VIRUS-L Digest   Friday, 17 May 1996   Volume 9 : Issue 72

Today's Topics:

Re: If you really are AV.
Re: Identifying False Positives
More False Alarms in TBAV
Dr Solomon's Virus Stats (April 1996)
RE: How to select an anti-virus product?
RE: Final decision
Re: How to select an anti-virus product?
Re: Is virus writing illegal?
Re: Is virus writing illegal?
Re: Is virus writing illegal?
Re: How to select an anti-virus product?
Thoughts on providing support (was: Re: If you really are AV.)
Re: Word Macro Virus cleaner wanted
Re: NLM - Anti-Virus (NW)
Re: Writing to Win95 MBR? (WIN95)
NAV95 Rescue Disk problems (WIN95)
TPE (2) Virus (WIN95)
I want info re Star One virus (PC)
Re: F-prot's Virstop (PC)
running antivirals on infected PC's (PC)
Re: Help needed with Burglar virus!!! (PC)
Re: EXEBUG VIRUS (PC)
Re: Tremor help (PC)
Re: F-prot's Virstop (PC)
Re: Please help!! Infected with BRAIN!!! (PC)
Re: F-prot's Virstop (PC)
Re: false alarms? (PC)
Re: EXEBUG (PC)
Re: Major Floppy/Boot Problem - Out of ideas! (PC)
Poorly-worded message in BIOS (was: Re: Virus in BIOS) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz.
(Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 15 May 1996 13:48:00 +0000 (GMT)
From: David Harley
Subject: Re: If you really are AV.
X-Digest: Volume 9 : Issue 72

Holt Sorenson (hs@grafton.dixie.edu) wrote:

: Virus Databases
: http://www.datafellows.com/vir-info/  Data Fellows Virus Database
: http://www.symantec.com/avcenter/vinfodb.html  Symantec Virus Database
: http://www.drsolomon.com/vircen/enc  Dr. Solomon's Database
: http://www.mcafee.com/support/techdocs/vinfo/#top  McAfee Virus Database
: also ftp://mcafee.com/pub/3rdparty/vsumx603.zip

Also: The AVP database: http://www.datarescue.com/avpbase/

NB VSUM is not universally admired for its accuracy.

- -
David Harley
Support & Security Analyst
Imperial Cancer Research Fund

------------------------------

Date: Wed, 15 May 1996 10:01:18 -0400 (EDT)
From: "A. Padgett Peterson P.E. Information Security"
Subject: Re: Identifying False Positives
X-Digest: Volume 9 : Issue 72

In <0012.01I4K4FQHQT4SKXBI6@csc.canterbury.ac.nz> JMCarlini writes:

>Is there any accurate way to tell a false positive from a REAL virus?

Frisk responded:

>Disassemble and analyse it.
>
>If you settle for less than 100% accuracy, there are several rules of
>thumb you can employ, like: ...

I found a long time ago that some other tests work well. For instance, if you just received a new scanner and a program you have been using for years is suddenly reported infected, I would suspect the new program.

Second, all MBR and boot sector viruses I have seen have the same indicator: DOS no longer has 640k of memory. I wrote a program waaay back in 1989 (CHKMEM) to test this & wrote a paper a year later on the subject (6 Bytes) - the Virus Bulletin reviewed the paper and rated it as a "slightly flawed" commercial product. Flawed commercially I will agree - it is freeware.
It is based on the fact that most successful viruses go resident and at boot time (while the PC is in "real" mode), the only safe RAM available is at the Top of Memory (TOM), and anything that goes resident there will be overwritten unless it allocates memory & that allocation is always detectable.

Further, many .EXE infectors also go resident at the TOM except they allocate memory from the MCB (first I recall was the 4096, most recent is Burglar). This creates a mismatch between BIOS memory size and DOS memory size which is also detectable (had to update this check in CHKMEM in 1991 when DOS 5.0 came out. DOS can't add.)

So, for me, when a virus is reported, the first thing I do is to check the memory allocations & TSRs on the "infected" machine. Often the true situation is obvious.

Warmly,
Padgett

ps CHKMEM may be found in the FixUtilities (fix6.zip in the virus directory on SimTel mirrors). Probably should update sometime but have not really seen any need.

------------------------------

Date: Wed, 15 May 1996 09:22 +0000 (GMT)
From: CLAYTON E RUTH
Subject: More False Alarms in TBAV
X-Digest: Volume 9 : Issue 72

This is a follow-up to my previous message (Re: False Alarms in TBAV for Windows 95). I have discovered a situation that can produce false alarms in TBAV for DOS, version 7.01.

If a very small, uninfected .COM file is scanned following a larger infected file, TBScan may falsely report that the tiny .COM file contains an unknown virus. Apparently the input buffer isn't cleared between files, and the scanner checks more bytes than were actually read from the tiny file. If the slack area contains part of a virus, it may raise enough heuristic flags to trigger a false alarm. When the same file is scanned separately, it is found to be clean.

I have reported this problem and the Win95 CRC mismatch to TBAV technical support.
Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
Clayton.E.Ruth@SLChicago.Infonet.com

------------------------------

Date: Wed, 15 May 1996 17:46 +0000
From: Graham Cluley
Subject: Dr Solomon's Virus Stats (April 1996)
X-Digest: Volume 9 : Issue 72

Here are some statistics from the United Kingdom technical support department of S&S International (developers of Dr Solomon's Anti-Virus Toolkit).

These stats are for general interest and should not be treated as gospel regarding which viruses are causing the largest problem (for example, many corporate users dealing with Form will not need to call us up for hand-holding and advice).

Concept            17
Empire.Monkey      12
Anticmos           10
Antiexe             9
Form                9
Exebug              8
Parity.b            8
Ripper              7
Telefonica          6
Sampo               4
Feint               3
NYB                 3
Quandary            3
Shehas              3
Vsign               3
Angelina            2
BootEXE             2
Junki               2
Manzon              2
Swiss               2
B1                  1
Barrotes.1310       1
Beijing             1
ByeBye              1
Diskwasher          1
Delight             1
J&M                 1
Jumper              1
Stealthboot         1
Stonehenge          1
Taipan              1
Tentacle            1
Unashamed           1
Imposter            1
Colors              1

These figures are only for the UK. They do not include data from our offices in the USA, Germany, or our distributors worldwide.

Furthermore, the researchers in our virus lab received "lab disks" from customers containing the following viruses:

AreThree              1
Boot.437              1
CatScratchFever.558   1
Clisti.1025           1
Concept               9
Cordobes.3334         1
Deadwin.1228          1
Diehard               1
Form.y                1
Grangrave.1150        1
Imposter              2
Junkie.1027           1
Junkie.1308           1
Khobar                1
Konkoor.3072          1
KorWan.1448           1
LZR                   1
Nado.841              1
Natas.4744.a          2
Nightfall.4518.a      1
NoFrills.843          1
Pretentious.680       1
StayCool.543          1
SVCb                  1
Tanpro.524            1
Treblinka.1480        1
Trojector.1561        1
Werewolf.1500.b       2
YankeeDoodle.2881     2

Regards
Graham

- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
                                  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 15 May 1996 17:46 +0000
From: Graham Cluley
Subject: RE: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 72

Donald Heering writes:

> I had no idea about the plethora of anti-virus utilities available on
> the market... Which one should I use? What I'd like is a product that
> can monitor file access in the background (running Win '95 ), like TBAV
> and McAfee do.

Dr Solomon's Anti-Virus Toolkit can do that too. We have a 32-bit VxD called Dr Solomon's WinGuard included in the Toolkit for precisely that purpose. Some anti-virus products don't have a VxD in their Win95 version (or don't detect the same number of viruses as their DOS command-line version).

> And of course it should be able to detect (and clean, if
> possible) as many viruses as possible.

Yup, Dr Solomon's Anti-Virus Toolkit can do that.

> Does one product suffice, or is it better to use more than one?
>
> Any input is welcome.

You'll find some independent comparative reviews of anti-virus software at http://www.drsolomon.com/avtk/reviews as well as links to other anti-virus resources on the web. I would strongly recommend taking a look at them before making a decision.

Regards
Graham

- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 15 May 1996 18:14 +0000
From: Graham Cluley
Subject: RE: Final decision
X-Digest: Volume 9 : Issue 72

C0SYS0P writes:

> F-Prot, Dr. Sol, McAfee
>
> Which is the Best or two best AV's around for scanning.

Well, of the three you mention F-Prot and Dr Solomon's are the two best.
You can probably guess which I think is better out of F-Prot and Dr Solomon's.. :-)

> ... for use as a TSR

The University of Tampere have conducted tests as to the detection rates of different anti-virus TSRs. You can read their findings on their website http://www.uta.fi/laitokset/virus/ or on ours at http://www.drsolomon.com/avtk/reviews

> ... for cleaning

Again, independent comparative reviews can be found on the Dr Solomon's URL mentioned above.

> ....I assist in running a DOOM BBS and need to know which one(s) to
> implement. What should we choose......We have been running this BBS for
> some time but are now going to get really serious on an Antivirus
> program.
> We are getting more and more files (all types) and would like to assure
> our players that they WILL NOT BECOME INFECTED through us. Luckily not
> one has gotten a virus from our file libraries yet!

That's good.

> Any suggestions?

Both F-Prot and Dr Solomon's are fine products. One of the reasons why you might decide upon Dr Solomon's is its support for compressed and archived files. Dr Solomon's Anti-Virus Toolkit can scan *recursively* (ie. ZIP within ZIP within ARJ) within a number of different compression formats (ZIP, ZIP2EXE, ARJ, ARC, ICE, DIET, PKLITE, LZEXE, CRYPTCOM, MS EXPAND) without writing a single byte to the hard disk. Furthermore it is capable of using its heuristics inside compressed files to detect new and unknown viruses without a false alarm problem. This should be extremely useful to you when screening files before making them available. You can read more about our compression support and award-winning advanced heuristic analysis on our website.

BTW, it strikes me that you are in a scenario where a "generic" anti-virus product would certainly not be useful. Those anti-virus products which rely on viruses to change other files or system resources are going to be less than effective when all you are doing is making files available for other users to download.
> Should we shut down the BBS and this way we can be 100% safe :) ?

That would make you 100% safe, but it wouldn't be any fun. BBSes are meant to be fun. That's one of the major shames about viruses, they've made computing less enjoyable.

> Well thanks in advance for any input you may have for me. I'm planning
> to pay as much as possible but, not something that is unreasonable
> ($ 250 tops). Am I being reasonable?

Nope - Dr Solomon's costs a lot less than that. You can download an evaluation version of Dr Solomon's FindVirus (part of the full commercial Toolkit) from our website, or GO VIRUS in AOL.

Regards
Graham

- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 15 May 1996 20:02:55 +0000 (GMT)
From: Robert Michael Slade
Subject: Re: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 72

Donald Heering (dheering@xs4all.nl) wrote:

: I had no idea about the plethora of anti-virus utilities available on

And I don't imagine you've seen the half of it :-)

: the market... Which one should I use? What I'd like is a product that
: can monitor file access in the background (running Win '95 ), like TBAV

OK, quick overview. Three types of antivirals: activity monitors, scanners and change detectors.

Activity monitors look for suspect or virus-like activity and run resident (in the background). TBAV has one, but McAfee (unless they slipped in a module while I wasn't looking) usually does "resident scanning".

Scanners look for signatures of specific viral programs. They come in manual (you use it yourself) and resident (it runs in the background) flavours.

Change detectors test for the types of changes that a virus *must* make to the system in order to work.

: and McAfee do.
: And of course it should be able to detect (and clean, if
: possible) as many viruses as possible. Does one product suffice, or is

The numbers game (how many viruses does it detect/clean) is only one played in the scanner arena. This is because, in theory, activity monitors and change detection software can catch *any* virus. In reality, there is a trade-off between catching viruses and sending out false alarms about normal operations and changes.

The numbers game is a stupid measure of antivirals in more ways than one. It doesn't matter if the scanner detects "x thousand" viruses like Boza, which doesn't exist in the wild. You need to be able to catch the ones you are most likely to run into, and they only number in the tens. (Having said that, however, I should also say that the antivirals which do *really* catch the most viruses, like F-PROT, Dr. Solomon's, VET, and so forth, also have the best design. Go figure.)

: it better to use more than one?

Yes. We *always* suggest using more than one scanner: this helps when people say things like "I have the GenB virus, how do I get rid of it?" (GenB is McAfee-ese for "something is wrong with your boot sector, but we don't know what.") One scanner may have an idiosyncratic name for something: two are more likely to hit on one of the standards. Three are likely to be able to "vote" on whether a given report is a false positive or not.

You can get some information for comparing antivirals from my book (I review a ton of them) or from the sites below.
======================
roberts@decus.ca   rslade@vcn.bc.ca   slade@freenet.victoria.bc.ca
Virtual reality is for those who can't handle the command line
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)
=============
for back issues:
AV contacts list:     ftp://cs.ucr.edu/pub/virus-l/docs/reviews or The Cage
Antiviral reviews:    ftp://cs.ucr.edu/pub/virus-l/docs/reviews/pc or The Cage
                      telnet://freenet.victoria.bc.ca (command "go virus")
                      http://csrc.ncsl.nist.gov/virus/virrevws/
Viral Morality:       http://www.bethel.edu/Ideas/virethic.html
Book reviews:         telnet://freenet.victoria.bc.ca (command "go tbooks")
                      ftp://x2ftp.oulu.fi/pub/books/slade
                      http://mag.mechnet.com/mne/books/reviews/slade/
                      gopher://gopher.technical.powells.portland.or.us:70
                      http://www.utexas.edu/computer/vcl/bkreviews.html
RobertS Rules of Internet: http://www.brandonu.ca/~ennsnr/Resources/order.html

------------------------------

Date: Wed, 15 May 1996 18:54:00 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 72

In article <0008.01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz> eriko@phoenix.net writes:

> Speaking of which, what legally defines a virus?

Christopher Pile, who wrote and released viruses and was sent to jail for 18 months for doing so, was not charged under any law containing the word "virus", so no definition was necessary. He was charged with "unauthorised modification" of data on computers he was not authorised to access or modify, and inciting others to do the same. That is how much of the relevant legislation is phrased.

You can find many countries' laws at Dr. Solomon's personal web site: (http://www.ibmpcug.co.uk/~drsolly).

- -
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS
Burma-Shave

------------------------------

Date: Wed, 15 May 1996 23:32:16 +0100
From: "B.MacDonald"
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 72

In article <0008.01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>, eriko@phoenix.net writes

>Speaking of which, what legally defines a virus?
>

In what country? According to Dr Solomon's "Virus Encyclopedia", a virus is simply 'a programme that copies itself', presumably without permission.

- -
B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Wed, 15 May 1996 23:28:03 +0100
From: "B.MacDonald"
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 72

In article <0003.01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>, Mike McCarty writes

>In article <0013.01I4LK6P5J06SKXBI6@csc.canterbury.ac.nz>,
>B.MacDonald wrote:
>
>)In article <0009.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz>, James Coulter
>) writes
>
>[stuff cut]
>
>)> My point is, virus writing is a form of programming. It should
>)>not be illegal even if a NON-DESTRUCTIVE virus is released. Those authors
>)>of DESTRUCTIVE viruses, however, should be prosecuted as they have done
>)>harm to your private property.
>)>
>)>PS: To date, not a single one of my viruses has had destructive code or
>)>even been released into the "wild". I think of them as trophies of
>)>accomplishment.
>
>[more cut]
>
>)First, by infecting my system with your virus you have committed virtual
>)trespass.
>
>He said his viruses are not in the wild. If I read him properly, his
>virus is not, and never will be, on your machine without you knowing it
>and deliberately putting it there yourself.
>
>[stuff cut]
>
>)Secondly, the deliberate dissemination of a virus is irresponsible.
>
>Also irrelevant. His viruses aren't in the wild, remember?
>
>)No, I don't think writing viruses is a good hobby, James. I know you
>)have said that you have not released any viruses, but perhaps there is a
>)more constructive outlet for your talents. Have you thought of getting a
>)job countering viruses (ie, switch to the other side of the chess
>)board)...
>)... or taking up gardening?
>
>I don't think that virus writing is "better" or "worse" than any other
>kind of program writing. It's actually a little bit boring once one has
>done it one time.
>

Well Mike,

You missed a couple of points. First, you obviously formatted the first part of your response before you read all the way through mine... I, in fact, acknowledge that the writer had not released any viruses. However the discussion concerned the ethics of virus writing generally (that is the thread after all) - not how boring or not it is.

If your neighbor had taken up amateur bomb-making would you not be concerned, even if he affirms that he never really intends to plant them anywhere?

My point is (please pay attention this time) that virus-writing is not a particularly constructive pastime and, if you don't intend to release them, why bother at all? It's also worth noting that from the very start viruses which were never meant to be released have "escaped into the wild" (eg; Jerusalem & Virus-B).

I think there is a pretty widespread consensus that computer viruses are something we all (ie, the world) can do without, for any reason.

- -
B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Wed, 15 May 1996 22:11:28 -0300 (ADT)
From: Danny Burke
Subject: Re: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 72

Donald Heering wrote in digest Volume 9 : Issue 71

>I had no idea about the plethora of anti-virus utilities available on
>the market... Which one should I use? What I'd like is a product that
>can monitor file access in the background (running Win '95 ), like TBAV
>and McAfee do. And of course it should be able to detect (and clean, if
>possible) as many viruses as possible. Does one product suffice, or is
>it better to use more than one?
If you're like me (an average user with a bit of knowledge...but definitely no expert) here is what I do:

I scan every program I download as well as every disk I use on my system with 3 different scanners (currently F-Prot, AVP and McAfee's). I intend trying Dr. Solomon's soon as I hear good things about it. I also use a data integrity program (Integrity Master...which I like so much I intend registering) and also have F-Prot's Viruscan running in the background as a TSR.

A lot of the AV experts say there's no need for a TSR program but my son uses the system also and I must admit I do occasionally forget to scan the odd disk myself so feel much better with it running.

Viruscan over the last two years has stopped the following 5 viruses from getting on my system from disks that either friends or my son tried to use: AntiExe, AntiCmos, Stoned.Empire.Monkey.B, Stoned.Standard and Junkie.

My scanners also stopped Whisper from getting on my system. This was in a BBS executable listing produced by a local sysop who was using an outdated scanner. I also found the Stoned.Standard on a 5 1/4 install diskette from an old game of Terminator a friend gave my son. So as you see they can strike from anywhere.

This setup I have might be overkill but it works for me and does not take up (in my personal opinion) an inordinate amount of time or resources so I am quite delighted. The experts might recommend something else.

My musings for what they're worth.

Regards
Danny

------------------------------

Date: Thu, 16 May 1996 02:47:07 +0000 (GMT)
From: Aryeh Goretsky
Subject: Thoughts on providing support (was: Re: If you really are AV.)
X-Digest: Volume 9 : Issue 72

Hello Nick (and fellow comp.virus readers),

In article <0015.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz> Nick FitzGerald writes:

>Alchemist wrote:

[...snip...]

>> assume that all the AVers here are in it "just for the money" and don't
>> really care about saving the planet from infection.
>> If anyone is
>
>Yep--DataFellows, Dr. Solomon's, McAfee's, Symantec, etc are raking in the
>bucks from all those thousands of hits per day on their WWW virus
>description pages....

None of the WWW sites mentioned above charge for access to their virus description pages. As a matter of fact, updating and adding the descriptions costs them time and money.

>This attitude is actually doubly insulting, because most people do not
>read up about avoiding virus infection before they get one, and far too
>many only care about finding out how to get rid of the one they have at
>the moment once they do get infected. Thus, to imply that supplying a
>good, freely available listing of all this information will reduce the
>spread of viruses, flies in the face of nine and a half years of
>experience.
>
>You may counter that I'm being cynical/patronizing/whatever, but you have
>to look at the economies of providing any "service", be it a "free" one or
>otherwise....

With ever-increasing numbers of people turning to computers (e.g., the Internet) and the number of viruses increasing it becomes more and more difficult to provide customer service and technical support. Providing "self-guiding" help in the form of WWW pages, FAQ's, and so forth is one way that anti-virus companies can reduce support costs and increase their ability to provide support.

While there are times I would rather speak to a living, breathing tech support person there are also times I'd rather just go to a WWW site and read the information on it. That can be a lot less time-consuming than having to go through operators, hold queues, digging up site license grant numbers, and repeating myself to the wrong person.
With tiered-support levels being sold separately instead of bundled into the cost of a product, calls charged by the minute or per incident, and having to lose several hours of productivity waiting to talk to a support representative and hear back from them I would prefer to have the option of checking a WWW site first before I have to visit the purgatory of an interactive voice response system.

Just my $0.02.

Regards,

Aryeh Goretsky

- -
______________________________________________________________________________
Mr Aryeh Goretsky          EMAIL goretsky@netcom.com
627 W Midland Ave          CompuServe 76702,1714
Woodland Park, CO          TEL +1 (719) 687-0480
USA 80863-1100             FAX +1 (719) 687-0716

------------------------------

Date: Wed, 15 May 1996 19:04:03 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 72

In article <0002.01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> The latest release of InVircible has a generic solution to the
> Word macro malware problem. Generic as generic can be ! :-)

Glad to hear that you have updated your product.

> Thanks to its generic nature, InVircible is now the only product
> on the market that not only detects ALL current Word macro
> malware but will also handle future macro viruses, Trojans and
> droppers.

Sorry to hear that you still don't seem to understand that your product will need updating again in the future, for reasons no one is able to foresee. I would have thought the Macro virus experience should convince anyone.
- -
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS
Burma-Shave

------------------------------

Date: Thu, 16 May 1996 02:56:10 +0000 (GMT)
From: Aryeh Goretsky
Subject: Re: NLM - Anti-Virus (NW)
X-Digest: Volume 9 : Issue 72

My information may no longer be current, but my understanding is that super-servers such as those manufactured by Tricord and Netframe have enhanced versions of NetWare installed in order to take advantage of multiple CPU's, proprietary buses and controllers, and so forth. The best people to contact would be the super-server vendors themselves; they should know which anti-virus products can be safely run without abending the server.

Regards,

Aryeh Goretsky

P.S. I tried to email you from several systems but they choked on the intelsat.int domain name.

- -
______________________________________________________________________________
Mr Aryeh Goretsky          EMAIL goretsky@netcom.com
627 W Midland Ave          CompuServe 76702,1714
Woodland Park, CO          TEL +1 (719) 687-0480
USA 80863-1100             FAX +1 (719) 687-0716

------------------------------

Date: Wed, 15 May 1996 18:15 +0000
From: Graham Cluley
Subject: Re: Writing to Win95 MBR? (WIN95)
X-Digest: Volume 9 : Issue 72
In-Reply-To: <01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>

Dennis G German writes:

> How does one go about re-writing the master boot record
> when running WIN95.
>
> Friend of mine ( no, really) has detected NYB.
> Can MBR be re written?

I would recommend using an anti-virus product rather than trying to rewrite the MBR via another method. You might like to download the evaluation version of Dr Solomon's FindVirus from our website. Cold-boot from a clean (virus-free) DOS disk and enter

    FINDVIRU C: /REPAIR

Other good anti-virus products should be able to do this as well.

Regards
Graham

- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
                                  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 15 May 1996 09:19:55 -0400
From: David Lazarus
Subject: NAV95 Rescue Disk problems (WIN95)
X-Digest: Volume 9 : Issue 72

I upgraded my NAV95 virus listing with the May 1996 list. Since I did this my system fails with a message "The virus was found in memory". I was running NAV 95 without the latest updates. Somehow a memory area virus found its way onto my system and only the May 1996 updates detected it. But the rescue disk is helpless. I updated it from a clean system and booted on the infected system with it, but after putting the second diskette in and running NAVBOOT it halts the system with the same message. Can anyone help? I am currently going to try McAfee.

------------------------------

Date: Wed, 15 May 1996 20:40:44 -0500 (CDT)
From: cruisin@StarText.NET
Subject: TPE (2) Virus (WIN95)
X-Digest: Volume 9 : Issue 72

Got a quick question for the group. My OS is Win95. I have two hard drives. The first one is set up as C: & D: and the last drive is E: with F: being my CD-Rom. My main virus program is NAV using the May definitions. I'm also running Norton Navigator and Utilities for Win95.

On boot-up, when Norton starts to do an image of the drives, the Auto-Protect is detecting the TPE (2) virus in the following files:

    Image.IDX
    Image.DAT

The system stops until I delete the files. The Image program works fine on the other two drives C: & D:. Up till last week, the Norton Image worked fine on all three drives, then this problem started happening. I then run a complete scan on the system and it can't find a thing. I re-boot and the warning comes up again. I've created a Rescue disk and done a clean boot but the only drive recognised is C:, so I can't get to the other drives when rebooting.
I've also tried rebooting with the Win95 system disk and I've got the same problem, only C: is showing. Any ideas. All help will be appreciated.

Sincerely,
Chuck

------------------------------

Date: Wed, 15 May 1996 16:45:54 +0000 (GMT)
From: "A.Appleyard"
Subject: I want info re Star One virus (PC)
X-Digest: Volume 9 : Issue 72

Yesterday VET said it found Star One virus in a file C:\WORK\1ST_STAR.COM in one of our public use PC's (in UMIST in Manchester in England) and did not remove it. (The file has now been deleted.) What does Star One do? What are its other names?

------------------------------

Date: Wed, 15 May 1996 16:14:19 +0000 (GMT)
From: 'Mike' M Ramey
Subject: Re: F-prot's Virstop (PC)
X-Digest: Volume 9 : Issue 72

Load VIRSTOP from config.sys or autoexec.bat *before* you start windows.

- -
-Mike Ramey 685-0940 FAX:685-3836 Wilcox-171 Box:35-2700 UofW 98195

------------------------------

Date: Wed, 15 May 1996 16:49:05 +0000 (GMT)
From: "A.Appleyard"
Subject: running antivirals on infected PC's (PC)
X-Digest: Volume 9 : Issue 72

How good are the latest versions of the various common antivirals (when called from a server or a write-protected floppy on an infected PC that has been booted from its hard disk) at (a) finding, (b) removing, the various viruses?

------------------------------

Date: Wed, 15 May 1996 18:15 +0000
From: Graham Cluley
Subject: Re: Help needed with Burglar virus!!! (PC)
X-Digest: Volume 9 : Issue 72
In-Reply-To: <01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>

Joeri Roels writes:

> We think it is the 'burglar' virus.
> In the infected files we find always the two sentences :
>
> "Burglar"
>
> and :
>
> "Eat grandmother's grave"
>
> Do you have any idea how to KILL it (fast!) ??

Dr Solomon's Anti-Virus Toolkit can detect and clean-up this virus (I think we call it Grangrave.1150). You can download an evaluation version of Dr Solomon's FindVirus which will do the clean-up from our website (see below).
Other good anti-virus products should be able to help you as well I should think.

It is important to remember to cold-boot from a clean (virus-free) write-protected DOS disk before attempting the clean-up so the virus is not in memory.

Here's some information about this virus from Dr Solomon's:

Grandma's Grave

Aliases: GranGrave.1150, Burglar

Description: Grandma's Grave is a stealth file virus. Every time the virus infects a file it checks whether the minute field of the current time is set to 14. If it is it displays a flashing message in the top left corner of the screen:

    "Burglar/H"

The virus contains an unencrypted text string which never gets displayed:

    "AT THE GRAVE OF GRANDMA"

Regards
Graham

- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com     USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 15 May 1996 18:15 +0000
From: Graham Cluley
Subject: Re: EXEBUG VIRUS (PC)
X-Digest: Volume 9 : Issue 72
In-Reply-To: <01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>

Zvi Netiv of InVircible writes:

> If you can see drive C: when booting from a clean DOS floppy, then run
> FDISK/MBR. In spite of the controversy about this undocumented command,
> this is your best shot, provided you can see C!

You're almost right Zvi. There are instances where using FDISK /MBR even when you can see the C: drive are still not recommended: for example the One-Half virus which encrypts cylinders on your hard disk. I would recommend a virus-specific solution rather than using FDISK, as a good virus-specific anti-virus program will deal with circumstances like this.

Regards
Graham

- --
Graham Cluley                     CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
------------------------------

Date: Wed, 15 May 1996 18:15 +0000
From: Graham Cluley
Subject: Re: Tremor help (PC)
X-Digest: Volume 9 : Issue 72
In-Reply-To: <01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>

Roy Mahfouz writes:

> does anybody know how to kill TREMOR???

Dr Solomon's Anti-Virus Toolkit can detect, intercept and clean up Tremor. If you download the evaluation version of Dr Solomon's FindVirus from our website, that will do it for you.

It is important for anti-virus products to detect Tremor in memory as it is a full stealthing virus. Of course, Dr Solomon's can detect Tremor in memory, but we recommend that you cold-boot from a clean (virus-free) write-protected disk before attempting the clean-up.

Here's some information about Tremor from Dr Solomon's:

Tremor
Type: Memory-resident file virus
Affects: Fast infector: COM and EXE files on execution and on almost any access. COM files are infected only if they start with the byte 0E9h (JMP instruction).
File Growth: 4000 bytes
Description: The virus is variably encrypted and highly polymorphic. When an infected program is executed the virus stays memory-resident, possibly in a UMB or in extended memory (if available), and infects COMMAND.COM. The virus demonstrates a full stealth technique: if it is memory-resident, no changes to infected files are visible. Approximately three months after intruding into a computer the virus triggers. On every warm reboot via Ctrl-Alt-Del the virus displays the following message:

-= T.R.E.M.O.R. was done by NEUROBASHER /May-June'92 Germany =-
MOMENT OF TERROR IS THE BEGINNING OF LIFE

Additionally, if more than 255 files were created or opened (e.g. via the COPY command) since the last system reboot, the virus starts to salute every DOS call with a random sound and a screen-display tremor.

> please send me a mail if yes!

I'll email you as well.
Regards
Graham
--
Graham Cluley, Dr Solomon's Anti-Virus Toolkit.

------------------------------

Date: Wed, 15 May 1996 18:27 +0000
From: Graham Cluley
Subject: Re: F-prot's Virstop (PC)
X-Digest: Volume 9 : Issue 72
In-Reply-To: <01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>

unknown writes:

> For some reason when I run F-prot's Virstop in a dos shell in Windows it
> crashes my system with the error message 'EMM386 has detected a fault
> at (some memory address)'. I realize that virstop is intended for DOS,
> but I need a program that will function under Windows 3.x. Can anyone
> suggest either another program for Windows 3.x or a way to configure my
> system so that virstop will work? Thanks for any help in advance.

I guess the support people at F-Prot will be able to help you with your problem; sorry I can't help on that one.

But seeing as you asked, there are a number of other anti-virus products available with varying levels of detection capability. One thing you might consider is running a 32-bit VxD under Windows. This has all the on-access advantages of a TSR (for example, it stops you from running viruses *and* spreading viruses to customers and colleagues), plus they're quicker, require zero DOS memory and can stop even the most complex polymorphic and macro viruses, which TSRs wave a white flag to.

Surprise surprise, Dr Solomon's have a VxD called WinGuard. You can read all about it on our website. :-)

Other good anti-virus products have similar capabilities (I think F-prot have a VxD for Windows), and you can read how good they are in the independent comparative reviews found at http://www.drsolomon.com/avtk/reviews and elsewhere.
Regards
Graham
--
Graham Cluley, Dr Solomon's Anti-Virus Toolkit.

------------------------------

Date: Wed, 15 May 1996 18:40 +0000
From: Graham Cluley
Subject: Re: Please help!! Infected with BRAIN!!! (PC)
X-Digest: Volume 9 : Issue 72
In-Reply-To: <01I4OEGXRLXYSKYBYJ@csc.canterbury.ac.nz>

TEO WEI LING writes:

> Please help!!! My computer is infected with BRAIN!!

Wow, you've chosen a real golden-oldie virus there. Why do you think you have Brain? Which anti-virus product (and which version) were you running? What was the precise message?

The reason why I'm asking is that all the versions of Brain we have ever seen only infect floppy disks - they don't infect hard disks at all. I'm just wondering whether you might have a false alarm.

You might care to download the evaluation version of Dr Solomon's FindVirus from our website and tell us if that also detects the virus. It can of course clean up Brain as well. Remember to cold-boot from a clean (virus-free), write-protected DOS disk before attempting the clean-up.

> Please tell me how I should go about getting rid of it and
> what the effects of the virus are!!!

Here's the description from Dr Solomon's:

Brain
Aliases: Pakistani; Pakistani Brain; Lahore; Ashar; UIUC
Type: Memory-resident boot sector virus.
Affects: 360Kb 5.25-inch floppy disks (even if not bootable). Hard disks are not infected.
File Growth: N/A
Description: The volume label of the infected floppy is changed to (c) Brain and infected disks have 3Kb of bad sectors. The following text can be found in the boot sector:

"Welcome to the Dungeon (c) 1986 Brain & Amjads (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today - Thanks GOODNESS!!
BEWARE OF THE er..VIRUS : this program is catching program follows after these messages....$#@%$@!!"

There are a number of major and minor variations in the actual wording, but the substance of the message remains the same. There is also a completely different message giving three telephone numbers.

Brain replaces the boot sector of a diskette with its own code and moves the original boot sector further up the disk. Whilst the virus is in memory the boot sector looks normal, as the virus redirects any attempt to look at it and displays the original boot sector instead. The virus has no ill effects other than slowing down the floppy disk drive and making 7Kb of memory unavailable to DOS.

Regards
Graham
--
Graham Cluley, Dr Solomon's Anti-Virus Toolkit.

------------------------------

Date: Wed, 15 May 1996 15:50 +0000 (GMT)
From: CLAYTON E RUTH
Subject: Re: F-prot's Virstop (PC)
X-Digest: Volume 9 : Issue 72

Reems@ix.netcom.com writes:

> For some reason when I run F-prot's Virstop in a dos shell in Windows it
> crashes my system with the error message 'EMM386 has detected a fault

You can't do that! Load VIRSTOP in DOS (AUTOEXEC.BAT) before you start Windows. It will still alert you to infections on the disks you access in your DOS boxes under Windows. If you want a full-blown Windows virus interceptor, get the F-PROT Professional version. Other products also offer full Windows-based virus interception.

Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
Clayton.E.Ruth@SLChicago.Infonet.com

------------------------------

Date: Wed, 15 May 1996 22:19:39 +0000 (GMT)
From: Bruce Burrell
Subject: Re: false alarms? (PC)
X-Digest: Volume 9 : Issue 72

Bill lambdin (vfreak@skn.net) wrote:

> Bruce Burrell writes
>
> > JMCarlini (jmcarlini@aol.com) wrote:
>
> > >Sure:
> > 1. Run the possibly-infected code, assuming it's executable, to see
> > whether it reproduces. Note that while this will make it
> > obvious for some viruses, others reproduce under arcane
> > circumstances you might not happen to mimic.
>
> Are you kidding!?

No. But come on, Bill: you've snipped a whole bunch of stuff that both states the situation of JMCarlini and qualifies my response:

--------------------------------------------------------------------

> Because of TBAV's heuristic approach, if I set it to a High heuristic
> setting, I will invariably get virus alerts that I did not get at a lower
> (auto) setting. I have also received what I believe to be false positives
> with McAfee Scan (After following the usual protocols, I could not find
> the virus, and have not had another incident.)
>
> Is there any accurate way to tell a false positive from a REAL virus?

Sure:

1. Run the possibly-infected code, assuming it's executable, to see whether it reproduces. Note that while this will make it obvious for some viruses, others reproduce under arcane circumstances you might not happen to mimic.

2. Disassemble the code to see whether it's a virus.

3. Use only AV products that don't generate false positives.

Option (1) has its obvious inherent dangers; option (2) isn't available for most folks. That leaves option (3) which, as Dr. Solomon's PERFECT.BAT so aptly shows, doesn't guarantee that such a product has any real value (Just make a batch file that says "echo %1 isn't infected"; voila! no false positives. Doesn't detect *any* real infections, though.)

[snip]

--------------------------------------------------------------------

> The user should never run a virus (even if it is a false alarm)

I think it's clear that I recommend option (3) above for general uses.
Note that I never said anything about who is qualified to do any of the steps above, though I suspect I should have. I think the caveats suffice.

> They should send the file to an A-V developer or a virus researcher for
> analysis.

This is a waste of time for the researchers. Unless you're suggesting that sending the samples to vendors will force them to improve the product to reduce false alarms, of course. One product regularly identifies stuff as infected when on high heuristics, but not otherwise. A second product had an alarm once that wasn't repeated. If the virus appears to be spreading, that's another matter. If it is merely detected in a constant set of files, it's probably safe to ignore.

> If the user wants to run a virus, they should run the program on a
> separate computer without taking the risk of infecting other files, boot
> sector, or MBR on their computer.

I agree with this. But I wasn't trying to suggest that the general user should run suspect code, only that this is one way to determine whether or not it is a virus.

[BTW: is it possible for you to post your articles so that they are associated with their original threads? On my newsserver, at least, your articles always start new threads. If you can fix this, Bill, it would make it easier to follow your arguments by referencing previous posts. Thanks!]

-BPB

[Moderator's note: I reiterate that call, Bruce, but Bill is not the only poster who regularly changes Subject: lines. I usually change the ones I spot back to the original Subject:, but sometimes I need the sleep more!]

------------------------------

Date: Wed, 15 May 1996 19:13:33 +0000 (GMT)
From: Iolo Davidson
Subject: Re: EXEBUG (PC)
X-Digest: Volume 9 : Issue 72

In article <0026.01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz> vfreak@skn.net "Bill lambdin" writes:

> Iolo Davidson writes
>
> >Exebug does a trick that forces the computer to boot from the
> >hard disk even when there is a boot floppy in the floppy drive.
> >It doesn't work on every computer, but it looks like it has
>
> Iolo:
>
> Doesn't EXEBUG accomplish this by modifying the CMOS so the A: drive
> is not installed?

I felt that it wasn't necessary to go publicly into the detail of the mechanism for the purposes of the discussion at hand. Ahem.

--
SOAPS TURN JOLLY GENTS THAT IRRITATE TO JITTERBUGS THEIR MUGS
Burma-Shave

------------------------------

Date: Wed, 15 May 1996 18:23:02 -0700
From: "James R. Bunch"
Subject: Re: Major Floppy/Boot Problem - Out of ideas! (PC)
X-Digest: Volume 9 : Issue 72

Randy wrote:

: My floppy drive has recently stopped working properly, and I suspect a
: virus. I have tried everything I have read plus a few other things I
: thought of along the way. I am at my wit's end! Help!

[big snip]

: Any new ideas would be greatly appreciated!

Hardware problem. Might be the drive, might be the adapter card. I'd swap out the card and cables first, 'cause in general the card is cheaper than the drive. I've seen busted drives that could read track 0 and see the directory but couldn't get to anything else. I've also seen floppy adapters that could only see track 0 on a known good floppy drive.

Think about it -- you disabled the hard drive and still couldn't boot from a clean, write-protected boot disk (it was known clean & write-protected, wasn't it?). With the hard drive out of action, and only your clean boot floppy in your drive, there was no place for a virus to be hiding. But your boot attempt failed. Because your drive can't read the boot floppy in it. Why can't it read the disk? Either the drive, adapter, or cable is bad -- with the *very* remote possibility that your CMOS settings are bogus, and you reset your CMOS. Doesn't leave much else.

Good luck!

--
----------------------------
James R. Bunch        "A Byte is a terrible thing to waste ...
jbunch@primenet.com    ... a MByte 1048576 times worse"
PGP Key available via finger
PGP Key fingerprint = B5 31 10 77 BF B0 FD B2 10 54 CB E6 13 7C 26 58
-----------------------------

------------------------------

Date: Thu, 16 May 1996 03:18:15 +0000 (GMT)
From: Aryeh Goretsky
Subject: Poorly-worded message in BIOS (was: Re: Virus in BIOS) (PC)
X-Digest: Volume 9 : Issue 72

Interestingly enough, my motherboard's BIOS has the same message in it! And not only that, the virus somehow managed to reprint the manual for the motherboard and insert a section saying this was to enable/disable writes to the master boot record of the hard disk to prevent infection.

Okay, I was just joking. There is no virus in my motherboard's BIOS or the manual for it (printed on paper, of course). What I do happen to have is a BIOS with some anti-virus capabilities in it. Unfortunately, due to poor wording and/or space limitations in the BIOS itself, the description was not clear.

Now the reason that selecting 'DISABLE VIRUS' made the virus disappear becomes a little clearer: after the computer was infected by the virus, the anti-virus mechanism in the BIOS was enabled. This prevented the anti-virus software from removing the virus, since each time it tried to remove the virus the BIOS-level anti-virus prevented the software-based anti-virus from changing the master boot record. Disabling the anti-virus mechanism in the BIOS allowed your anti-virus software to successfully remove the virus from the master boot record.

There's still the matter of how the anti-virus mechanism was switched on after the infection, but that could have happened by accident during attempts to remove the virus.
Regards,

Aryeh Goretsky

--
______________________________________________________________________________
Mr Aryeh Goretsky                  EMAIL goretsky@netcom.com
627 W Midland Ave                  CompuServe 76702,1714
Woodland Park, CO                  TEL +1 (719) 687-0480
USA 80863-1100                     FAX +1 (719) 687-0716

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 72]
*****************************************
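Editor's worked example, appended after the digest. Two threads above turn on the layout of a 512-byte PC boot sector: Graham Cluley's reply on FDISK /MBR (it rewrites the bootstrap code of the master boot record but leaves the partition table alone, which is exactly why it is the wrong tool for One-Half, whose resident code is what transparently decrypts the cylinders it has encrypted) and the Brain description (the virus is identified by text in the floppy boot sector, and while it is resident it stealths reads of that sector, hence the repeated advice to cold-boot clean first). The code below is not from the digest or from any product named in it; every sector, partition entry and "clean" bootstrap stub is constructed test data, the CHS fields are zeroed for brevity, and the function names are mine. It parses a sector the way a clean-booted scanner would, scans for the text strings quoted in the digest, checks the bootstrap area against a known-clean reference, and models the "replace the code, keep the table" step so the partition table's survival can be verified byte for byte.

```python
"""Inspect a 512-byte PC master boot record / floppy boot sector offline and
model what an FDISK /MBR-style boot-code rewrite changes and what it keeps.

Added example for the VIRUS-L discussion above; not code from the digest or
from any anti-virus product. All sector contents here are constructed.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446     # bytes 0..445: bootstrap code (what FDISK /MBR rewrites)
PART_TABLE_OFF = 446    # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510     # bytes 510..511: 0x55 0xAA

# Text fragments quoted in the digest's virus descriptions. A real scanner keys
# on code, not on strings a virus author can change; plain strings are enough
# to show where a scanner looks and why it must read the sector clean-booted.
TEXT_SIGNATURES = {
    b"Welcome to the Dungeon": "Brain (boot sector text)",
    b"(c) Brain": "Brain (volume label text)",
    b"AT THE GRAVE OF GRANDMA": "Grandma's Grave / Burglar",
}


def has_valid_signature(sector: bytes) -> bool:
    """True when the sector is 512 bytes and ends in the 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFF:] == b"\x55\xaa"


def parse_partition_table(sector: bytes) -> list:
    """Decode the four entries as (bootable, type, first LBA, sector count),
    skipping empty slots (type 0). CHS fields are ignored in this example."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot_flag, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            entries.append((boot_flag == 0x80, ptype, lba_start, count))
    return entries


def scan_for_text(sector: bytes) -> list:
    """Names of every text signature found anywhere in the sector."""
    return [name for sig, name in TEXT_SIGNATURES.items() if sig in sector]


def boot_code_matches(sector: bytes, reference: bytes) -> bool:
    """Integrity check: bootstrap area identical to a known-clean copy?"""
    return sector[:BOOT_CODE_LEN] == reference[:BOOT_CODE_LEN]


def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Model of FDISK /MBR: replace the 446 bytes of bootstrap code and keep
    the partition table and signature untouched. Refusing to touch a sector
    without a valid signature is this example's own safety rule."""
    if not has_valid_signature(sector):
        raise ValueError("no 0x55AA signature; refusing to write")
    code = clean_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return code + sector[PART_TABLE_OFF:]


def make_sector(code: bytes, entries: list, extra_text: bytes = b"") -> bytes:
    """Build a constructed test sector from bootstrap bytes, partition entries
    and an optional text string placed inside the code area."""
    body = (code + extra_text)[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b""
    for bootable, ptype, lba_start, count in entries:
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0,
                             b"\x00" * 3, ptype, b"\x00" * 3, lba_start, count)
    return body + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed data: an arbitrary "clean" stub and one bootable FAT16 partition.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40
PARTITIONS = [(True, 0x06, 63, 1_000_000)]
CLEAN_MBR = make_sector(CLEAN_CODE, PARTITIONS)
# Suspect sector: different bootstrap bytes carrying Brain's text, same table.
SUSPECT_MBR = make_sector(b"\xeb\x34\x90" + b"\xcc" * 20, PARTITIONS,
                          b"Welcome to the Dungeon (c) 1986 Brain")


def report(sector: bytes, reference: bytes) -> dict:
    """Everything a clean-booted check would want to know about one sector."""
    return {
        "signature_ok": has_valid_signature(sector),
        "partitions": parse_partition_table(sector),
        "text_hits": scan_for_text(sector),
        "boot_code_clean": boot_code_matches(sector, reference),
    }


if __name__ == "__main__":
    print("before:", report(SUSPECT_MBR, CLEAN_MBR))
    repaired = rewrite_boot_code(SUSPECT_MBR, CLEAN_CODE)
    print("after: ", report(repaired, CLEAN_MBR))
```

Read the sector from a cold boot off a write-protected floppy, as every reply above says: with Brain or Tremor resident, the read is redirected and the scan sees the original, clean sector. The `rewrite_boot_code` step shows why "the partition table survives" is not the same as "the data survives": it removes One-Half's bootstrap code just as well as any other, and with it the only thing that was decrypting the encrypted cylinders on the fly.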