VIRUS-L Digest   Tuesday, 21 May 1996   Volume 9 : Issue 75

Today's Topics:

    Possible multiple copies of Digest Vol 9 #74 (ADMIN)
    Re: Word Macro Virus cleaner wanted
    Re: Identifying False Positives
    Re: How to select an anti-virus product?
    Re: Macro Viruses
    Re: Final decision
    Re: Rebooting, OSs...
    Re: vsumx605.zip Virus Information Hypertext Summary List, P.Hoffman
    Re: Word Macro Virus cleaner wanted
    Re: Macro Viruses (Concept etc.)
    Tentacle Virus and OS/2 (OS/2)
    Do macro viruses infect Finnish Word? (MAC,WIN)
    Can viruses infect from Recycle Bin (WIN95)
    Re: Writing to Win95 MBR? (WIN95)
    Re: NAV95 Rescue Disk problems (WIN95)
    Re: TPE (2) Virus (WIN95)
    Re: False Alarms in TBAV for Windows 95 (WIN95)
    Re: NAV95 Rescue Disk problems (WIN95)
    QUANDARY virus (PC)
    Re: Exebug, Filler and Slydell Virus on Compaq (PC)
    Re: Scanning Iomega Zip Drive (PC)
    Re: running antivirals on infected PC's (PC)
    Re: Tremor help (PC)
    Different scanners report diff viruses (PC)
    Cruncher (PC)
    Stealth_Boot_C - what does it do? (PC)
    Re: NAV version 3.09 - spurious virus alerts (PC)
    Is my pc 100% better now? (PC)
    Tremor (PC)
    Tremor (PC)
    Brain (PC)
    False alarms (PC)
    Need information about quandary-virus. (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current
FAQ document is in a file called vlfaq200.txt. Administrative mail
(e.g., comments or suggestions) should be sent to me at:
n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent
to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to:
VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 21 Tue 1996 00:10:07 +1200 (NZT)
From: Nick FitzGerald
Subject: Possible multiple copies of Digest Vol 9 #74 (ADMIN)
X-Digest: Volume 9 : Issue 75

The listserver packed a fit during the processing of Digest Vol 9 #73
and sent copies out to the diabetic@lehigh.edu list as well. It then
replaced the Virus-L subscribers list with the diabetic's list, which
received Digest Vol 9 #74. At this point I became aware of the problem.

The Virus-L list has been restored (thanks to Jim and co. at Lehigh!)
and I've resent the #74 digest. Some of you may have received two copies
of that digest, but I'm informed it is unlikely that any usual Virus-L
subscribers actually received copies from the first mail-out.

We apologize for any inconvenience and now return you to your usual
program.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Sat, 18 May 1996 10:12:39 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 75

Stefan Kurtzhals wrote:

> > The latest release of InVircible has a generic solution to the Word macro
> > malware problem. Generic as generic can be ! :-)
>
> Yes, -TOO- generic. IVX had 100% false positives here on my system with
> all antivirus-macros like SCANPROT, lots of regular tool macros and others.

I just tested IVX on three versions of SCANPROT that I have, no false
alarm.

> I guess you simply search for 8,"AutoOpen",0 and don't analyse the
> macro code at all. IVX missed 25% of the macro viruses I have here and it
> missed 75% of all trojans. You just have to use other macros than AutoOpen
> and FileSaveAs to fool IVX. A -very- weak protection!

Thanks for the suggestions but you got it all wrong.

> IVX also fails to detect macros in DOC files larger than 500 KB. It missed
> 50 Concept samples in such large files. You have to redesign IVX I think.

I checked IVX against Concept on huge docs (Eudora's - about 1.5 meg -
and my own product's manual). IV both found Concept and cleaned it like
a charm. I think you have to redesign your "tests" and make them look
sensible. 50 files of 500 K make 25 meg and take a lot of time to
prepare. All that trouble for discrediting a competing product to yours?
Naah!

> I wasn't able to test the IVX cleaning but I guess that you simply
> overwrite the "AutoOpen" macro name with spaces, or?

Nope, but nice try. :-)

> bye, Stefan Kurtzhals

Are you by any chance the same Stefan Kurtzhals that authored the
MEGATEST boobytraps? (Crypt newsletter #35, interesting reading!). I am
not familiar with German law, so can you please enlighten us what it
says about writing destructive code and giving it to others, without
warning them of its destructive nature?

For our readers' sake: The MEGATEST traps (Stefan Kurtzhals wrote two of
them, the second being an "improvement" of the first) are logic bombs
that render hard disk #1 inaccessible, not even for reconfiguring with
FDISK. Most users and techies will need to LOW LEVEL FORMAT the drive via
the BIOS setup utilities in order to regain access to the drive. IDE
drives may be permanently damaged in the process as they should not be
low level formatted, only at factory.
In case your hard drive was hit by one of these bombs, use either of the
following procedures: Boot with IBM DOS (the bomb is based on a problem
existing in MS-DOS 5 to 7, as well as in Win 95) and fix it with IV's
ResQdisk. Or, go INVIRCIBLE on Compuserve and download the ARF program
from the Hard Disk Recovery library in the forum. Both procedures will
restore access to the drive with all your data intact.

The seriousness of the above is that it seeds ideas to virus writers for
an extremely problematic payload for their viruses. Crypt newsletter #35
quotes Kurtzhals for bragging on his affiliation with VLAD, a virus
writer group.

> *** F/WIN - HEURISTIC VIRUS DETECTION AND REMOVAL ***

Be at rest Mr. Kurtzhals, I have no intent to check for the flaws in
your product. Not worth my time.

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel              Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 17 May 1996 23:05:02 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Identifying False Positives
X-Digest: Volume 9 : Issue 75

"A. Padgett Peterson P.E. Information Security" wrote:

>> Is there any accurate way to tell a false positive from a REAL virus?
>
> Frisk responded:
>
>> Disassemble and analyse it.
>>
>> If you settle for less than 100% accuracy, there are several rules of
>> thumb you can employ, like:
>
> I found a long time ago that some other tests work well. For instance if
> you just received a new scanner and a program you have been using for
> years is suddenly reported infected, I would suspect the new program.

Active screening is an effective way to tell a false positive from a
genuine infection. No need to disassemble, using thumb rules or
guessing. It's described in IV's on-line documentation.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel              Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 17 May 1996 23:05:21 +0000 (GMT)
From: Zvi Netiv
Subject: Re: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 75

Donald Heering wrote:

> I had no idea about the plethora of anti-virus utilities available on
> the market... Which one should I use? What I'd like is a product that
> can monitor file access in the background (running Win '95 ), like TBAV
> and McAfee do. And of course it should be able to detect (and clean, if
> possible) as many viruses as possible. Does one product suffice, or is
> it better to use more than one?

Here is one more to confuse you completely. :-)

A multilayered virus protection is more effective than duplicate and
triplicate scanners. They are just more of the same. Scanning new
software (from shelf, archived or download) is good practice, yet you
need to do it only once. There is no point in repeating scanning over
and over again since viruses didn't join the paratroopers yet, and they
don't just drop in. Since the differences in performance between the top
notch scanners are marginal, then just one scanner will suffice for that
purpose.

Antivirus TSR, VxD and activity monitors (or blockers) tend to conflict
with other applications, sometimes in the worst moment and conditions.
Moreover, TSR and VxD detect the same viruses, most times less, than the
scanner of the same maker can find. It's more logical then to use just
the scanner and obtain the same results, without the penalty of the
TSR/VxD/blocker. The latter also cripple your machine's performance and
resources.

The complementary layer consists of generic virus capture and integrity
monitoring and recovery, when necessary. Generic AV does NOT equate with
"change detection", as suggested in one of the replies to your post. The
combination of generic on-line protection and off-line software
screening yields the most effective protection, for the lowest
investment and no adverse effects on your computer's performance and
resources.

Lastly, beware of "independent comparative test reports". No such thing!
They are all conducted by parties with veiled or unveiled interest.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel              Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Sat, 18 May 1996 01:33:32 +0000 (GMT)
From: George Wenzel
Subject: Re: Macro Viruses
X-Digest: Volume 9 : Issue 75

>Zvi Netiv writes
>
>The latest release of InVircible has a generic solution to the Word macro
>malware problem. Generic as generic can be ! :-)

By generic, do you mean that InVircible generically removes the virus,
or that it generically tells the user how to remove it?

BTW, I've come up with a 100% foolproof method of generically
eliminating the macro virus problem: Uninstall Word, the Word Viewer,
and any and all other programs that read the MS Word macro language.
Problem solved!
:-)

Regards,
George Wenzel

- -
 |\      _,,,--,,_  ,)          George Wenzel
 /,`.-'`'   -,  ;-;;'           Student of Wado Kai Karate
|,4-  ) )-,_ ) /\               University of Alberta Karate Club
<---''(_/--'  (_/-'             http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Sat, 18 May 1996 19:30:01 -0700
From: Harald Horgen <"Harald Horgen"@smtp.wanadoo.fr>
Subject: Re: Final decision
X-Digest: Volume 9 : Issue 75

keith@command-bbs.com wrote:

> >F-Prot, Dr. Sol, McAfee
> >
> >Which is the Best or two best AV's around for scanning.
>            ""  ""  ""           for use as a
> >TSR
>            ""  ""  ""           for cleaning
> >
> >....I assist in running a DOOM BBS and need to know which one(s) to
> >implement. What should we choose......We have been running this BBS for
> >some time but are now going to get really serious on an Antivirus program.
> > We are getting more and more files (all types) and would like to assure
> >our players that they WILL NOT BECOME INFECTED through us. Luckily not
> >one has gotten a virus from our file libraries yet! Any suggestions?
> >Should we shut down the BBS and this way we can be 100% safe :) ? Well
> >thanks in advanced for any input you may have for me. I'm planning to pay
> >as much as possible but, not something that is unreasonable ($ 250 tops).
> >Am I being reasonable?

The product you should take a close look at is Vi-Spy from RG Software
in Scottsdale Arizona. There are two primary reasons:

1. It is the only program we know of that uses the same scanner in the
TSR as in the general scanner. Virtually every other product runs into
severe memory limitations, and as a result they have had to drop virus
signatures from the TSR. So while many products have a very good
front-end detection rate, they do much worse when you are relying on the
TSR to do its job, and unless you scan every file that enters the
machine, you are left vulnerable.

2. The Vi-Spy TSR is only 12K, which is a fraction of the size of the
others. Vi-Spy is written in Assembler, which makes the code much more
efficient than other products. By way of example, it is our
understanding that F-Prot's TSR takes up 40k of conventional RAM, Norton
30K+, and McAfee 64K. They all claim smaller memory requirements, but at
the cost of less protection.

RG Software can be reached at Tel: 602/423-8000, and fax: 602/423-8389.

Hope this helps,

Harald Horgen
The York Group
Paris, France

------------------------------

Date: Sun, 19 May 1996 11:23:08 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Rebooting, OSs...
X-Digest: Volume 9 : Issue 75

In article <0005.01I4W65N0B36SKYVA0@csc.canterbury.ac.nz>
bluefox@easynet.on.ca "Jad" writes:

> First off, do you really have to turn off the computer instead of
> rebooting when you think/know you have a virus and want to boot from a
> floppy? I mean, doesn't a warm boot clear the entire memory banks?

No, it doesn't, and there are at least two viruses that are known to
survive the Ctrl-Alt-Del warm reboot.

> And a cold boot should do it for sure.

What does "cold boot" mean and does your "Reset" button actually give
you a cold boot? Turning off and on does the job for certain. Why dick
around?

> I once downloaded a program, and for some reason ran a BBS and
> program before scanning all the files. I then ran TBAV and it
> said it was possibly infected. I did a warm reboot, cleaned the
> Tai-pan virus from TBSCAN and the BBS ad with no problem(using my
> second scanner, F-PROT). Any comments?

Sure, you will get away with this with many viruses. Others will play
you up. Care to guess which is which, and bet your data on the
correctness of your guess? An anti-virus expert might know which viruses
are safe to remove without a cold boot and which aren't, but the normal
user doesn't need to know that, he just needs to take the standard
precaution of cold booting. It isn't a difficult or time consuming job,
after all.

> Also, how are operating systems like Unix, OS/2(using the HPFS
> file system) with viruses? Are they more "immune" to viruses than
> the DOS and Win/Win95 operating systems?

There are very few viruses in Unix, more that work in OS/2. No operating
system that can actually be used is "immune", but DOS has more viruses
than any other operating system. However, many viruses don't care what
the operating system is. They subvert the PC BIOS before the operating
system is even loaded. Some of these will stop infecting after the
operating system is loaded, or be affected in some other way, or
interfere with the operating system loading, but they will infect the
computer whichever operating system is installed. They can also deliver
their payload (ie trash the disk).

> A friend once got the Ripper virus on his machine, which was not
> detected by CPAV, MSAV(yuck), or NAV until I thought of giving
> him some real scanners. We run them just for fun, and TBAV found
> the Ripper virus in the boot sector. Cleaned it and the hundreds
> of floppy disks, then ran NDD on the hard drive to check for
> errors(F-PROT said it corrupts approx. 1 in every 1000 disk
> writes), but found none whatsoever. Anybody know why?

Sure. The damage it does is not detectable by "disk doctor" type
software. It just changes bits of data. If you open all your word
processor files and change all the "a"s to "b"s, NDD will not discover
these errors either. Ripper's damage is more difficult to find than
that.

> Last thing. Would it be possible to write software to make the
> partition (MBR) table and boot sector "read only"? If so, would
> it be easy for viruses to defeat the software protection?

Some PCs have a BIOS option that can be set in the CMOS setup to do
this. Some viruses can defeat it. There are add on hardware cards that
can do this, too.
There is also software that offers this, but it is not yet loaded at
boot time when the facility is most useful to protect against infection
by boot sector viruses. Such techniques are useful, but not the whole
answer.

- -
      LIFE IS SWEET
    AND THEN BUT OH
       HOW BITTER!
       NOT GIT 'ER
     TO LOVE A GAL
         Burma-Shave

------------------------------

Date: Sun, 19 May 1996 12:43:35 +0000
From: Fridrik Skulason
Subject: Re: vsumx605.zip Virus Information Hypertext Summary List, P.Hoffman
X-Digest: Volume 9 : Issue 75

> Patricia Hoffman's "hypertext" led summary of most known
> viruses

"most" ... well, I wouldn't say that....there are over 8000 PC viruses,
and VSUM does not describe "most" of them.

> with detection method,

usually incomplete.

> removal method,

usually wildly incorrect

> what they do

usually wrong or incomplete

> brief history of them

usually inaccurate

> and much more.

of the same quality as the rest (or even worse...her "family trees" are
utter garbage)

> Also includes her evaluation of the various virus detection and
> removal programs around.

usually inaccurate, incomplete and biased....

-frisk

- -
Fridrik Skulason     Frisk Software International     phone: +354-5-617273
Author of F-PROT     E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Sun, 19 May 1996 21:35:39 -0500
From: "R. Zalk"
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 75

You can find it at http://mcafee.com or search for 'Vdoc', a free
Concept only AV.

Good Luck,
R. Zalk

------------------------------

Date: Sun, 19 May 1996 21:38:46 +0000 (GMT)
From: Jim Champ
Subject: Re: Macro Viruses (Concept etc.)
X-Digest: Volume 9 : Issue 75

CLAYTON E RUTH wrote:

[big snip]

>My primary problem with Word Macro viruses is getting them out of
>cc:Mail file attachments. I look forward to the day (hopefully soon?)
>when one of the many AV developers out there comes up with something
>that will intercept them and clean them up as they pass from cc:Mail to
>Word when the user double-clicks the attachment. It would be even better
>to back-feed the cleaned-up document into cc:Mail so that the infected

Bearing in mind the way cc:mail stores messages I shouldn't hold your
breath waiting for this one [the back-feed]... probably better to work
on stopping them getting into the cc:mail system in the first place.

It's also theoretically possible to create a system that does virus
checks on attachments as messages flow between post offices through
routers. However the only way I've seen it done is hideously slow, and
only really practical on incoming external mail.

Best bet within an organisation *at the moment* looks to me (as an
amateur in this virus stuff) to have scanning on all PCs as well as the
usual foot bath for incoming floppies. A Windows based scanner stops
Word opening a macro virus infected document from disk, I would have
thought it would do the same job opening from cc:mail - after all it
just seems to create a temp file and open that.

Jim C

------------------------------

Date: Sun, 19 May 1996 01:14:55 +0000 (UTC)
From: Bill
Subject: Tentacle Virus and OS/2 (OS/2)
X-Digest: Volume 9 : Issue 75

We are just finishing up clean-up from a Tentacle virus episode. One
question that this has raised is, what are the implications of this
virus on a PC running OS/2 or to an OS/2 LAN environment. In particular
can this virus running in a window session on an OS/2 infect programs
even within the OS/2 file structure? Would this result in an infected
program that could infect others or would it just corrupt the program
making it unusable.

On the same topic, are there any OS/2 specific viruses in the wild.

Appreciate anything that people in this group can offer on this.

Thanks....Bill

- ---------------------------------------------------------------
Bill Mulvale, CISSP, SCO ACE           bmulvale@idirect.com
Corporate Security Services            (905) 828-1964
- ---------------------------------------------------------------

------------------------------

Date: Sun, 19 May 1996 15:19:55 +0300 (EET DST)
From: Marjut Kaistinen
Subject: Do macro viruses infect Finnish Word? (MAC,WIN)
X-Digest: Volume 9 : Issue 75

I heard about Word's macro virus and now two of my friends are arguing
about whether it can infect other language Word macros (for example FI)
than Word UK/US.

So, can somebody help me and my friends?

------------------------------

Date: Sat, 18 May 1996 04:53:54 +0000 (GMT)
From: Nick FitzGerald
Subject: Can viruses infect from Recycle Bin (WIN95)
X-Digest: Volume 9 : Issue 75

Someone called "Steve", with otherwise completely invalid addressing
information, submitted the following question. Please do -NOT- reply to
me, but reply to the list or followup to the newsgroup.

===============

Can a virus infect while residing in the recycle bin/trash can? Hope
someone got a good laugh off that, but I seriously don't know. :)

Steve

------------------------------

Date: Fri, 17 May 1996 23:05:15 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Writing to Win95 MBR? (WIN95)
X-Digest: Volume 9 : Issue 75

Dennis G German wrote:

> How does one go about re-writing the master boot record
> when running WIN95.
>
> Friend of mine (no, really) has detected NYB.
> Can MBR be re written?

InVircible's ResQdisk, IVinit and IVscan will do it automatically on IDE
drives, in a single step, from the infected drive itself. For all other
drives (SCSI, MFM ESDI etc.) use ResQdisk manually with the following
procedure: Boot from the infected drive, and run ResQdisk /B (backup).
Reboot clean and run ResQdisk /R (restore), from the same drive on which
you did the backup. Done! InVircible is available from any site in my
sig.
Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel              Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 17 May 1996 23:04:54 +0000 (GMT)
From: Zvi Netiv
Subject: Re: NAV95 Rescue Disk problems (WIN95)
X-Digest: Volume 9 : Issue 75

David Lazarus wrote:

> I upgraded my NAV95 virus listing with the May 1996
> list. Since I did this my system fails with a
> message "The virus was found in memory". I was
> running NAV 95 without the latest updates. Somehow
> a memory area virus found its way onto my system
> and only the May 1996 updates detected it.
>
> But the rescue disk is helpless. I updated it from
> a clean system and booted on the infected system
> with it, but after putting the second diskette in
> and running NAVBOOT it halts the system with the
> same message.

Bypass the config.sys and autoexec by hitting F8 and select the command
prompt option. Then run another anti-virus that won't freeze the system.
If the cause is a boot infector then InVircible can help removing it
from an IDE drive when booting with the virus in memory.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel              Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 17 May 1996 23:04:46 +0000 (GMT)
From: Zvi Netiv
Subject: Re: TPE (2) Virus (WIN95)
X-Digest: Volume 9 : Issue 75

cruisin@StarText.NET wrote:

> Got a quick question for the group. My OS is Win95. I have two hard
> drives. The first one is set up as C: & D: and the last drive is E:
> with F: being my CD-Rom. My main virus program is NAV using the May
> definitions. I'm also running Norton Navigator and Utilities for
> Win95.
>
> On boot-up with Norton starts to do an image of the drives, the
> Auto-Protect is detecting the TPE (2) virus in the following files:
>
> Image.IDX
> Image.DAT

IMAGE.DAT is a data file that mirrors your FAT. The IDX file is the
index and indicates where the image file can be found. Obviously, NAV is
false alarming. What surprises me is that both IMAGE and NAV are from
the same producer. I would expect that a producer's product should be
compatible with the others, from the same make.

> The system stops until I delete the files. The Image program works
> fine on the other two drives C: & D:. Up till last week, the Norton
> Image worked fine on all three drives, then this problem started
> happening. I then run a complete scan on the system and it can't find
> a thing. I re-boot and the warning comes up again.
>
> I've created a Rescue disk and done a clean boot but the only drive
> recognised is C:, so I can't get to the other drives when rebooting.
> I've also tried rebooting with the Win95 system disk and I've got the
> same problem, only C: is showing.

It's unclear from your post if you can access D: and E: when booting
from the hard drive, or you don't see them only when booting from A:.
If you totally lost access to the higher partition and the second disk,
then your rescue disk procedure was faulty and probably messed with the
CMOS setup and the first disk MBR. Go to the setup and see if the second
drive is defined or indicated "not installed". Correct what needs to be
corrected and reboot.

To recover a lost partition you can use ResQdisk Professional, from the
InVircible package. It will also help you find the setup parameters of
the second drive in case you don't know what they were. Finally,
InVircible makes a rescue diskette that will spare you such trouble in
the future.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel              Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 17 May 1996 22:26:47 -0400
From: MadScrib
Subject: Re: False Alarms in TBAV for Windows 95 (WIN95)
X-Digest: Volume 9 : Issue 75

In article <0011.01I4R65S3E88SKYBYJ@csc.canterbury.ac.nz>, CLAYTON E
RUTH writes:

>Validating the mismatch fixed the problem, so long as I didn't run
>TBSetup again. Therefore, my recommendation to anyone trying to use
>TBAV for Windows 95 is as follows:

I usually don't bother with such extreme measures to make something
work. If I am unable to get a program to work properly the first time
(or after a few tries, I will usually give them (the programs) a
chance), I will simply NOT USE THAT PROGRAM. I have used TBAV in the
past, and IMHO I'm just not that impressed with it. I'll stick to
running F-Prot in a DOS session window, thank you.

Cory C. Lunde
Computer Support Specialist
Kwik Trip, Inc.

(Note: The opinions expressed above do not represent the opinions of my
employer and are to be considered personal opinions only.)

------------------------------

Date: Sun, 19 May 1996 11:13:50 +0000 (GMT)
From: Iolo Davidson
Subject: Re: NAV95 Rescue Disk problems (WIN95)
X-Digest: Volume 9 : Issue 75

In article <0008.01I4W65N0B36SKYVA0@csc.canterbury.ac.nz>
taszm@vmsa.csd.mu.edu "Maciej Tasz" writes:

> If memory scanning is
> disabled, the virus is not found in boot sectors.

This is normal with a stealth virus, and the reason for memory scanning
in the first place. Disabling memory scanning is not a good idea unless
you are very knowledgeable about viruses.

> Booting from diskette is useless.

It's vital. If you can't manage it, then *that* is the problem you need
to solve. It may not be necessary in order to clean all viruses, as not
all viruses are stealthed, but you don't get to choose which virus you
get infected by, and there is no way for users inexperienced with
viruses to know which are stealthed and which are not. Ripper has a
very dangerous payload and you need to get rid of it.

- -
      LIFE IS SWEET
    AND THEN BUT OH
       HOW BITTER!
       NOT GIT 'ER
     TO LOVE A GAL
         Burma-Shave

------------------------------

Date: Sat, 18 May 1996 04:48:23 +0000 (GMT)
From: Nick FitzGerald
Subject: QUANDARY virus (PC)
X-Digest: Volume 9 : Issue 75

Someone called "Steve", with otherwise completely invalid addressing
information, submitted the following question. Please do -NOT- reply to
me, but reply to the list or followup to the newsgroup.

===============

I was hit with the Quandary virus about 3 weeks ago, and since then I
have heard of three other infections (not possible that I cross
contaminated). Seems to me that this is a fairly large infection rate,
but I'm no expert. Anyone else come across this virus lately? How about
any info on it? (besides that fact that it affects BS's) Incidentally,
McAfee ViruScan95 picked it right up and killed it just as fast.

Steve

------------------------------

Date: Sat, 18 May 1996 12:02:14 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Exebug, Filler and Slydell Virus on Compaq (PC)
X-Digest: Volume 9 : Issue 75

PAUL HENNION wrote:

> I have a compaq presario 425 and have found to have had the above
> viruses but can't boot up from a stiffy because the viruses have
> messed it up. Can anyone Help?

For our readers' sake, 'stiffy' is a 3.5" diskette, as 5.25" diskettes
are called floppies.

I recently posted about a similar problem with a Compaq Presario model.
As you aren't the first one with the problem, and surely not the last
one, here is a more detailed description of the problem and how to solve
it.

Machines running under DOS / Win95 have their hard disks usually
configured with the DOS partition first.
Consider Win 95 as DOS for that matter, as it is indeed MS-DOS 7, and
the hard drive is configured the same way as for DOS. There are good
reasons for configuring disks this way; the most important are
vulnerability to boot-partition infectors and ease of recovery in case
of such damage.

As stated in my former post, Compaq uses a non-standard configuration
for their models, which makes things worse when your machine is hit by
such a virus. Compaq disks have a non-DOS partition, a few megs in
size, coming first, and the main DOS partition, usually the rest of the
drive, coming second. That wouldn't be a problem if Compaq didn't
insist on doing it their way.

Good design requires that a critical partition should have an
independent boot chain consisting of a partition sector and a boot
sector. This is for recovery utilities to find the partition and
restore it in case it was lost. Compaq's second mistake is that the
main DOS partition does not have a partition sector of its own, but
begins with a boot sector where a partition one is expected! When the
partition data in your MBR is corrupted (or zeroed), then recovery
utilities won't find the DOS partition and will rebuild a large
partition extending from cylinder 0 to the full capacity of your drive.
Obviously this would render all the data in what was your former DOS
partition inaccessible.

If the data on the disk is valuable then the best (and most expensive)
option would be to seek data recovery expert assistance. Advanced users
can use InVircible Professional; the procedure for fully recovering a
Compaq disk is described in the online documentation.

One way or another, when you have your disk and data back, install
InVircible and make its rescue diskette. In case the computer gets hit
by one of those nasties, it will then take just a minute to recover the
hard drive.
Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/              ftp.invircible.com
CompuServe: go INVIRCIBLE           E-mail: netz@actcom.co.il
netz@invircible.com                 Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Sat, 18 May 1996 12:02:23 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Scanning Iomega Zip Drive (PC)
X-Digest: Volume 9 : Issue 75

GUY NOCE/COMPUTING AND NETWORK SERVICES/X-3956 wrote:

> Is there a way to scan the contents of a Zip Drive? My job requires
> installation of Novell's Lan Workplace and 3Com NIC installation, both
> of which jobs are speeded by the use of a Zip Drive (versus floppy
> disks). Our standard practice is to use a reliable, up-to-date scanner
> before beginning the installations (I use F-Prot, a co-worker uses
> McAfee). So far, this method has worked quite well.
>
> It is necessary, however, in doing these installations, to leave the
> zip drive in a non-write-protected mode. Although I trust F-prot in
> most cases, sometimes I see something really weird that none of the
> suite of AV products I carry turns up a positive finding. (Generally
> these are probably nothing, just a corrupt command.com or something,
> but it's worrisome.) In any event, it would please me to be able to
> scan the contents of my Zip drive, which doesn't seem possible.
>
> Also, we occasionally need to download zipped files from the University
> of Maryland bulletin board for use in specialty programs. Of course I
> unzip the files on a virgin PC and scan them there.
>
> In any case, I reiterate my question: Can Iomega's Zip Drive be scanned?
The problem isn't whether the zip drive has infected files but whether
the machine you are working on is infected and will "donate" its
infection to your zip drive, to be transferred to the next client you
service. This is the most common way viruses are transferred, sometimes
on an INFECTED SCANNER program. Servicing many sites and users, you are
at the highest risk of becoming a virus carrier and disseminator (not
yourself, of course, just the software you carry in various forms).

Scanning isn't sufficient, although necessary. No matter how many
scanners you use, there is always the possibility that the virus at
hand is new, modified or just active and thus undetectable. There is a
top notch scanner that won't see Nightfall when active in memory
(although it detects it when booting clean) and it was the cause of
spreading Nightfall to a whole cluster of servers! Natas spread the
same way all over North America, because a couple of scanners failed to
see it when active and servicemen brought Natas on their virus scanners
from Mexico to the US. Read the story in George Smith's book, "The
Virus Creation Labs".

The key to handling the problem is generic AV, especially the detection
part. InVircible will provide for that. Install IV on your home base
machine and have all downloaded software actively screened under IV's
surveillance. This should detect everything viral that escaped your
scanner. Don't start a scanner without first assuring that the
environment is clean by checking with IV's generic probes. You might
just be spreading the next virus to Natas, Nightfall or Manzon by
blindly scanning. Have a write-protected floppy with IV and use it to
check the HOST machine BEFORE launching your scanner. Only after having
tested the host, first generically, then with your scanner, can you
proceed safely with your zip drive, without risking CATCHING a virus
and passing it on.
Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/              ftp.invircible.com
CompuServe: go INVIRCIBLE           E-mail: netz@actcom.co.il
netz@invircible.com                 Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 17 May 1996 23:04:37 +0000 (GMT)
From: Zvi Netiv
Subject: Re: running antivirals on infected PC's (PC)
X-Digest: Volume 9 : Issue 75

"A.Appleyard" wrote:

> How good are the latest versions of the various common antivirals (when
> called from a server or a write-protected floppy on an infected PC that
> has been booted from its hard disk) at (a) finding, (b) removing, the
> various viruses?

InVircible was designed to function in a hostile (virus infected)
environment. With IDE drives, InVircible is the preferred way to remove
stealth boot infectors (the majority of infections, from 70 to 80%,
perhaps more) without needing to boot clean. InVircible will both
detect and REMOVE those viruses upon booting from the hard drive. Note
that IV does not identify the virus, just removes it, regardless of
whether it's new or common.

As for file infectors, those are easily detected by IV's generic
capture methods. Generic capture is far more reliable than virus
scanning. Unlike scanners and signature/heuristics based TSRs and VxDs,
IV is unobtrusive and won't cripple your machine or take it over.

Available from any of the sites in my signature.
Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/              ftp.invircible.com
CompuServe: go INVIRCIBLE           E-mail: netz@actcom.co.il
netz@invircible.com                 Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 17 May 1996 23:05:08 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Tremor help (PC)
X-Digest: Volume 9 : Issue 75

Roy Mahfouz wrote:

> does anybody know how to kill TREMOR???

Tremor is a full stealth infector, and unlike other Neurobacher's
viruses (Nightfall, Neuroquila), Tremor is not a fast infector. Because
of its full stealth property, Tremor is easily removed by cooperative
integrity recovery. Actually the virus removes itself.

Boot from the infected drive and secure all files with IV's integrity
program (IVB C: /S), while the virus is active in memory. Reboot clean
from a DOS floppy and with a clean copy of IVB restore all programs to
their *exact* preinfected state - with IVB C: /R. The same method works
with all full stealth viruses (Nightfall, Neuroquila, Die-Hard etc.).
InVircible doesn't need to be installed before being infected with
Tremor; this method works on an already infected machine just the same.

Fast, effective and safe.
Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/              ftp.invircible.com
CompuServe: go INVIRCIBLE           E-mail: netz@actcom.co.il
netz@invircible.com                 Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Sat, 18 May 1996 03:16:18 +0000 (GMT)
From: Temple
Subject: Different scanners report diff viruses (PC)
X-Digest: Volume 9 : Issue 75

We have the mcafee, f-prot, and dos virus scanners. Mcafee and dos both
say that the memory is infected with monkey virus. F-prot says that
memory is infected with the stoned virus. I checked the hard drive and
floppy drive boot disk with f-prot and it said that they were clean,
but for some reason we keep getting the report that memory is infected
even after booting from a supposedly clean boot disk. Anyone have any
suggestions? Is there a way to clean the memory? (When we try to run
the scans including the memory, we get the message to reboot from a
clean floppy).

Thanks.

[Moderator's note: Are you accurately reporting -exactly- what these
scanners reported? I suspect not -and- that at least one of them is
saying something to the effect "a new variant of". The Monkey and
Stoned families of viruses are closely related, so it is not surprising
in the case of new variants for there to be some apparent confusion.
Make sure you have the latest versions of your scanners and check
again, paying careful attention to the exact wording of the warnings
you get.
The issues involved in addressing your problem are all covered in
various parts of the FAQ for this group:
ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt]

------------------------------

Date: Sat, 18 May 1996 22:34:40 -0700
From: Sune Lundholm
Subject: Cruncher (PC)
X-Digest: Volume 9 : Issue 75

F-prot 2.22 (heuristic) reports Cruncher in a .com file. (not in
memory) It's not supposed to be in the wild. Is it a known false alarm?

Another question: When you use a "paranoid" scan (not just F-prot) they
(TBAV, AVP and others) report lots of suspicious unknown viruses.
Should you be "paranoid"?

S
____________________________________________________________________
Sune Lundholm                   Teacher & Admin Satunaskolan
sune.lundholm@sigkom.atd.se     sune@novell.central.se
http://www.central.se/satuna/satuna.htm
________________________________________Ars_longa_vita_brevis_______

[Moderator's note: The "paranoid" heuristics options of various
scanners are mainly there for "experts" who should be better able than
"typical users" to interpret what they report. At least one of the
products you named clearly states this in the documentation and says
"don't tell us about `false' reports with the paranoid option".]

------------------------------

Date: Sat, 18 May 1996 15:47:59 +0000 (GMT)
From: Jock Mackirdy
Subject: Stealth_Boot_C - what does it do? (PC)
X-Digest: Volume 9 : Issue 75

When reading a floppy containing files copied from another PC my F-PROT
Virstop TSR reported "Stealth_Boot_C detected". I was able to use
F-Prot to disinfect my floppy disk. I now want to disinfect the PC from
which I "caught" the virus but I need to know how long I can delay
doing it. What does this virus actually *do* ?
Jock Mackirdy
Luton, UK

------------------------------

Date: Sun, 19 May 1996 12:39:52 +0000
From: Fridrik Skulason
Subject: Re: NAV version 3.09 - spurious virus alerts (PC)
X-Digest: Volume 9 : Issue 75

In <0022.01I4TYX3P7FWSKYVA0@csc.canterbury.ac.nz> David Cohen writes:

>The problem appears to be memory related - when we run NAV from our
>security shell front end (InControl v1.2), the memory scan reports
>infection with the HLLC.HAPPY_MONDAY.B virus.

Memory scan ? NAV doing a memory scan for non-resident HLL (Pascal or
C) viruses ? No wonder you get false alarms.

>In both cases the DOS TSR is loaded. The shell stays resident in
>memory when running the other programs. However, no amount of memory
>reconfiguration can resolve the problem.
>
>Any ideas?

Get a better AV program.

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Sun, 19 May 1996 10:54:42 -0500
From: Rod Murad
Subject: Is my pc 100% better now? (PC)
X-Digest: Volume 9 : Issue 75

I'm using a Gateway p5-60 with win '95. Also have the latest Anti virus
by McAfee. McAfee cleaned both the Jumper B and the NYB virus from my
machine. Chkdsk says that I have 655,360 total bytes of memory and my
bios looks okay; is there anything else I can do to make sure my system
is okay? Maybe I'm just seeing ghosts but it seems like things are
running much slower now. Almost like I have less ram.

Thanks for the help,

- -
Keep Surfin,
Rod
mailto:rmurad@pionet.net
http://WWW.pionet.net/~rmurad/

------------------------------

Date: Sun, 19 May 1996 11:44:12 -0400
From: Bill lambdin
Subject: Tremor (PC)
X-Digest: Volume 9 : Issue 75

Graham Cluley writes

>It is important for anti-virus products to detect Tremor in memory as it
>is a full stealthing virus.
>Of course, Dr Solomon's can detect Tremor in
>memory but we recommend that you cold-boot from a clean (virus-free)
>write-protected disk before attempting the clean-up.

Graham:

I couldn't agree more. Complex viruses like Tremor, and others MUST be
detected in RAM or generally they will not be detected. This is one of
the major reasons that I refuse to recommend InVircible written by Zvi
Netiv. Below is an exact quote from the results of my last test of
InVircible February 1996.

- --------------------------------------------------------------------
Tremor

This virus was selected because it is a resident, appending,
polymorphic, fully stealthed, and Tunneling virus. This virus is in the
wild.

IVINIT.EXE reported "No virus activity detected in memory!"
IVTEST.EXE reported "No virus activity detected at this time!"
IVB.EXE reported "All file(s) match their recorded signature(s)."

Since none of these report anything (while Tremor was active in RAM),
the users would incorrectly assume there is no virus activity while
Tremor continued to infect their programs.

Since IV's Modules were unable to detect Tremor active in RAM or on
infected files while Tremor is active, users of IV are very susceptible
to this and other similar viruses.

The only way IV can find Tremor is to boot clean and run IVB from the
secured rescue diskette mentioned earlier. After I booted clean, and IV
was in a position to take control, IV found Tremor easily.

How are users supposed to know there is anything wrong, and know to
boot clean from a secured diskette?

Failure.
- -------------------------------------------------------------------

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                       C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sun, 19 May 1996 11:44:22 -0400
From: Bill lambdin
Subject: Tremor (PC)
X-Digest: Volume 9 : Issue 75

Graham Cluley writes

>Tremor
>
>Type: Memory-resident file virus
>
>Affects: Fast infector: COM and EXE files on execution and almost on any
>access. COM files are infected only if they start with 0E9h byte (JMP
>instruction).

This is not entirely correct. Tremor is not a fast infector, and Tremor
will infect COMMAND.COM.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                       C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sun, 19 May 1996 11:44:26 -0400
From: Bill lambdin
Subject: Brain (PC)
X-Digest: Volume 9 : Issue 75

Graham Cluley writes

>The reason why I'm asking is that all the versions of Brain we have ever
>seen only infect floppy disks - they don't infect hard disks at all. I'm
>just wondering whether you might have a false alarm.

You're correct that the original Brain BSV (Boot Sector Virus) only
infects the boot sectors of floppies, mostly 360K diskettes. But isn't
there a variant named Shoe, or Shue, that infects the MBR of hard
drives?

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                       C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sun, 19 May 1996 11:44:31 -0400
From: Bill lambdin
Subject: False alarms (PC)
X-Digest: Volume 9 : Issue 75

Bruce Burrell writes

> No.
> But come on, Bill: you've snipped a whole bunch of stuff both
> that states the situation of JMCarlini, and qualifies my response:

I agree that running a program to determine if a virus replicates, or
disassembling the files for analysis, is a good way to determine if it
is a false alarm or a real virus. However, your message implied that
users should run the file on their system. It is best for users to send
the virus infected files or false alarms to a virus researcher or A-V
developer for analysis.

My original objection stands, because it is much easier for users to
handle a virus in one file instead of having to clean 5-100 infected
files on a hard drive.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                       C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sun, 19 May 1996 17:46:51 -0400
From: Lilabaer
Subject: Need information about quandary-virus. (PC)
X-Digest: Volume 9 : Issue 75

Gotcha. Quandary boot virus sitting in my MBR. Located by f-prot, but
could not be removed. System message: could not find original MBR ???

I have tried everything. Of course I have booted from a clean disk. But
f-prot isn't able to remove the virus. Just the above message. Fdisk
/mbr changes nothing.

Forget my English. Just help.

No files are infected yet. The virus database contains no information
because I only use the shareware version. It looks like a very new one.
No other virus scanner knows it. Last but not least - formatting the
disk - without success.

PLEASE ... :-(((

Dirk

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 75]
*****************************************
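Added example for Zvi Netiv's description of the Compaq partition layout above (editor's code, not from InVircible or any poster): a parser for the MBR partition table that flags a zeroed table and a non-DOS partition placed ahead of the DOS one, plus a scan that finds a FAT boot sector by its own signature, so the DOS partition can be located again after the table is lost instead of being overwritten by a rebuilt partition starting at cylinder 0. All sectors are constructed; the 0x12 type used for the small non-DOS partition is an assumption.

```python
import struct

SECTOR = 512
TABLE_OFF = 0x1BE                     # four 16-byte partition entries start here
SIG_OFF = 0x1FE                       # 0x55AA signature
SIGNATURE = b"\x55\xAA"
FAT_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}   # FAT12/16/32: what DOS and Win95 boot from

def parse_partition_table(sector):
    """Return [(boot_flag, type, lba_start, sector_count)] for the four entries."""
    if len(sector) != SECTOR or sector[SIG_OFF:] != SIGNATURE:
        raise ValueError("no 55AA signature: sector overwritten or not a partition sector")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        start, count = struct.unpack("<II", raw[8:16])
        entries.append((raw[0], raw[4], start, count))
    return entries

def is_fat_boot_sector(sector):
    """Heuristic for a DOS boot sector: JMP opcode, printable OEM name, BPB with
    512-byte sectors and a power-of-two cluster size, 55AA at the end."""
    if len(sector) != SECTOR or sector[SIG_OFF:] != SIGNATURE or sector[0] not in (0xEB, 0xE9):
        return False
    if not all(0x20 <= b < 0x7F for b in sector[3:11]):
        return False
    bytes_per_sector, per_cluster = struct.unpack("<HB", sector[11:14])
    return bytes_per_sector == 512 and per_cluster in {1, 2, 4, 8, 16, 32, 64, 128}

def check_layout(mbr):
    """Findings about an MBR in the terms of the post: zeroed table, non-DOS first."""
    entries = parse_partition_table(mbr)
    if all(ptype == 0 for _, ptype, _, _ in entries):
        return ["partition table zeroed: nothing for a recovery tool to locate"]
    fat_idx = [i for i, (_, ptype, _, _) in enumerate(entries) if ptype in FAT_TYPES]
    if not fat_idx:
        return ["no FAT partition listed"]
    if fat_idx[0] != 0 and entries[0][1] != 0:
        return ["non-DOS partition precedes the DOS partition (Compaq-style layout)"]
    return []

def find_fat_boot_sectors(image):
    """Scan a sector-aligned disk image for FAT boot sectors. With the table lost,
    this says where the DOS partition really starts instead of letting a tool
    rebuild one big partition from cylinder 0 over the old data."""
    return [lba for lba in range(len(image) // SECTOR)
            if is_fat_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])]

# Constructed sample sectors (not taken from a real drive).
def make_mbr(entries):
    sec = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(entries):
        off = TABLE_OFF + 16 * i
        sec[off], sec[off + 4] = boot, ptype
        sec[off + 8:off + 16] = struct.pack("<II", start, count)
    sec[SIG_OFF:] = SIGNATURE
    return bytes(sec)

def make_fat_boot_sector():
    sec = bytearray(SECTOR)
    sec[0:3], sec[3:11] = b"\xEB\x3C\x90", b"MSWIN4.0"
    sec[11:14] = struct.pack("<HB", 512, 8)
    sec[SIG_OFF:] = SIGNATURE
    return bytes(sec)

DOS_FIRST = make_mbr([(0x80, 0x06, 63, 1_000_000)])
# Type 0x12 for the small non-DOS partition is an assumption (Compaq diagnostics type).
COMPAQ_STYLE = make_mbr([(0x00, 0x12, 63, 8000), (0x80, 0x06, 8063, 1_000_000)])
# Tiny image: a zeroed MBR, four blank sectors, then an orphaned DOS boot sector at LBA 5.
LOST_TABLE_IMAGE = make_mbr([]) + bytes(SECTOR * 4) + make_fat_boot_sector()
```

Run against a real image only after checking the table with check_layout; the boot-sector scan is a heuristic and reports candidates, not a verdict.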
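Added example (editor's code, not InVircible's or any poster's) for the two Tremor threads above: Zvi Netiv's "secure under the virus, restore after a clean boot" method and Bill Lambdin's observation that IVB reported all files matching while Tremor was resident. A toy disk filters reads while a full-stealth infector is "resident", and an integrity database with an assumed record layout (size, hash, first 16 bytes) records clean images under stealth and restores them once the filter is gone. The altered file is a constructed byte string with no virus code.

```python
import hashlib

MARKER = b"<simulated appended body>"   # stands in for the appended code; no replication logic

def tamper_appending(original):
    """What an appending infector leaves on disk: first 3 bytes replaced by a jump,
    original head kept at the end of the file. Constructed stand-in, not a virus."""
    jump = b"\xE9" + (len(original) - 3).to_bytes(2, "little")
    return jump + original[3:] + original[:3] + MARKER

def stealth_view(on_disk):
    """While a full-stealth virus is resident, reads of an altered file are served
    as the original: head put back, appended bytes hidden."""
    if not on_disk.endswith(MARKER):
        return on_disk
    tail = len(MARKER) + 3
    head = on_disk[-tail:-len(MARKER)]
    return head + on_disk[3:-tail]

class Disk:
    def __init__(self, files):
        self.files = dict(files)
        self.resident = False          # True = stealth virus active in memory

    def read(self, name):
        data = self.files[name]
        return stealth_view(data) if self.resident else data

    def write(self, name, data):
        self.files[name] = data

def digest(data):
    return hashlib.sha256(data).hexdigest()

def secure(disk, names):
    """Record size, hash and the first 16 bytes of each program (assumed record layout)."""
    return {n: (len(disk.read(n)), digest(disk.read(n)), disk.read(n)[:16]) for n in names}

def verify(disk, db):
    """Names whose current content no longer matches the recorded signature."""
    return [n for n, (size, h, _) in db.items()
            if len(disk.read(n)) != size or digest(disk.read(n)) != h]

def restore(disk, db, name):
    """Rebuild the pre-infection image: recorded head + body up to the recorded size.
    Writes only if the hash matches exactly, so nothing is guessed."""
    size, h, head = db[name]
    candidate = head + disk.read(name)[len(head):size]
    if digest(candidate) != h:
        return False
    disk.write(name, candidate)
    return True

def run_scenario():
    clean = {"GAME.COM": b"\xB8\x00\x4C\xCD\x21" + bytes(range(60)),
             "EDIT.COM": b"\xEB\x10\x90" + bytes(40)}
    disk = Disk({"GAME.COM": tamper_appending(clean["GAME.COM"]), "EDIT.COM": clean["EDIT.COM"]})
    disk.resident = True                          # booted from the infected drive
    db = secure(disk, clean)                      # IVB C: /S with the stealth virus active
    under_stealth = verify(disk, db)              # Bill's test result: everything "matches"
    disk.resident = False                         # clean boot from a write-protected floppy
    after_clean_boot = verify(disk, db)           # the appended bytes are now visible
    restored = all(restore(disk, db, n) for n in after_clean_boot)   # IVB C: /R
    return {"under_stealth": under_stealth, "after_clean_boot": after_clean_boot,
            "restored": restored, "final": verify(disk, db),
            "exact": disk.files["GAME.COM"] == clean["GAME.COM"]}
```

The same snapshot that reports "all files match" under stealth is what makes the later restore exact; this only holds for a full-stealth infector that leaves the original bytes recoverable, which is the limitation both posts turn on.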