VIRUS-L Digest   Tuesday, 14 May 1996   Volume 9 : Issue 70

Today's Topics:

Re: Internet Anti-virus Software Comparison Report??
Re: B1 on novell 2.2 server (NW)
Re: Disinfecting from One-Half (PC)
Re: Thunderbyte and zip or compressed files (PC)
Slow Boot (PC)
Re: Help to get rid of NATAS virus (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Thunderbyte and zip or compressed files (PC)
Re: Please inform how to fix "readibios"(?) virus ? (PC)
Who knows the "Parity Boot B" virus? (PC)
Please help!! Infected with BRAIN!!! (PC)
Virus (??) duplicates files with 11/07/95 time stamp? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Sun, 12 May 1996 10:49:25 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Internet Anti-virus Software Comparison Report??
X-Digest: Volume 9 : Issue 70

In article <0005.01I4MPK5C2EYSKXBI6@csc.canterbury.ac.nz> asgtech@riconnect.com "Andrew Gagarin" writes:

> Andre Xavier wrote:
>
> > I'm trying to set up an internet and Intranet for my company and we are in
> > the stage of searching for the right Internet Anti-Virus solution for our
> > network (You don't know what will happen next to your network, right!!?).
> >
> > Please... Anyone came across any comparison/report on internet Anti-virus
> > software or solution? I'll be very grateful if you can let me know!!
>
> PC Magazine, May 1996 has a good comparison. It is probably available
> online at pcmag.com
>
> Andy Gagarin

Was this the review that thought that Dr. Solomon's couldn't do virus removal (when in fact it is one of the best removers)?

--
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS   Burma-Shave

------------------------------

Date: Sun, 12 May 1996 11:30:39 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: B1 on novell 2.2 server (NW)

Fri, 10 May 1996 17:28:11 +0000 (GMT) Bruce Burrell wrote ............

BB> Mr. Arias presents below what seems to me, from my relatively
BB> NetWare-naive position, to be a good set of instructions for disinfecting
BB> servers. I've snipped out the majority, leaving in only the parts that I
BB> think need comment or clarification.

First of all, thanks for the corrections (grammar and others!) Bruce! ;-)
I'll try to explain the points and then correct my document.

> [snip]

RA>> The following is a procedure that I strongly recommend for all Novell
RA>> administrators (as well as advanced users).

> [snip]

RA>> - Disinfection of one workstation.
RA>>
RA>>   Drivers and usual "shared" executable files may be placed in a

BB> Change to "should be" or "must be" placed ...

Agreed! Shared executable files MUST (obligation) be placed on a
Clean_Write-protect_Bootable diskette. (First correction to the document!)
RA>>   Clean_Write-protect_Bootable diskette in order to make a safe connection
RA>>   to the server. Examples of these files are:
RA>>   Drivers: Lsl/Ne2000/Ipxodi/Vlm's.
RA>>   Other  : Login.exe.
RA>>
RA>> - Disinfection of Server.
RA>>   a) DOS Partition. (Includes Boot/Partition and DOS files)
RA>>   b) Novell Partition. (Includes Files)
RA>>
RA>> Step 1) Backup Server (Always) <<-- [This is the most important thing!]

BB> ... *AFTER booting from a clean write-protected floppy. Otherwise, with
BB> a fast infector active in memory, the tape backup may cause more files to
BB> get infected. And if it happens to be an overwriting infector, the
BB> backup will actually make matters much worse, since both the files on the
BB> server and the images on the tape may be corrupted. [This may not be
BB> the case when the backup is NLM-based, but why take chances?]

When you set up a server, Novell creates two partitions on the HD: one DOS and the other Novell. Usually the DOS partition is about 7 to 15 MB. The size of the partitions can be customized by the person who does the setup, depending on how much space will be needed for each partition.

When the machine is booted, this DOS partition takes control and then passes control to SERVER.EXE (the heart of a server); then all the *.nlm's are loaded.

Under DOS you should check for viruses in:
- Boot/Partition
- Executable files (exe, com, ov?, dll, sys, etc.)

If a person does this, they can determine that the SERVER is free of viruses. I'm talking about memory and DOS (partition and files). Then we MUST check the files in the G, F, H, etc. server drives in the Novell partition.

Why is it not convenient to disinfect something before a BACKUP? Because you NEED to save the actual state of the server. Again, if something goes wrong with the disinfection, the initial state can be reached. (I suppose this will be added to my document.)

Procedure before BACKUP:
========================

It will be convenient to disinfect a workstation first. Then, look for infection in the SERVER
(DOS partition and SERVER.exe). Once the server is running, don't launch any executable from the server (this will avoid loading any TSR virus or activating an overwriting or fast/slow infector). Launch BACKUP from the workstation. Try to back up everything. If you have no time, back up only DATA (worksheets, docs, projects, programming sources, etc.), but then you must re-install all the applications again. Then, continue with the steps for disinfection ....

RA>> This is the best option for Boot sector viruses, if you use a
RA>> TAPE backup, because Boot sector viruses (I don't mean multipartite!) could
RA>> NOT spread on a tape. If you could NOT disinfect the Server or something
RA>> was ruined in the middle, you can always reach the initial state.

BB> Assuming the clean boot and uninfected support files (e.g., LSL et
BB> al), I agree.

Yes, of course! See above.

RA>> Step 2) Backup ALL relevant Workstation data. (Worksheets, Documents,
RA>>         etc.) (Software could be re-installed again but NOT data)

BB> Once again, after the canonical clean floppy boot and clean NetWare
BB> software load.

RA>> Step 3) Disconnect all remote stations.
RA>>         You could do it just by removing the coaxial adapter or twisted pair
RA>>         connector from the rear CPU panel of the stations.

BB> Is this necessary? And if so, wouldn't it be easier merely to
BB> disconnect at the server end, rather than at each client?

Yes, this is true. But you'll need the Server operative and don't need anybody trying to connect to it. I had many cases here of users who really don't understand that they must stop working. Of course you can run a command on the Server that doesn't allow user connections anymore. But I prefer to use the server as little as possible.

RA>> Step 4) What do you need for the Disinfection Procedure.

> [snip]

RA>>   c) CMOS sequence of all Workstations (and server) may be set to
RA>>      A: C:.

BB> And, after successful disinfection, Step 8) reset to "C: only" or "C:
BB> then A:"; if available, the former is preferred.
I have at least two reasons to write this:
1) Many Workstations have no HD and must be booted from A:.
2) If the Boot diskette is write-protected and never removed by the user, it is safer than booting from C:. Why? Because you always boot clean and connect to the Net CLEAN.

RA>> Step 5) Disinfection:

> [snip]

RA>> The problems that will appear during disinfection could be:
RA>> Boot/Partition infection: The software will advise you whether it
RA>> could remove the virus from these areas or not. If you have any doubt, 'just
RA>> say NO'. This means that you'll need another product to do the job.
RA>> File infection: It could be possible that the software doesn't
RA>> disinfect or repair the affected file. Again, if you have any doubt about
RA>> this, just DELETE the infected file and restore the file from the original
RA>> product.

BB> Comments:
BB> 1. It pays to use a product you can trust, so that it will disinfect
BB>    correctly. Without same, one probably should switch to something
BB>    more reliable.

Yes, I can trust .... but .... Suppose for a moment that you're trying to disinfect the Server.exe file and the AV doesn't do it well. Why take the risk of a buggy file or false positives?? (many AV don't do great jobs fixing infected files). On the other hand, if you have ORIGINAL files (and diskettes) of the Novell software or "other" software, why take the chance?

BB> 2. If unsure, one could always try to infect a diskette, and see
BB>    whether the AV product can disinfect the floppy. No guarantee that
BB>    this has any transitive property, but if it *doesn't* disinfect
BB>    correctly, I'd certainly be pretty gunshy about how it might work on
BB>    the hard drive or server.

I agree!!!

BB> Thanks for posting the step-by-step, Ruben!

No Bruce, thank you for the corrections and advice !!!!!!!!!!

Regards
Ruben Arias

------------------------------------------------------------------------------
Ruben M. Arias
E-Mail: Ruben@RALP.Satlink.net
Buenos Aires - ARGENTINA
RALP - Computer Security - Virus
------------------------------------------------------------------------------

------------------------------

Date: Sun, 12 May 1996 17:59:44 +0300
From: Zvi Netiv
Subject: Re: Disinfecting from One-Half (PC)

At 12:09 AM 12/5/96 -0400, Richard Cressman-Salesian Boys and Girls Club wrote:

> Thank you beyond what I can tell for your post. I have been having
> increasing trouble with our computers since towards the end of last year.
> Just recently I loaded the McAfee AV and it detected the One Half but would
> not cure it. I went to comp.virus (my 1st time there) and saw your post.
> I downloaded the cure program but was leery because my pkunzip was also
> infected. However, it unzipped OK, cured the pkunzip, and even itself after
> it became infected. I have disinfected about a dozen computers.

The usual problem users have when facing problems with the first "real" virus is where to begin from. One-Half is tricky because it's multipartite, a fast infector, stealth and, on top of all these, it has a nasty habit of encrypting a couple of cylinders every time you boot.

> I intend to write up a history of the development of the symptoms. The first
> one was a hang up with certain programs. The computer would not even reboot.
> Later, I would get the message, Program is too large to fit the memory (or
> something like that). The most curious thing is that one computer had gotten
> so bad that I reformatted the disk and reloaded it.

By now you realize that formatting was a waste of time as One-Half manipulates the MBR as well. Formatting without FDISK'ing didn't touch One-Half's overlay. If you had InVircible's ResQdisk then you could see through the virus stealthing how it's done. Watch the MBR and it will tell you there is stealthing active; switch SeeThru ON and browse track 0.
You will see a whole sequence of code (the virus boot overlay) occupying the last sectors; in one of them you can read "Dis is One Half" [sic].

Formatting with One-Half in the MBR actually created a much more serious problem. I'll explain. Every time you boot from the HD, the virus encrypts a couple of cylinders from the top down, and updates the pointer of the decryptor, kept in the MBR. Suppose now that you already had 200 cylinders encrypted and reformatted the drive from external DOS, I suppose, and reloaded software. If the virus was inactive when reloading data to the hard drive, then everything that was written into the encrypted zone will be "decrypted" when the virus is active (when booting from the HD), actually encrypting that data.

If you had InVircible installed on your drives, then your problem wouldn't have deteriorated that far, as on first booting with One-Half, IV warns you that the MBR is stealthed, and it ain't Ontrack's DDO. :-) Still not too late. IV is available from any site in my sig. The new version now has generic Word macro malware scanning and REMOVAL.

> However, it would not
> boot from the hard disk, only from the floppy. I applied the disinfecting
> program today, but after running, it did not reboot as the others had done.
> (Actually the virus was not in the memory, only in the partition table.)
> Anyway on rebooting I lost access to the hard disk even though the setup
> said it was there. From previous experience, I figured I lost the partition
> table. I was able to restore it, but got directory errors, which showed up
> especially in Norton NDD. I decided to encrypt it to see what happened, but
> when I used the /e switch, it DEENCRYPTED again. (I had, of course, recorded
> the numbers). After that, the computer worked fine: Directories OK and
> booted from the hard disk.

Read above for the explanation of what happened.
> When I finish a complete account of the development of the symptoms, would
> it be appropriate to post them to the newsgroup? to send them to SAC? to
> send them to anyone else? As I mentioned above, there seems to be a residual
> hardware problem which is not removed by reformatting. This could be
> significant, if not already reported.

A wrap-up post to the newsgroup is considerate, especially if it tells others how to stay away from trouble or solves problems others may have too.

Regards, Zvi

--------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Sun, 12 May 1996 17:55 +0000
From: Graham Cluley
Subject: Re: Thunderbyte and zip or compressed files (PC)

keith@command-bbs.com (Keith Peer) writes:

> As far as I know ThunderBYTE cannot virus scan within archives. You
> may be interested in *other* antivirus products for this feature.
> AntiViral Toolkit Pro supports ZIP, ARJ, RAR, LHA, ICE and LZH
> archives and can virus scan within multiple layers and mixed
> archive types. You can get an evaluation from the WEB, FTP and
> BBS below in signature.
>
> I think Dr. Solomon's as well supports archives but I do not know to
> what extent.

Yes, we can also recursively scan inside different archive formats (e.g. a PKLITE'd virus inside a ZIP inside an LZH inside an ARJ). We support the following formats: ZIP, ZIP2EXE, LZH/LHA, ARC, ARJ, PKLite, LZExe, ICE, Diet, CryptCOM and Microsoft Expand (sometimes called Microsoft Compress).
One of the nice things about our implementation is that it doesn't write a single byte to your hard disk, and can easily handle, say, a 4000MB zip file.

Secure Computing did some tests of scanners' ability to scan inside compressed and archived files. The results can be found at http://www.drsolomon.com/avtk/reviews

It seems Dr Solomon's and AVP are leading all the other products in this area.

Regards
Graham

--
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 12 May 1996 14:54:09 -0700
From: Richard Willson
Subject: Slow Boot (PC)

Now, although I have a relatively fast computer, 90MHz, my computer seems to take progressively longer to boot up. When I first got the computer last July, it just seemed to zip along faster than I've ever seen, but compared to that it takes a bit longer to boot up! Mind you, it still is going fast, I am only using Windows 3.11, and have 32MB RAM, but I think I might have one of those viruses that make the computer slow down just a bit every time you boot up. It may just be the fact that although I defragment my hard drive regularly, it may be putting the files in different spots or something (meaning I would only have to back up my files, wipe the drive, then put them back on). I don't really care what's causing it, just as long as I know what it is, and what I can DO about it. So far it is not critical; I was hoping to fix it BEFORE it became a problem. Any ideas of what viruses etc. might cause this, and what programs etc. I'd have to get or do to remedy this situation?

Any help is much appreciated!
--
Richard "Titanes" Willson
Internet Address: rwillson@netinc.ca

------------------------------

Date: Sun, 12 May 1996 19:23:49 +0000 (GMT)
From: Jolyn Skinner
Subject: Re: Help to get rid of NATAS virus (PC)

That virus came on the disks used to set up my computer. The first time, the folks that sold me the computer replaced the hard drive. Second time, they would have replaced the hard drive, but I took it to someone and they got the hard drive back up - think they used Norton, but lost some files, including my CD drivers. Two months later - I was replacing the CD and, not knowing that Natas was on my setup disk - reinfected the machine. The tech that tried to recover the hard drive used McAfee this time, but didn't do it. I got desperate - and tired of risking my hard drive - did some reading - Ended up getting IBM Anti Virus software - $29 at Best Buy. It could have been on sale. I used the DOS version. Comes with DOS, Windows, and Windows 95 in the box. And, I didn't lose a single file.

Jolyn

------------------------------

Date: Sun, 12 May 1996 10:46:17 -0400 (EDT)
From: "Bruce P. Burrell"
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)

Iolo Davidson (iolo@mist.demon.co.uk) wrote:

> In article <0034.01I4EQ0GUE9QSKVUM0@csc.canterbury.ac.nz>
> bpb@umich.edu "Bruce P. Burrell" writes:
>
> > > And when/if it does get turned off, that is in itself an
> > > indication that you are no longer in the hands of a "user". This
> > > only happens in practice when being run by at least an
> > > experimentalist. You never get a complaint from a user about
> > > this. It won't happen to him.
> >
> > I'm certainly willing to defer about whether this is the case right
> > now, but it doesn't strike me as an altogether unlikely possibility for
> > the future. A BSI or two, a file infector, and a bunch of different Word
> > Macro viruses. I'll leave [snip]'s cherished Cornucopia out of the argument.
>
> If the real world ever gets so dirty that ordinary users harbour
> more than ten viruses at a time, then the number required to drop
> the precise identification can easily be bumped up to twenty or
> whatever.

If S&S makes that change, the documentation will have to be modified to account for it, correct? Fix the onscreen/logfile message, and be done with it.

> > > Experimenters and performance testers are a different deal, and
> > > in their case, the designers have apparently taken the view that
> > > precise identification is secondary to the scanning speed
> > > issue. There is a switch for the clued up ones to force precise
> > > identification if they want it. The clueless ones are just the
> > > people who will make the mistake of doing their speed tests on a
> > > virus collection, so I think the designers made the right
> > > decision.
> >
> > Is it your position that you should make a product look as bad as
> > possible to the clueless reviewer? That's not a loaded question; I can
> > see that perhaps it might help to discredit future work by that
> > individual. Nonetheless, I would think it a better strategy both to be,
> > and to appear to be, better than the competition, regardless of the
> > competence of the reviewing party.
>
> Missed the point.

Nope. It was perhaps a tangential question, but the point is clear in my mind.

> The trade off is precise identification
> against speed. Clueless reviewers may or may not notice the
> precision (probably not, since other products being compared
> won't have it, and the reported virus names won't match between
> many products anyway), but the difference in speed if precise
> identification is left on will be noticed. It's a judgement
> call, and the designers have made the right choice in my view.

Sure, it's a judgement call about switching to a fast scan; I agree with that.
It's also a judgement call about allowing unclear descriptions to remain in a product; if S&S don't modify this before the next manual revision, they will have made the wrong choice in my view.

> > > You can never get the wording "right" for everyone. The wording
> > > is however correct. If people look in the manual, the issues are
> > > explained. You could have the program print whole pages from
> > > the manual for every virus reported and it still wouldn't be
> > > "right" because people wouldn't read it or would be confused by
> > > it. They don't even read the four word reports that *are*
> > > printed.
> >
> > Apparently someone somewhere read the report; that's why the complaint
> > was lodged in the first place.
>
> Not by a user, but by someone scanning a collection. This
> feature does not affect users at all.

Sure it affects users. In fact, it probably affects the very ones who are making purchase decisions: if I use a particular AV product that is unable for an extended period of time to deal with a virus common at my site, I will search for a product that can handle it. Moreover, I will be certain to ascertain that it also handles other viruses we encounter regularly.

What might I or someone else in this situation do? Certainly I'd check the independent reviews, but I'd also test first-hand that the product can detect and remove properly those viruses we know and loathe. How would I do that? I'd probably put all the viruses on a diskette and let the scanner have at it. For BSIs, perhaps I'd make a binary image and use that with DSAV /!DOBOOTS or whatever the switch is; the point is that it would be reasonable to assume that a large institution would have little trouble finding ten or more viruses to test.

What happens? All products but DSAV might identify those viruses in a way that I consider "accurate", while DSAV reports in what appears a vague manner. So DSAV loses points in that aspect.
Assuming that I don't reject the product at that point, I suspect its accurate disinfection will raise its stature sufficiently that it may win the evaluation. But why put it in a hole to start? Note that S&S personnel have recommended the test against "known viruses", so this is not a hypothetical. Also, with the benefit of this thread, I would know better than to reject DSAV based on the result. Can you say that of the average evaluator? No. Can S&S afford to take that chance? Sure, but to what benefit to them or the potential customer?

> > > You don't think that any software company lets programmers decide
> > > this stuff do you?
> >
> > For companies that value excellence? Sure do, though perhaps not ones
> > on the scale of S&S. Still, I bet the prestige of some of the programmers
> > there might be able to get such a change designated Priority One (not that
> > this particular issue deserves it). [Hmm. Maybe not 'decide', but
> > certainly 'influence'.]
>
> I have actually worked in the company concerned, and can assure
> you that it is not as straightforward as you believe. Even Dr.
> Solomon couldn't always get what he wanted done. What happens in
> a big company is that you get fifteen people with the power to
> say "stop" and no one with the power to say "go with it".

Noted. But my comment wasn't about S&S, it was (originally) about the time to effect the actual change in the code. That remains trivial; frankly, I don't care about the internal workings of any company. I just want clear, accurate docs and effective code.

> > > What happens about the printed manuals?
> >
> > Easy; a README.1ST file could take care of the manual until its next
> > reprint. This is not exactly an industry innovation.
>
> Another thing that people don't read. I've been through this
> manual writing stuff, you know. I think my name is still in the
> cast list of the current Toolkit manual, though I haven't worked
> on it for years.
The point isn't whether it is read; it is whether the information is provided in a clear manner *somewhere*. Some of us -do- read the manual, by the way; of course, a company is probably less likely to get tech support calls from those folks.

> At one time, the manual was loose-leaf, with extra pages sent out
> with the updates. That doesn't work very well either, unless you
> actually replace existing pages with new ones (and that only
> works if customers actually do the page changes). Addenda don't
> get read.
>
> Yes, it is *easy* to add a readme file, but it isn't effective.

Perhaps, but tech support can point to it in any event. One can't make the user read the docs; one can't make the user install the software. So what? One still tries to make the best product and the best docs possible, no?

> > > What happens about the scripts that people run to analyse logs? The
> > > tiniest change in any of the report wording brings existing customers,
> > > especially the corporate support personnel, down on you like an air
> > > strike.
> >
> > You can't have it both ways. Since this never happens to "real users",
> > no user will have a script that needs to be changed. Or it *does* happen,
> > on a corporate server, perhaps, in which case your claim that the message
> > never occurs to "real users" is invalid. Which one will you have us
> > believe?
>
> Explain that to the people who make such decisions. I hold that
> real users won't come across this feature. The decision makers
> would answer that it doesn't need changing then.

See above for a real world example of where this happens.

> There are other
> undocumented features used in house for testing and other
> purposes, you know. There is a really convenient feature in
> VirusGuard which can be used when testing which S&S tell NO ONE
> about, even when asked for it specifically.

So what?
I don't care about things I can't possibly encounter; I expect clarity and full disclosure in the things I will, and hope for the same in the things I might.

> > > Report wording is one of the *hardest* things to get changed.
> >
> > All the more reason to get it right the first time. But when it
> > isn't, fix it as soon as possible, assuming you believe that it merits
> > improvement.
>
> Two things there. I say it doesn't need changing, and it seems
> S&S don't think it needs it either. But that is beside the
> other point you were making about how any programmer could insert
> the wording of *your* choice in seconds. That isn't so, for the
> simple reason that programmers are not allowed to make that kind
> of design decision. They are allowed to file "change request"
> forms.

S&S implementation detail; my comment was about how long it would take to do. I think it's great that changes aren't just made willy-nilly; the point remains that if a change in the text is implemented, it will be extremely quick to effect.

> > It's details like this that make the good documentation
> > very good, and the very good, excellent. Shouldn't the
> > quality of the documentation match that of the software?
>
> Features affecting only testers and experimenters need not be
> documented at all. Look at the fuss the discovery of this very
> unimportant feature has raised in here.

Perhaps we'll just have to agree to disagree, then. It's really an issue between S&S and its users (potential or current), not between you and me.

> Another one we see a lot is the "boot sector viruses in image
> files" thing, when someone claims that Dr. Solomon's cannot
> detect common boot sector viruses because they are testing a
> collection of image files. Why would that issue, or the
> /!doboots switch, be documented in the distribution manual? It
> isn't a secret, and S&S do give the info out to testers, but
> putting it in the user distribution would just cause trouble.
Incompetent testing, I agree.

> > In either case, it's a loss for S&S.
>
> Not in the judgement of S&S, apparently.

Actually, S&S has stated at least some interest in the issue; I've been cc'ed in a message about it. They may not decide to make a change, of course, but as usual, they appear to be receptive to customer input.

BTW: I notice that you have snipped my counter to your assertion that I could be sequestered in a room with several other [rational -- my requirement -BPB] folks, and that we could not generate better wording in a reasonable length of time. I take this to mean that you accept that we could, indeed, do a better job. I suspect that S&S can do a better job in this regard, too, and that they will.

-BPB

------------------------------

Date: Sun, 12 May 1996 21:57:09 -0400
From: Computer Virus Help Desk
Subject: Re: Thunderbyte and zip or compressed files (PC)

On Sat, 11 May 1996 19:20:00 -0500 (EST), Keith Peer wrote:

> As far as I know ThunderBYTE cannot virus scan within archives. You may be
> interested in *other* antivirus products for this feature. AntiViral
> Toolkit Pro supports ZIP, ARJ, RAR, LHA, ICE and LZH archives and can virus
> scan within multiple layers and mixed archive types. You can get an
> evaluation from the WEB, FTP and BBS below in signature.
>
> I think Dr. Solomon's as well supports archives but I do not know to what
> extent.

*OR* you could use a product called THDPRO (current version THD_12_3.EXE) which allows you to safely open ANY type of compression program and configure an almost unlimited number of scanners to scan inside the archives, including nested files.

Allen Taylor, Moderator, VIRUS_INFO
SysOp, Computer Virus Research Center BBS
Indianapolis, Indiana, USA
(317) 887-9568
http://www.a1.com/cvhd

------------------------------

Date: Sun, 12 May 1996 22:43:46 -0500 (CDT)
From: Russell Smith
Subject: Re: Please inform how to fix "readibios"(?) virus ? (PC)

Lee Suk-Jae writes:

> It'll be highly appreciated if someone can inform me about this virus?

Possibly you have the false report as described by F-PROT in their web file:

Linkname: Data Fellows Ltd's Virus Information Pages
URL: http://www.DataFellows.com/v-descs/radiosys.htm

NAME: Radiosys
ALIAS: Readiosys

There is no virus known to F-PROT by this name. However, there is a well-known false positive on 'Readiosys' by Intel's and Trend's antivirus products on some boot sectors - usually these boot sectors have been slightly corrupted by the Anticmos virus but are not actually infected. If F-PROT doesn't complain about 'Radiosys-infected' boot sectors, ignore the warning and get an update to your Intel/Trend scanner. You can 'fix' the boot sectors and get rid of the false alarm by running F-PROT's FIXBOOT on the floppy.

Copyright © Data Fellows Ltd's F-PROT Professional development & support

Later,
Russell Smith
rssmith@tenet.edu
rssmith@camalott.com
Region 14 ESC Abilene, Tx
Edtech Consultant, Certified teacher, Journalist

------------------------------

Date: Mon, 13 May 1996 10:52:38 +0200
From: Gangolf Mittelhaeusser
Subject: Who knows the "Parity Boot B" virus? (PC)

I have got the above virus on my PC with Windows 95. After a format of the hard drive and a new installation I have at least one file (shudlog) that is still infected. Has anyone experience with that virus? I don't know how it could survive the formatting and don't feel really safe now.

---------------------------+-------------------------------------
Gangolf Mittelhaeusser     | e-mail: gangolf@informatik.uni-kl.de
-----------------------------------------------------------------

[Moderator's note: That file is not "infected"--it contains an image of your pre-Win95 MBR, so is likely to contain a copy of the virus if your PC was infected before installing Win95.]
------------------------------

Date: Mon, 13 May 1996 10:02:01 +0000 (GMT)
From: TEO WEI LING
Subject: Please help!! Infected with BRAIN!!! (PC)

Please help!!! My computer is infected with BRAIN!! Please tell me how I should go about getting rid of it and what the effects of the virus are!!!

many thanks!!!!!!!!!!
Grace.

------------------------------

Date: Mon, 13 May 1996 12:53:58 +0100
From: Alexander Stanton
Subject: Virus (??) duplicates files with 11/07/95 time stamp? (PC)

I seem to be losing lots of disk space because something is copying files I use to the Windows directory with a time stamp of 11/07/95 (which happens to be the date most Windows files have). Norton and F-Prot don't detect anything. Does anyone know what this is? Is there a searchable database anywhere for virus descriptions? Since I don't have the name, it's hard to find out what is happening.

Thanks.

Alexander Stanton
as7@ee.ic.ac.uk

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 70]
*****************************************
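Added by the editor after the digest, and not part of any post in it: a toy Python model of the One-Half mechanism Zvi Netiv describes in his reply to Richard Cressman above (a pointer kept in the MBR, a couple more cylinders encrypted on every infected boot working from the top of the disk down, and stealth decryption of reads while the virus is resident). It reproduces the two outcomes the thread reports: a FORMAT without FDISK followed by a reinstall from a clean floppy leaves fresh plaintext inside the encrypted zone, which the virus then "decrypts" into garbage on the next infected boot; and removing the virus from the MBR before the zone has been decrypted leaves the data scrambled. The XOR cipher, the 16-cylinder geometry, the key value and the file names are assumptions made for this model; the page does not describe the real virus's cipher.

```python
"""Toy model of One-Half's progressive cylinder encryption (added example).

Assumptions made for the model, not facts from the digest: a 16-cylinder
disk, cylinder 0 holding the MBR, XOR with a single key as the cipher,
and the key stored in the MBR next to the boundary pointer.
"""
from dataclasses import dataclass

CYLINDERS = 16          # assumed toy geometry; cylinder 0 is track 0 with the MBR
CYLINDERS_PER_BOOT = 2  # "a couple of cylinders every time you boot"


@dataclass
class Disk:
    cyl: list                  # raw on-platter bytes, one entry per cylinder
    mbr_pointer: int           # lowest encrypted cylinder; CYLINDERS means none yet
    key: int                   # assumed XOR key, kept in the MBR with the pointer
    virus_resident: bool = False


def new_disk(key=0x5A):
    return Disk(cyl=[b""] * CYLINDERS, mbr_pointer=CYLINDERS, key=key)


def xor(data, key):
    # An involution: applying it twice restores the input (Richard's "/e switch" effect).
    return bytes(b ^ key for b in data)


def boot_from_hd(d):
    """Infected boot: the virus goes resident and encrypts the next couple of cylinders downwards."""
    d.virus_resident = True
    new_ptr = max(1, d.mbr_pointer - CYLINDERS_PER_BOOT)   # never reaches track 0
    for c in range(new_ptr, d.mbr_pointer):
        d.cyl[c] = xor(d.cyl[c], d.key)
    d.mbr_pointer = new_ptr                                 # pointer in the MBR advances


def boot_from_clean_floppy(d):
    d.virus_resident = False   # MBR, pointer, key and the encrypted zone are all left as they are


def read(d, c):
    """What a program sees: stealth decryption only while the virus is resident."""
    if d.virus_resident and c >= d.mbr_pointer:
        return xor(d.cyl[c], d.key)
    return d.cyl[c]


def write(d, c, data):
    """Writes into the zone pass through the resident virus and land encrypted; clean-boot writes land raw."""
    if d.virus_resident and c >= d.mbr_pointer:
        d.cyl[c] = xor(data, d.key)
    else:
        d.cyl[c] = data


def quick_format(d):
    """FORMAT without FDISK: wipes the data area but leaves the MBR (pointer and key) in place."""
    for c in range(1, CYLINDERS):
        d.cyl[c] = b""


def remove_virus(d, decrypt_zone_first):
    """Rewrite the MBR. Without decrypting the zone first, pointer and key go with it."""
    if decrypt_zone_first:
        for c in range(d.mbr_pointer, CYLINDERS):
            d.cyl[c] = xor(d.cyl[c], d.key)
    d.mbr_pointer = CYLINDERS
    d.virus_resident = False


def scenario_reformat_without_fdisk():
    """Zvi's case: reinstall from a clean boot into the zone, then boot infected again.

    Returns (what the file read as after the reinstall, what it reads as after the next infected boot).
    """
    d = new_disk()
    for _ in range(3):                  # three infected boots: cylinders 10..15 are now "encrypted"
        boot_from_hd(d)
    boot_from_clean_floppy(d)
    quick_format(d)
    write(d, 12, b"PAYROLL.WKS")        # constructed file, written raw inside the encrypted zone
    after_reinstall = read(d, 12)       # looks fine while booted clean
    boot_from_hd(d)                     # virus back: it "decrypts" the raw plaintext, i.e. scrambles it
    return after_reinstall, read(d, 12)


def scenario_cleanup(decrypt_zone_first):
    """Removal with or without decrypting the zone; returns what the file reads as afterwards."""
    d = new_disk()
    boot_from_hd(d)                     # cylinders 14..15 encrypted
    write(d, 15, b"BUDGET.DOC")         # constructed file, written through the resident virus
    boot_from_clean_floppy(d)
    remove_virus(d, decrypt_zone_first)
    return read(d, 15)


if __name__ == "__main__":
    before, after = scenario_reformat_without_fdisk()
    print(before, after, xor(after, 0x5A))
    print(scenario_cleanup(True), scenario_cleanup(False))
```

The order of operations is the whole point: disinfect only after the encrypted zone has been decrypted (or, as Richard found, re-apply the same XOR with the recorded numbers), because a rewritten MBR takes the pointer and key with it.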
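Also added by the editor, and not code from Dr Solomon's, AVP or THDPRO: a Python sketch of the recursive, in-memory archive scanning that Keith Peer and Graham Cluley discuss in the Thunderbyte thread above. It opens nested, mixed containers (here a ZIP inside gzip inside ZIP, the formats Python's standard library can read) entirely from memory without writing anything to disk, and it stops inflating once a decompression budget is exhausted, which is the check a practitioner wants before pointing such a scanner at a 4000MB archive or a deliberately nested bomb. The signature string, member names and nesting are constructed for the demonstration.

```python
"""Recursive in-memory archive scanning with a decompression budget (added example).

Constructed for this demonstration: the detection string SIGNATURE, the
member names and the nesting built by build_sample(). Only ZIP and gzip
are handled, because those are what the standard library opens.
"""
import gzip
import io
import zipfile

SIGNATURE = b"FAKE-VIRUS-SIGNATURE"   # constructed; stands in for a real detection string
MAX_DEPTH = 8                          # refuse absurd nesting depths
BUDGET = 1 << 20                       # total bytes we are willing to inflate per scan (1 MiB here)


class Budget:
    def __init__(self, limit):
        self.remaining = limit


def _is_gzip(data):
    return data[:2] == b"\x1f\x8b"


def scan(data, path, depth=0, budget=None, findings=None):
    """Scan a byte string, recursing into archives; returns a list of (path, verdict)."""
    if findings is None:
        findings = []
    if budget is None:
        budget = Budget(BUDGET)
    if SIGNATURE in data:
        findings.append((path, "infected"))
    if depth >= MAX_DEPTH:
        findings.append((path, "skipped: nesting too deep"))
        return findings
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}"
                with zf.open(info) as fh:
                    chunk = fh.read(budget.remaining + 1)   # read one byte past the budget
                if len(chunk) > budget.remaining:
                    # Measured output, not the header's file_size, decides: headers can lie.
                    findings.append((member_path, "skipped: decompression budget exhausted"))
                    continue
                budget.remaining -= len(chunk)
                scan(chunk, member_path, depth + 1, budget, findings)
    elif _is_gzip(data):
        inner_name = path[:-3] if path.endswith(".gz") else path + ".ungz"
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            chunk = gz.read(budget.remaining + 1)
        if len(chunk) > budget.remaining:
            findings.append((inner_name, "skipped: decompression budget exhausted"))
        else:
            budget.remaining -= len(chunk)
            scan(chunk, inner_name, depth + 1, budget, findings)
    return findings


def _zip_bytes(members):
    """Build a ZIP in memory from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """outer.zip -> { readme.txt, middle.zip -> { inner.zip.gz -> inner.zip -> { virus.com } } }"""
    inner = _zip_bytes({"virus.com": b"MZ" + SIGNATURE + b"\x00" * 64})
    middle = _zip_bytes({"inner.zip.gz": gzip.compress(inner)})
    return _zip_bytes({"readme.txt": b"clean text", "middle.zip": middle})


def scan_sample(limit=BUDGET):
    """Scan the constructed sample with a given inflation budget."""
    return scan(build_sample(), "outer.zip", budget=Budget(limit))


if __name__ == "__main__":
    for path, verdict in scan_sample():
        print(verdict, path)
    for path, verdict in scan_sample(10):
        print(verdict, path)
```

With the default budget the scanner reports the infected member by its full nested path; with a 10-byte budget it inflates readme.txt, then refuses middle.zip rather than inflating whatever is inside it, which is the behaviour you want from a scanner that promises not to touch the disk.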