and Scanprot.dot will pick up any macros in a document, not just specifically the Concept virus. Scanprot.dot is available from WWW.MICROSOFT.COM.

Bruce
aumsad06.wz6mt9@eds.com

------------------------------

Date: Wed, 08 May 1996 21:22:23 -0400
From: Pfunk240
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 67

Even if virus writing is a crime, what is that going to stop?....people won't stop writing virii just because it's a crime...people write virii and distribute them because it is exciting to see something you created and put together do what you expected it to....ruin a puter. I don't write virii YET because I want to learn more about it before I start...but once I do..I won't stop because of some puny law...hell, most of us break the law every day. Just keep telling yourself that it isn't that big a deal and it will all be better. :) chill.

------------------------------

Date: Thu, 09 May 1996 03:31:04 +0000 (GMT)
From: Holt Sorenson
Subject: Re: If you really are AV.
X-Digest: Volume 9 : Issue 67

Alchemist (jmayo@smurfland.bbs) wrote:
: If everyone here is really interested in AV. Someone should start a list
: of viruses, what they do and methods of detection. This would be harmless

Papa Smurf says that these are the best places to find out about viruses:

Virus Databases
http://www.datafellows.com/vir-info/  Data Fellows Virus Database
http://www.symantec.com/avcenter/vinfodb.html  Symantec Virus Database
http://www.drsolomon.com/vircen/enc  Dr. Solomon's Database
http://www.mcafee.com/support/techdocs/vinfo/#top  McAfee Virus Database
also ftp://mcafee.com/pub/3rdparty/vsumx603.zip

If you have any questions talk to Hefty.

- -
Holt Sorenson         | Any opinions expressed are mine only, and are not
hs@grafton.dixie.edu  | the responsibility of Dixie College or SDF.
http://ashton.lib.dixie.edu/~hs/ for pub key, etc.
kid 001C1D 07/30/93 | kprint "7A 1C 51 FA 84 04 2D 08-5E 27 4B CA 8D B0 DD 34"

------------------------------

Date: Thu, 09 May 1996 13:54:54 -0400
From: JMCarlini
Subject: How can you tell a false positive from a REAL virus?
X-Digest: Volume 9 : Issue 67

Because of TBAV's heuristic approach, if I set it to a High heuristic setting, I will invariably get virus alerts that I did not get at a lower (auto) setting. I have also received what I believe to be false positives with McAfee Scan (After following the usual protocols, I could not find the virus, and have not had another incident.)

Is there any accurate way to tell a false positive from a REAL virus? If you run two scanners (as I do) and only one reports a virus, is that a 100% indication that it is a false positive?

I run McAfee & TBAV, and update regularly. I am very careful & never, ever add data (except for email, newsgroups) to my machine (CD, floppy, internet, whatever) without running one or both scanners first. I also run both scanners on the whole drive at least a couple of times a month, usually once per week. I had been running TBAV as a background scanner, but have had to discontinue for now as I was getting too many hard crashes, and do not currently have time to do a diagnostic/analysis to find where the crash is.

Given these criteria, what would be the possibility that my computer could still contract a virus? Any useful information would be appreciated!

- jmc

------------------------------

Date: Thu, 09 May 1996 18:48:39 -0400
From: "Adam L. Young"
Subject: Cryptoviruses
X-Digest: Volume 9 : Issue 67

A number of people have requested the reference for "Cryptovirology: Extortion-Based Security Threats and Countermeasures". The following is the reference:

A. Young, M.
Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures", proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 129-140, 1996.

The ISBN number is 0-8186-7417-2 and the IEEE Computer Society Press Order Number is PR07417.

Cryptoviruses (that is, viruses that use the public key of the author for offensive purposes) were first presented in:

A. Young, "Cryptovirology and the Dark Side of Black Box Cryptography", Masters Thesis, Dept. of Computer Science, Columbia University, summer '95.

Dr. Moti Yung was my thesis advisor, and he contributed immensely to the work. The Dark Side of Black Box Cryptography relates to a paper that we will be presenting at CRYPTO '96.

- -------------------------------------------------------------
Adam Young
BS Yale University Electrical Engineering '94
MS Columbia University Computer Science '96
Ph. D. Columbia University Computer Science - expected '00

------------------------------

Date: Thu, 09 May 1996 15:13:21 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: B1 on novell 2.2 server (NW)
X-Digest: Volume 9 : Issue 67

Tue, 07 May 1996 10:00:13 -0700 Dorset Elementary School Wrote:
>I have a Novell 2.2 non-dedicated server that boots from a floppy
>disk. Recently my lab got infected with the B1 virus. Somehow the boot
>disk for the server got infected and infected the network drives. This
>crashed the server. The server thinks there are too many volumes(drives)
>on the server and comes to a screeching halt.
>
> Can I disinfect the Novell drives without losing the data?

I'll resist the temptation to give You (and all others) an impetuous answer.

The following is a procedure that I strongly recommend for all Novell administrators (as well as advanced users). It could be used for Novell 2.2 to 4.1. (Including Novell Lite or Personal.) The difference itself is that Novell 2.2 is not available anymore (lack of continuity), but many people certainly still use it.
(Novell 2.2 could have the Server "Dedicated" or "not-dedicated".) Also remember that Novell 3.xx to 4.1 uses dedicated servers ONLY.

This involves two tasks:

- Disinfection of one workstation. Drivers and usual "shared" executable files may be placed in a Clean_Write-protect_Bootable diskette in order to make a safe connection to the server. Examples of these files are:
  Drivers: Lsl/Ne2000/Ipxodi/Vlm's.
  Other: Login.exe.
- Disinfection of Server.
  a) DOS Partition. (Includes Boot/Partition and DOS files)
  b) Novell Partition. (Includes Files)

- -------------------------------------------------------------------------

Step 1) Backup Server (Always) <<----- [This is the most important thing!]

This is the best option for Boot sector viruses, if You use a TAPE backup, because Bootsector viruses (I don't mean multipartite!) could NOT spread on a tape. If You could NOT disinfect Server or something is ruined in the middle, You could always reach the initial state.

Step 2) Backup ALL relevant Workstations data. (Worksheets, Documents, etc) (Software could be re-installed again but NOT data)

Step 3) Disconnect all remote stations. You could do it just by removing the coaxial adapter or twisted pair connector from the rear CPU panel of the stations.

Step 4) What do You need for the Disinfection Procedure.
a) A Bootable_Clean_Write-Protected Diskette (5 1/4" or 3 1/2") (The recommendation here is: If You haven't any bootable disk try to do it from another installation. Not the affected one.)
b) At least two GOOD reputed AV packages to check the installation. (Also maybe placed in write-protected diskettes. It will be useful if those diskettes are bootable too -but sometimes 1.2Kb or 1.44Kb is not enough to contain both OS and AV-)
c) CMOS boot sequence of all Workstations (and server) may be set to A: C:.

Step 5) Disinfection:
a) Proceed to disinfect each workstation. Cold Boot from diskette and run the AV software.
b) When You have disinfected all workstations, proceed to disinfect Server (BE SURE TO BACKUP IT FIRST !!!!). See recommendations listed above in order not to reinfect Workstations again.

The problems that will appear during disinfection could be:

Boot/Partition infection: The software will advise You if it could remove the virus from these areas or not. If You have any doubt 'just say NO'. This means that You'll need another product to do the job.

File infection: It could be possible that the software doesn't disinfect or repair the affected file. Again, if You have any doubt about this just DELETE the infected file and restore the file from the original product.

Step 6) Floppy disk revision and other security measures.

Check all Diskettes that (Users and You) have used lately and look for infection. Try to determine which was the cause of the infection, play detective for a while but don't waste too much time on it. It is important to determine how the virus infected the net, the time this occurred, what the name of the virus is, etc; but the most important thing is to have the network OPERATIVE again. (This applies to large organizations in which Server resources are critical)

AFTER DISINFECTION WRITE PROTECT ALL THE WORKSTATIONS BOOTABLE DISKETTES

Step 7) 48 hours control.

Once You disinfect both Server and Workstations reconnect all, start the Server and achieve a 48 hours control. (Be alert and look if symptoms of virus re-appear).

Finally I know this is a large procedure and could take a large amount of time to perform it, but You have no choice. If You perform a virus Scanning over a Net and don't take the above precautions You could probably infect more files. (Also applicable to "unknown" or "new" viruses)

This has a direct relation with the "domain" and "Rights" that a person has in a network. The more Rights a user has, the more damage to the files.

- --------------------------------------------------------------------------

Well, hope this helps.
Kind Regards
Ruben Arias

- ------------------------------------------------------------------------------
Ruben M. Arias
E-Mail: Ruben@RALP.Satlink.net
Buenos Aires - ARGENTINA
RALP - Computer Security - Virus
- ------------------------------------------------------------------------------

------------------------------

Date: Thu, 09 May 1996 10:10:16 +0000 (GMT)
From: SSL
Subject: Re: What to buy for NT server and win95 wkstns (NT)
X-Digest: Volume 9 : Issue 67

Iolo Davidson wrote:
> In article <0007.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
> ssl@iconz.co.nz "SSL" writes:
>
> > No need to update every month,
>
> Oh? When Word macro viruses came along, Invircible had to have
> a facility added to detect them. If you have an earlier
> version, you can't detect these very prevalent viruses.

No need to update *every* month. The IVB facility used to detect macro viruses was available well before Concept came on the scene.

> > no TSR's or NLM's,
>
> Pity. Won't run on a Novell server, then.

100's of companies using IV on Novell servers will prove you wrong.

> > and has superior detection and recovery facilities.
>
> The "recovery facilities" for Word macro viruses consist of
> manual instructions on how to delete infected macros by hand.

SCANPROT does a more than adequate job. With the IVB facility properly invoked you will identify all rogue changes to template when they occur - not weeks/months later when the macro virus becomes newsworthy. The statement still stands "IV has superior detection and recovery facilities".

Regards
Grant

------------------------------

Date: Thu, 09 May 1996 20:28:57 +0000 (GMT)
From: Paul DeMello
Subject: Norton AV 95 Auto-Protect (WIN95)
X-Digest: Volume 9 : Issue 67

Does anyone know if Auto-Protect for Norton Anti-Virus 95 checks files opened or run within a DOS prompt?

Thanks...
-paul

------------------------------

Date: Thu, 09 May 1996 01:55:51 +0000 (GMT)
From: John Pierce
Subject: NAV reports C64 virus (WIN)
X-Digest: Volume 9 : Issue 67

I have a system that is making me crazy. When entering windows (v3.11), NAV reports that it found the C64 virus. NAV locks up the system and says to reboot with the rescue disk. BZZZZZT. No rescue disk, the user didn't make one.

So I boot up from my handy-dandy McAfee floppy, run SCAN v2.2.11 (9603) and it doesn't find C64. Next I boot up from my F-PROT v222 disk, and again no virus found. So after F-PROT runs I change to the C:\NAV directory and run NAV.EXE. I have it scan ALL FILES and it finds nothing. I reboot the system, start windows, and NAV reports finding the C64 virus and locks up the system.

HELP!

------------------------------

Date: Wed, 08 May 1996 16:18 +0000
From: Graham Cluley
Subject: re: Gneb virus? (PC)
X-Digest: Volume 9 : Issue 67

Dan Pressnell writes:
> Hi, everybody. Microsoft Anti-Virus reported that I had the
> "Gneb" virus in memory and on disk, and it "cleaned" both.

I suspect you mean "GENB" and McAfee VirusScan rather than MSAV. If you are using MSAV I'd recommend that you dump it in favour of a decent anti-virus product. If you want to know some of the reasons why MSAV is considered to be rubbish check out Yisrael Radai's paper on the subject:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip

> I can't find any information on the Gneb virus. Does anybody
> know anything about it?

GENB is a name used by McAfee when it cannot precisely identify which virus you have. It's kind of shorthand for "Generic Boot sector virus".

> The effects that I saw were erratic disk performance, and a sudden
> inability of Windows 3.1 to use its 32-bit disk access mode.
> Things appear to be okay now.

This is quite common with many of the in-the-wild boot sector viruses.
Without knowing which virus you *really* had it's difficult to give you details on what it did/may have done. If you still have a sample you may like to try scanning it with a well-regarded product like Dr Solomon's, F-Prot, or AVP. They should be able to be much more specific about which virus you had. If you then tell us that name we'll tell you what it does.

> If you follow up, could you include email to me?

Done.

Regards
Graham

- --
Graham Cluley, Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit.
CompuServe: GO DRSOLOMON
UK Support: support@uk.drsolomon.com
US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 617-273-7400
Web: http://www.drsolomon.com

------------------------------

Date: Wed, 08 May 1996 16:24 +0000
From: Graham Cluley
Subject: RE: Need MBR reader (PC)
X-Digest: Volume 9 : Issue 67

flyboy@ari.ari.net writes:
> If anyone knows of a program to read the 512 byte MBR of a floppy
> disk I would appreciate a copy.

Floppy disks don't have an MBR, but hard disks do. Or maybe you mean the boot sector (which is present on both hard disks and floppy disks).

There are lots of tools which can do this including DEBUG which comes with MSDOS. If you give us a clue as to what you want to do (and whether you mean MBR or boot sector) we can recommend the best tool for the job.

Regards
Graham

- --
Graham Cluley, Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit.
CompuServe: GO DRSOLOMON
UK Support: support@uk.drsolomon.com
US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 617-273-7400
Web: http://www.drsolomon.com

------------------------------

Date: Wed, 08 May 1996 15:29:57 +0000 (GMT)
From: Shannon Custalow
Subject: Taipan 438-c (PC)
X-Digest: Volume 9 : Issue 67

Does anyone know how to get this off of the boot sector..or a good boot sector virus scanner?..Please help..none of the shareware products seem to work...
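The MBR-versus-boot-sector distinction drawn in the "Need MBR reader" replies, and the MBOOT0.DAT case in Denis Parslow's "Danger of False Alarms" post (a boot sector copied into an ordinary file), as an added example that is not from any poster in this digest: a Python classifier that parses a 512-byte sector image and tells a DOS boot sector (BIOS Parameter Block at offset 11) from an MBR (partition table at offset 446), then scans a file for such copies. The plausibility checks are heuristics of my own, the field layout is the standard DOS BPB and MBR partition-entry layout, and the two sample sectors are constructed inline rather than dumped from a real disk.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # trailing signature shared by MBRs and DOS boot sectors
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries end at byte 510
BPB_OFFSET = 11
BPB_FORMAT = "<HBHBHHBHHH"        # DOS 3.x BPB: bytes/sector .. heads, little-endian
PARTITION_ENTRY_FORMAT = "<B3sB3sII"   # flag, CHS start, type, CHS end, LBA start, count


def parse_bpb(sector):
    """Return the BIOS Parameter Block of a DOS boot sector, or None when the bytes
    at offset 11 fail a few sanity checks (a heuristic, not a filesystem driver)."""
    if sector[0] not in (0xEB, 0xE9):          # DOS boot code starts with a JMP
        return None
    (bps, spc, reserved, fats, root_entries, total_sectors,
     media, sectors_per_fat, sectors_per_track, heads) = struct.unpack_from(
        BPB_FORMAT, sector, BPB_OFFSET)
    plausible = (bps in (512, 1024, 2048, 4096)
                 and 1 <= spc <= 128 and spc & (spc - 1) == 0   # power of two
                 and reserved >= 1 and fats in (1, 2)
                 and media >= 0xF0)                             # F0/F8/F9.. media IDs
    if not plausible:
        return None
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fat_count": fats,
        "root_entries": root_entries, "total_sectors": total_sectors,
        "media_descriptor": media, "sectors_per_fat": sectors_per_fat,
        "sectors_per_track": sectors_per_track, "heads": heads,
    }


def parse_partition_table(sector):
    """Return the used entries of an MBR partition table, or None if any entry's
    boot flag is neither 0x00 nor 0x80 (then the bytes are not a table at all)."""
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY_FORMAT, sector, offset)
        if flag not in (0x00, 0x80):
            return None
        if ptype != 0:
            entries.append({"bootable": flag == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def classify_sector(sector):
    """Classify a 512-byte image as 'dos-boot-sector', 'mbr' or 'unknown'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    result = {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "kind": "unknown"}
    if not result["signature_ok"]:
        return result
    bpb = parse_bpb(sector)
    if bpb is not None:
        result["kind"] = "dos-boot-sector"
        result["bpb"] = bpb
        return result
    partitions = parse_partition_table(sector)
    if partitions:                 # at least one used entry and sane boot flags
        result["kind"] = "mbr"
        result["partitions"] = partitions
    return result


def find_boot_sector_copies(data):
    """Walk a file image at 512-byte alignment and report (offset, kind) for every
    chunk that classifies as a boot sector or MBR: the MBOOT0.DAT situation, where a
    scanner met a stored copy of a boot sector inside an ordinary file."""
    hits = []
    for offset in range(0, len(data) - SECTOR_SIZE + 1, SECTOR_SIZE):
        kind = classify_sector(data[offset:offset + SECTOR_SIZE])["kind"]
        if kind != "unknown":
            hits.append((offset, kind))
    return hits


def make_fat12_floppy_boot_sector():
    """Constructed 1.44 MB floppy boot sector (sample data, not a real disk dump)."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x3c\x90"                    # JMP SHORT +0x3C; NOP
    s[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, s, BPB_OFFSET,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


def make_mbr():
    """Constructed MBR with one bootable FAT16 (type 0x06) partition (sample data)."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\x33\xc0\x8e"                    # XOR AX,AX; MOV SS,AX prologue
    struct.pack_into(PARTITION_ENTRY_FORMAT, s, PARTITION_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x7f", 63, 1000000)
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


if __name__ == "__main__":
    # Constructed "file": a blank sector, then a boot-sector copy, then an MBR copy.
    image = bytes(SECTOR_SIZE) + make_fat12_floppy_boot_sector() + make_mbr()
    for offset, kind in find_boot_sector_copies(image):
        print("offset %5d: %s" % (offset, kind))
```

Feed `classify_sector` a sector saved with DEBUG (or read from a raw floppy image) and the result says which of the two structures the 512 bytes actually are before any cleaning is attempted.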
------------------------------

Date: Wed, 08 May 1996 17:23:22 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Need MBR reader (PC)
X-Digest: Volume 9 : Issue 67

flyboy@ari.ari.net wrote:

> If anyone knows of a program to read the 512 byte MBR of a floppy disk I
> would appreciate a copy.

What you request is impossible, since floppies don't have MBRs. They have instead DOS Boot Sectors (DBS), sometimes called DOS Boot Records or "the Boot Record"; this structure can be read with DEBUG or tools like Norton's DISKEDIT.

-BPB

------------------------------

Date: Wed, 08 May 1996 13:46:07 -0400
From: "James R. Mac Donald"
Subject: Sporadic system slow-downs virus related? (PC)
X-Digest: Volume 9 : Issue 67

Further to my previous post, another friend seems to be having the following problem lately:

In performing simple, rudimentary tasks (i.e. DOS EDIT from within Windows, being in Netscape, running Windows apps, etc.) his system "hangs" for approx. 30 to 60 secs. After this time, he will then audibly hear the hard drive engage and he'll be free to continue his processes.

Does anyone know of a virus that would simulate this scenario? We tried running through a recent log file of possible virii, but we didn't see one that accomplishes a momentary "hang".

Any help you can give me and my friends would be appreciated greatly.

Thanks,
J.R. Mac Donald
jrmd@thehole.win.net

------------------------------

Date: Wed, 08 May 1996 19:09:20 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Need MBR reader (PC)
X-Digest: Volume 9 : Issue 67

In article <0027.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz> flyboy@ari.ari.net writes:

> If anyone knows of a program to read the 512 byte MBR of a
> floppy disk I would appreciate a copy.

You won't find one. Floppies don't have MBRs.

- -
      SOAPS             TURN JOLLY GENTS
  THAT IRRITATE          TO JITTERBUGS
   THEIR MUGS              Burma-Shave

------------------------------

Date: Wed, 08 May 1996 23:46:20 +0000 (GMT)
From: Dan McCloud
Subject: FORM_A Virus (PC)
X-Digest: Volume 9 : Issue 67

I just detected the FORM_A virus on my computer. Since I have all important data backed up and not a lot of stuff on my hard drive, I decided to just re-format the drive. At the end of the format, I get an error message that says "Error writing to partition. Format aborted."

So I figured I would run FDISK and re-partition the drive. But, when I erase the existing partitions and exit FDISK, it seems that the partitions automatically reappear.

Can anyone explain this or offer some help on how to get this computer clean?

[Moderator's note: You most likely have some form of boot sector virus protection enabled on your machine that write-protects the MBR. This is a common option in most current BIOSes. There are some software schemes that do this with varying success too.]

------------------------------

Date: Wed, 08 May 1996 20:45:54 +0000 (GMT)
From: Costas Giannakenas MD
Subject: PLEASE HELP!! 1986.variant of KARNAVALI virus (PC)
X-Digest: Volume 9 : Issue 67

A newbie friend has managed to get his boot sector infected with the "1986.variant.Karnavali" virus. Some .exe files which had been infected were detected and cleaned by F-PROT 2.22 but the boot sector could not be cleaned. TBAV is unable to help either.

My friend has too many files to make formatting the disk a feasible solution. Can anyone please help?

TIA
Costas Giannakenas MD
cgian@hol.gr

------------------------------

Date: Wed, 08 May 1996 19:05:05 +0000 (GMT)
From: Iolo Davidson
Subject: Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
X-Digest: Volume 9 : Issue 67

In article <0024.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz> jmayo@smurfland.bbs "Alchemist" writes:

> In article <0018.01I4G20IMOKOSKVUM0@csc.canterbury.ac.nz>, Iolo Davidson
> wrote:
>
> >In article <0025.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
> > maxwells@kiva.net "Chris Clayton" writes:
> >
> >> Is it possible for a computer with the NYB, Form, or Stoned virus
> >> to have its hard drive physically damaged.
> >
> >A hard disk can give up the ghost at any time. Having a virus
> >won't prevent it.
> >
> >If you are asking if a virus can *cause* physical damage, then
> >no, there is no virus that can do that.
>
> two things.
>
> Old Multisync monitors.
>
> Old IDE harddrives (seagate). Not physical damage to low-level format, but
> since they have weird interleave on them, a costly repair.

One thing: Name the virus that causes any such damage. It's put up or shut up time.

- -
      SOAPS             TURN JOLLY GENTS
  THAT IRRITATE          TO JITTERBUGS
   THEIR MUGS              Burma-Shave

------------------------------

Date: Wed, 08 May 1996 17:52:34 -0500 (CDT)
From: Jason David Moerbe
Subject: What does SAMPO do? (PC)
X-Digest: Volume 9 : Issue 67

I am relatively new to computers and computing. Last week my McAfee detected and, supposedly, cleaned up a virus it called SAMPO. The virus was on a disk and I don't think it ever made it into the computer, itself. I was just wondering if anyone out there knows what SAMPO is and does. E-mail appreciated.

Jason D. Moerbe
Jmoerbe@tenet.edu

------------------------------

Date: Wed, 08 May 1996 23:15:45 +0000 (GMT)
From: Wayne Riddle
Subject: Re: Thunderbyte and zip or compressed files (PC)
X-Digest: Volume 9 : Issue 67

Blackie Lawless wrote:

>I read the entire helpfile for TBAV95, and did not see mention of
>capabilities for scanning zip or compressed files. Is there a feature
>and I just missed it? Or do I have to extract the contents of a zip
>file and then scan it?

ThunderBYTE doesn't scan inside of compressed files. You can scan them after you unzip them. The File I/O monitor in the Windows 95 version of TBAV will catch infected files as you unzip them. WinZip has an option for ThunderBYTE (and others) to scan compressed files.

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Thu, 09 May 1996 08:49:57 +0200
From: Stefan Kurtzhals
Subject: Re: Concept Virus and sick laptop? (PC)
X-Digest: Volume 9 : Issue 67

Iolo Davidson wrote:

> > InVircible handles Concept alright.
>
> Does it indeed? From the manual entry you quote (below), it
> seems that Invircible doesn't handle it at all, but advises the
> user to remove the macros by hand:
>
> > Delete the five macros with the above names and save the document in its
> > clean state. The NORMAL template is cleaned by either saving the 'NORMAL'
> > style (open the File / Templates menu and tick the "automatically update
> > style" box), or by loading NORMAL.DOT as a Word document, deleting the
> > macros and then closing it after having saved the template clean. The
> > template should be cleaned last, after all affected documents were
> > cleaned.

And what about Colors and Xenixos, which have some kind of stealth? They don't allow access to the macro list anymore. You won't be able to clean these macro viruses this way.

> It seems you did have to update Invircible's scanner to detect
> Concept. So much for "no updating required". Do you think you
> will never have to update it again? Not even for the next macro
> virus, and the one after that? Can it detect the others that
> exist now?

And what about Excel.DMV or Green_Stripe? Surely, these are just research viruses, but I think there will be more non-Word macro viruses in the future.

> > The IVX correlator will search and find all Word files that are
> > affected by Concept. Start IVX and select Concept macro from
> > the menu.
>
> Hmmm... You mean it only finds Concept? I understand that there
> are at least five Word macro viruses, two or three of them in the
> wild. Can't detect the others? I think you may need to
> institute an update subscription service to keep your users
> protected.

There are many more than just five macro viruses! Concept, Concept.Fr, Nuclear, Nuclear.B, Colors, Hot, Atom, Imposter, Xenixos, Polite, DMV, Boom, LBYNJ, NOP, Pheeew (maybe I've forgotten some).

> > It could be worth installing the Microsoft ScanProt protection to
> > the global macro template. With ScanProt installed, Word will
> > warn if the document you are about to open contains an
> > autoexecuting macro and prompt if to let the macro to execute.

Yes, and viruses which rely on non-Auto* macros can activate like they want. Good protection! :-(

BTW, there's a way (at least in Word 7.0) to bypass ALL these antivirus macros; it's just our luck that no virus writer has found it yet. And there's also a way to write a macro virus without using auto or system macros at all! :-(((

bye,
Stefan Kurtzhals
- --
F/WIN * HEURISTIC MACRO VIRUS DETECTION AND REMOVAL ---

------------------------------

Date: Wed, 08 May 1996 17:03:09 +0000 (GMT)
From: George Wenzel
Subject: Re: Virus in BIOS (PC)
X-Digest: Volume 9 : Issue 67

In article <0020.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz>, 07-May-1996 1717 <"stc::stevens"@ampakz.ENET.dec.com> wrote:

>This is no longer strictly true. A local (SC) company had an extensive
>Trojector infection on their network. During the scan/clean process it was
>discovered that one pc continued to boot dirty after successive
>disinfections. An MIS type discovered an entry in the bios setup (advanced
>chipset setup) menu labeled:
>
> ENABLE VIRUS/DISABLE VIRUS

This has nothing to do with a virus being present or not. Some BIOSes have a built-in virus checker, which prevents changes to the boot record. This is what the switch was saying, not that there was a virus present.

>Apparently, the bios code was edited, virus code added, then loaded onto
>an eprom and the bios chip replaced. The previous user of that particular
>workstation had been fired already, another MIS type. Yes, selecting
>DISABLE VIRUS *did* disable the virus.

Sorry, but no, it would not. There are no viruses which reside in the BIOS, and the 'disable virus' is for disabling virus checking. This would be a documented switch (it's commonly in the advanced chip setup menu) in the motherboard manual.

Regards,
George Wenzel

 ("`-''-/").___..--''"`-._          George Wenzel
  `6_ 6  )   `-.  (     ).`-.__.`)  Student of Wado Kai Karate
  (_Y_.)'  ._   )  `._ `. ``-..-'   University of Alberta Karate Club
_..`--'_..-_/  /--'_.' ,'           NETSCAPE GOLD RUSH CONTEST WINNING PAGE:
(il),-''  (li),'  ((!.-'            http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Thu, 09 May 1996 03:19:38 -0400
From: Bill lambdin
Subject: McAfee's Scan (PC)
X-Digest: Volume 9 : Issue 67

Zvi Netiv writes

>Quite simple. At some stage you ran McAfee's SCAN program
>with the "add validation data" option. It adds exactly 98 bytes to
>executables for validating them later with SCAN.

Since when does McAfee's Scan add 98 bytes to files for self checking? The last time I tested this aspect of McAfee's Scan, Vshield, Scan only added 10 bytes to the executable files. Heck, 98 bytes is 4 times as large as the smallest virus in my collection, trivial.23.a (23 bytes in size).

I do not like, or recommend, A-V programs that modify the user's executable files, for the following reasons.

a. many programs check their self integrity, and will stop functioning if they are modified.
b. this self check can not detect companion viruses
c. this self check can not detect fully stealthed viruses.
d. this self check can not detect path companion viruses
e. this self check can not detect tunneling viruses.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                    PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                         C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Thu, 09 May 1996 03:20:05 -0400
From: Bill lambdin
Subject: Virus removal (PC)
X-Digest: Volume 9 : Issue 67

Zvi Netiv writes

>Yet user should be aware that there exists the possibility that a
>disinfector may confuse variants of the same virus, or worse, simply have
>a faulty disinfection routine for particular viruses. Therefore, always
>try a disinfector on infected samples and CHECK that the disinfected files
>are clean and FUNCTIONAL. Do NOT take the "virus removed" statement of a
>scanner-disinfector for granted as it has no means to verify its doing.
>This capability belongs to generic restoration, not to scanners.

I only recommend cleaning viruses as a last resort. Whenever possible, I prefer to delete the infected files, then restore clean files from backup or original diskettes.

In my last test of InVircible 6.10c, tested February, InVircible failed to clean COMMAND.COM of the Lehigh virus. Below is a direct quote of this failure.

- ---------------------------------------------------------------------------
Lehigh.A

This virus was selected because it is a resident infector of COMMAND.COM. The virus is written to a cavity inside COMMAND.COM. There is no filesize increase to COMMAND.COM.

When running another file after this virus was run, the system hangs.

I re-boot the computer (from the hard drive). At bootup IVINIT.EXE reported:

  "The COMSPEC data has changed. This might indicate an infection."
  "Do you accept the change? Please confirm! [Y/N]?"

After successfully reporting this virus, I booted clean from the rescue diskette. I ran IVB, and it reported "COMMAND.COM was modified, not necessarily by a virus". I ran IVB /R to remove the virus. IVB reported "COMMAND.COM changed in size by 0 bytes. COMMAND.COM is restored to its original status."

I calculated new MD5 hash values for the files after infection and removal and compared them to the ones on file. The hash values did not match.

Before infection by Lehigh
COMMAND.COM    54619  09-30-93  06:20  c98e0df201047722fec01cfda0db3ce0

After infection by Lehigh
COMMAND.COM    54619  09-30-93  06:20  71612f0eea595e731c544185c1e6831b

Partial failure (on detection): IV did not properly label this change to COMMAND.COM as due to a virus.

Failure (on removal): The virus was reportedly removed, but the file was NOT returned to the original uninfected status. The "clean" file was a somewhat corrupted file that should not be trusted.
- -----------------------------------------------------------------------------

In my recent debates with your agent Robert Casas, he stated that IV returned COMMAND.COM to "functional status". However, original status and functional status are not the same. The cavity portion of the Lehigh virus was left inside COMMAND.COM.

Cleaning a file is where the A-V software actually removes the virus instead of leaving 555 bytes of code in files to cause false alarms at a later date.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                    PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                         C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Thu, 09 May 1996 03:20:16 -0400
From: Bill lambdin
Subject: Macro viruses (PC)
X-Digest: Volume 9 : Issue 67

Zvi Netiv writes

>There is more hype than substance in the Winword macro virus issue. Macro
>viruses are a negligible threat compared to the dumbest common and most
>prevalent boot infectors. They are easy to remove, just with Word itself
>and using your common sense.

Negligible? I believe that users afflicted by macro viruses such as Concept, Nuclear, Colors, etc. would NOT deem the threat negligible.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                    PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                         C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Thu, 09 May 1996 12:03:58 +0100
From: Jason McClean
Subject: Re: Very slow boot up--virus? (PC)
X-Digest: Volume 9 : Issue 67

On 4 May 1996, VanPopering wrote:

> My friend has a Gateway 2000. Just last week when he turns on his
> computer, it takes at least a full 5 minutes before it really does
> anything. One or two normal boot-up messages show up but then it just
> sits there. 5 Minutes later it continues -slowly- and finally he can use
> it.
>
> Once it is running, everything seems fine. Sound like a virus? What
> would you use to scan it with?

As well as checking for viruses etc. (although there could be one, I s'pose, in the boot sector that's causing all the trouble), try checking out the BIOS. I had trouble similar to this and it was the fact that for some reason the BIOS thought there were two hard drives, so it spent ages trying to find the second one. Mind you, I also had Stoned.Angelina on the system at the time!

Does anyone know of any viruses that can muck up your BIOS?

Jason McClean

------------------------------

Date: Thu, 09 May 1996 11:58:00 -0500 (EST)
From: keith@command-bbs.com
Subject: Re: Need MBR reader (PC)
X-Digest: Volume 9 : Issue 67

>If anyone knows of a program to read the 512 byte MBR of a floppy disk I
>would appreciate a copy.

Read? Do you want to save it to a file as well? If so we have a few utilities on our BBS that can do this for you (see signature for phone).

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA Distributor for
P.O. Box 856                       AntiViral Toolkit Pro
Brunswick, Ohio 44212              Internet: info@command-hq.com
Compuserve: 102404,3654 :GO AVPRO  FTP: ftp.command-hq.com /pub/command/avp
WWW: http://www.command-hq.com/command
Phone: 330-273-2820  Fax: 330-220-4129  BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Thu, 09 May 1996 23:17:13 +0000 (GMT)
From: Mike Brodbelt
Subject: Re: Need MBR reader (PC)
X-Digest: Volume 9 : Issue 67

flyboy@ari.ari.net wrote:

>If anyone knows of a program to read the 512 byte MBR of a floppy disk I
>would appreciate a copy.

Floppy disks actually don't have an MBR. The MBR or partition sector on a hard disk resides on sector 1, cylinder 0, side 0, and contains the partition table for the disk, and some code. The partition table defines up to a maximum of 4 partitions, of which 1 may be marked as active (bootable). The code contained within this sector scans the entries in the partition table, finds the partition marked as bootable, loads the boot sector for this partition into memory and passes control to it (assuming the MBR has not been altered to take other actions).

A floppy disk cannot be partitioned under DOS, and the sector that resides at track 0, side 0, sector 1 is the boot sector.

If all you want is a way to read the boot sector of a floppy into memory, you can do it using debug quite happily. Use instructions like:

    debug
    l 0100 0 0 1      ;Load 1 sector (logical sector 0 of drive A:) into memory at 0100h
    rcx
    0200              ;Put the size (512 bytes) into the CX register
    n bootsect.img    ;Name the output file
    w                 ;Write CX bytes from 0100h to the file
    q

This will give you a 512 byte file called bootsect.img, containing the data from the boot sector. Unfortunately, this trick won't work for hard disk boot sectors, due to the way debug accesses the disk, and a few vagaries of DOS, but it'll be fine for floppies.

Of course, this assumes you're doing this on a clean system. If you try this on a system with a virus in memory, the virus would be more than capable of redirecting the read request, and what you see in the file may bear no relation to what is really on the disk. However, this will work fine with many non-stealth viruses, even if they are in memory at the time. In order to be sure, you should boot off a known clean floppy, though.

HTH

Mike.

------------------------------

Date: Thu, 09 May 1996 16:45:08 -0700 (PDT)
From: 09-May-1996 1919 <"stc::stevens"@ampakz.enet.dec.com>
Subject: Re: Virus in BIOS (PC)
X-Digest: Volume 9 : Issue 67

>[Moderator's note: Two points:
>1) Are you sure? Maybe this is a case of someone misreporting or not
>understanding what they really found. Many BIOSes have a "virus
>protection" feature that can be turned on/off--maybe it had been turned on
>after the virus infected the HD.... Maybe this was deliberately
>misreported to cover earlier incompetence on the part of the reporter?-
>after all, a -previous- employee isn't likely to be able to discredit a
>current incumbent. Please supply details of date, place, reliable
>reference, etc.
>2) Even if your report is totally verifiable, what you report is -not- a
>virus that resides in the BIOS. It would be a case of a human explicitly
>modifying the environment (if not the virus itself) in such a way that the
>virus itself could never achieve, so no replicants of that infection would
>ever again reside in a PC's BIOS.]

OK, I'll address point two first, it's easier. I did not represent this as a virus that inserts itself into a BIOS or one that could do that on its own. Your previous statement:

>>[Moderator's note: None of the AntiCMOS family, -nor- any other viruses,
>>"reside" in a PC's CMOS or BIOS. I'll leave it to others who know this
>>particular virus better to dispel the rest of myths here.

From the American Heritage Dictionary:

reside 1. To live in a place; dwell. 2. To be inherently present.

I'll leave definition 1 to the AI people. Assuming that the virus code is on the eprom, along with the BIOS code, definition 2 seems to apply in this case.

Now on to your point two. The person who told this to me is the person who found the problem. I have known him for more than 30 years and I trust his word and judgement. But of course, you still have only my word on this, even if I supply dates, times etc. I don't understand the relevance of that request unless you intend to investigate this. Rather than address each of your scenarios about misreporting, I'll just supply you with his email address. That way, if you really want to verify this, you can. I spoke with him this evening, and he said that you could come and look at the pc yourself if you want to. The address is: keithstevens@kemet.com

Kurt Stevens

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 67]
*****************************************