VIRUS-L Digest   Wednesday, 22 May 1996   Volume 9 : Issue 76

Today's Topics:

Yisrael Radai dead at 63
Re: Word Macro Virus cleaner wanted
Re: Macro Viruses (Concept etc.)
Re: Rebooting, OSs...
Re: Rebooting, OSs...
Re: Rebooting, OSs...
Re: Rebooting, OSs...
Re: Rebooting, OSs...
Re: How can you tell a false positive from a REAL virus?
Re: Word Macro Virus cleaner wanted
Re: Scanner for DEC Alpha running NT (NT)
Evil Rabbit Appleshare file--a virus? (MAC)
Virstop problem with Win95 (WIN95)
Re: NAV95 Rescue Disk problems (WIN95)
Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)
Re: Sporadic system slow-downs virus related? (PC)
Re: Scanning Iomega Zip Drive (PC)
Re: Client based virus scanner for Lotus Notes ?? (PC?)
What's new in InVircible 6.11 (PC)
Re: Master Boot infections on Compaq / IBM systems (PC)
Print-Screen Boot Virus (PC)
TBAV false alarms in Acad13? (PC)
Re: NAV and F-PROT problems with NYB (PC)
Uneven Variant (PC)
Bios virus? (PC)
Monkey_B virus? (PC)
Re: Scanning Iomega Zip Drive (PC)
Smiley face virus? Dunno what it's called! (PC)
RE: MS anti-virus updates. (PC)
Re: Stealth_Boot_C - what does it do? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 21 May 1996 02:18:56 -0500 (EST)
From: "Rob Slade, doting grandpa of Ryan & Trevor"
Subject: Yisrael Radai dead at 63
X-Digest: Volume 9 : Issue 76

Virus Research Leader Dies

Yisrael Radai, a respected pioneer and leader in computer virus research, has died at the age of 63. Radai, a brilliant theoretician and careful scholar, had been an important contributor to the international virus research community since its inception, and will be missed. Computer virus research was only a small part of his work and interest in the field of computing, but his postings were important, insightful, and always accurate. His incisive and probing analysis of the faults in the Microsoft Anti-Virus is the last word on the subject.

According to a report from a CARO member in Israel, he died of a sudden and painless stroke. Remembered by friends as a lifelong learner and always interested in the new field, it is somehow fitting that he died as he was preparing to leave for the University where he worked. He is recalled by those who knew him as a friend, scholar, eager student, sharp wit, and mentor.

The virus research community is saddened by his loss, but the better for his having been a part of it.

======================
ROBERTS@decus.ca   rslade@vanisl.decus.ca   Rob_Slade@mindlink.bc.ca
The client interface is the boundary of trustworthiness - T.
Buckland
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Mon, 20 May 1996 08:02:40 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Word Macro Virus cleaner wanted

Iolo Davidson wrote:

> kurtzhal@wrcs3.urz.uni-wuppertal.de "Stefan Kurtzhals" writes:

>> Yes, -TOO- generic. IVX had 100% false positives here on my system with
>> all antivirus-macros like SCANPROT, lots of regular tool macros and
>> others.

>> IVX also fails to detect macros in DOC files larger than 500 KB. It missed
>> 50 Concept samples in such large files. You have to redesign IVX I think.

> Oh, no! Does this mean that Invircible will have to have another
> (GASP!) update?

That won't be necessary as IV works fine in all instances mentioned by Mr. Kurtzhals. It's blatant disinformation. As an ex technical reporter and an ex programmer for S&S, I would think you are capable of assessing the credibility of what you quote. You could for example check IVX with SCANPROT.DOT as the latter is available to all. IVX does not false alarm. The rest of Mr. Kurtzhals' claims are as true as this one. BTW, did you try his MEGATEST boobytraps? :-)

--------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Mon, 20 May 1996 07:31:26 -0400
From: Scott Hessel <73410.3155@compuserve.com>
Subject: Re: Macro Viruses (Concept etc.)

CLAYTON E RUTH wrote:

> My primary problem with Word Macro viruses is getting them out of
> cc:Mail file attachments. I look forward to the day (hopefully soon?)
> when one of the many AV developers out there comes up with something
> that will intercept them and clean them up as they pass from cc:Mail to
> Word when the user double-clicks the attachment. It would be even better
> to back-feed the cleaned-up document into cc:Mail so that the infected
> document can't be forwarded to someone else. I can't trust users to
> assume the responsibility of cleaning documents themselves; I want to
> automate it as much as possible.

Not that I'm plugging any one brand, but I just received a snail-mail flyer from ON Technology that boasts a MS Word DLL that runs a real-time AV check against macro viruses. Maybe they've got the right idea, although I can see it potentially dragging down the performance of the system. I just sent away for a 30-day eval of the product. What the heck. It's worth a look . . . .

-Scott Hessel
-- "I have seen ducks, therefore I am grown up." -Ali, age 2 (my daughter)

------------------------------

Date: Mon, 20 May 1996 08:23 +0000 (GMT)
From: CLAYTON E RUTH
Subject: Re: Rebooting, OSs...

> First off, do you really have to turn off the computer instead of
> rebooting when you think/know you have a virus and want to boot from a
> floppy? I mean, doesn't a warm boot clear the entire memory banks?

It all depends on the virus. In most cases you're correct; however, some viruses intercept the system reboot vectors so that they can remain active through the reboot process. The safest thing to do is power down; no virus can survive that.

> A friend once got the Ripper virus on his machine...Cleaned it and
> the hundreds of floppy disks, then ran NDD on the hard drive to check
> for errors (F-PROT said it corrupts approx. 1 in every 1000 disk
> writes), but found none whatsoever. Anybody know why?

NDD can't detect a deliberately corrupted file.
It checks for allocation errors, which typically occur if the system hangs after a disk write but before the associated file is closed (e.g., while temporary files are open) or when a write-back disk cache gets tripped up. Ripper deliberately interchanges a couple of words in the data buffer before it is written; this invalidates the file without causing allocation errors. The damage is very difficult to detect because no software could possibly know what was supposed to be in your file. All files created or updated during a Ripper attack should be regarded with suspicion.

Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
http://www.slchicago.com
Clayton.E.Ruth@SLChicago.Infonet.com

[Moderator's note: Further to Clay's (and Iolo's earlier) response, it is possible that NDD may fix -some- of Ripper's handiwork, as Ripper is not at all choosy about which writes it swaps bytes on. Thus, some FAT and directory writes can be corrupted by Ripper and should be detected (and may be fixed) by utils like NDD.]

------------------------------

Date: Mon, 20 May 1996 14:18:18 +0000 (GMT)
From: Wolfgang Weisselberg
Subject: Re: Rebooting, OSs...

bluefox@easynet.on.ca, who is called Jad wrote one day:

> Hello all. I have been reading a lot in this mailing list for a while, and
> it seems there are quite a few people who know what they are talking
> about.
> Anyway, I wanted to ask a few questions.
> First off, do you really have to turn off the computer instead of
> rebooting when you think/know you have a virus and want to boot from a
> floppy? I mean, doesn't a warm boot clear the entire memory banks? And a
> cold boot should do it for sure. I once downloaded a program, and for some

Surviving a warm boot is NO problem. A power off cannot be confused with a warm boot (a cold boot can). There are computers (I know at least one model first-hand) that have no reset button.
> reason ran a BBS and program before scanning all the files. I then ran
> TBAV and it said it was possibly infected. I did a warm reboot, cleaned
> the Tai-pan virus from TBSCAN and the BBS ad with no problem(using my
> second scanner, F-PROT). Any comments?

Some viruses do not survive a warm boot, some do. If they do they DO often hide from (almost) all scanners, including TBAV, F-PROT (very easy!), etc.

> Also, how are operating systems like Unix, OS/2(using the HPFS file
> system) with viruses? Are they more "immune" to viruses than the DOS and
> Win/Win95 operating systems?

It's not as easy. The protection against unauthorized users works and you (almost) never get the executable. You get the source code instead. Finally, it's not as tempting - you cannot just format the HD like you can with DOS.

> A friend once got the Ripper virus on his machine, which was not detected
> by CPAV, MSAV(yuck), or NAV until I thought of giving him some real
> scanners. We run them just for fun, and TBAV found the Ripper virus in the
> boot sector. Cleaned it and the hundreds of floppy disks, then ran NDD on
> the hard drive to check for errors(F-PROT said it corrupts approx. 1 in
> every 1000 disk writes), but found none whatsoever. Anybody know why?

Because 'corrupt' here means 2 bytes are switched. Like this:

Original: Because 'corrupt' here means 2 bytes are switched.
Ripper:   Because 'corrupt' he2e means r bytes are switched.

See? Without a checksum you will not find the change - not in an executable. But slowly the programs get buggy - and tend to crash. Reinstallation is your only hope.

> Last thing. Would it be possible to write software to make the partition
> (MBR) table and boot sector "read only"? If so, would it be easy for
> viruses to defeat the software protection?

Every software can be overwritten with software. It might not be very easy, but it can be done. (Like stealth and anti-stealth.) Have a look at the bootsector-protection TBAV can install.
-Wolfgang
-- "finger weissel@moon.ph-cip.uni-koeln.de" for my PGP-Key, or mail me.
Verbietet Autos, Geiselgangster koennten damit fluechten!
Outlaw cars, kidnappers might use them to escape!

------------------------------

Date: Mon, 20 May 1996 19:45:23 +0000 (GMT)
From: Tom Simondi
Subject: Re: Rebooting, OSs...

Jad penned:

> First off, do you really have to turn off the computer instead of
> rebooting when you think/know you have a virus and want to boot from a
> floppy? I mean, doesn't a warm boot clear the entire memory banks? And a
> cold boot should do it for sure.

You should clear memory before attempting any anti-virus work (OK, there are a few exceptions, let me make the point please). A warm boot does not clear memory. Indeed, there are a number of viruses that trap the Ctrl-Alt-Del keystroke combination and simulate a warm boot. So, if you are infected with one of these and "warm boot" you continue to be infected even though you think you restarted the computer. A cold boot does clear memory and the most effective way to cold boot is to turn the computer off, count to ten, and then turn it back on (the ten count helps with some older model power supplies).

Now, before I get a comment on it, on many computers pressing the reset button has the same effect as turning the computer off/on. The trick here is to watch when you press the button. If the BIOS forces a full memory check (i.e., you can watch the numbers cycle through your full memory a couple of times) then you can safely assume you've cold booted. If you don't see the memory check, then I'd power cycle to make certain.

> I once downloaded a program, and for some
> reason ran a BBS and program before scanning all the files. I then ran
> TBAV and it said it was possibly infected. I did a warm reboot, cleaned
> the Tai-pan virus from TBSCAN and the BBS ad with no problem(using my
> second scanner, F-PROT). Any comments?

You got lucky.
> Also, how are operating systems like Unix, OS/2(using the HPFS file
> system) with viruses? Are they more "immune" to viruses than the DOS and
> Win/Win95 operating systems?

Good news and bad news: The good news is that they are somewhat more secure, but not completely and can be infected. The bad news is that some older (buggy) viruses will really mess up some of the newer systems when they attempt to infect them.

> A friend once got the Ripper virus on his machine, which was not detected
> by CPAV, MSAV(yuck), or NAV until I thought of giving him some real
> scanners. We run them just for fun, and TBAV found the Ripper virus in the
> boot sector. Cleaned it and the hundreds of floppy disks, then ran NDD on
> the hard drive to check for errors(F-PROT said it corrupts approx. 1 in
> every 1000 disk writes), but found none whatsoever. Anybody know why?

I'm a bit surprised NAV did not detect the Ripper virus. Copies of NAV I have will do so. Ripper will corrupt data on the disk, about 1 out of 1000 disk writes, by reading through the disk and after every 1024 bytes switching the next two bytes around. If those two bytes are not in a location where there is a file, then no damage is done. Or, OTOH, there may be some corrupted files on the system but he just hasn't found them yet (e.g., in a program or data file he doesn't access often or in a part of a program that is not executed often).

> Last thing. Would it be possible to write software to make the partition
> (MBR) table and boot sector "read only"? If so, would it be easy for
> viruses to defeat the software protection?

Most anything written in software can be gotten around by software.

=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://www.slonet.org/~tsimondi/ck.htm -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Tue, 21 May 1996 04:43:55 +0000 (GMT)
From: "Michael J. Shepherd"
Subject: Re: Rebooting, OSs...
In a previous article, bluefox@easynet.on.ca (Jad) says:

> First off, do you really have to turn off the computer instead of
> rebooting when you think/know you have a virus and want to boot from a
> floppy? I mean, doesn't a warm boot clear the entire memory banks? And a
> cold boot should do it for sure. I once downloaded a program, and for some
> reason ran a BBS and program before scanning all the files. I then ran
> TBAV and it said it was possibly infected. I did a warm reboot, cleaned
> the Tai-pan virus from TBSCAN and the BBS ad with no problem(using my
> second scanner, F-PROT). Any comments?

Well, it is a good idea to power the computer down before booting from a floppy when the PC is infected. CTRL-ALT-DEL does not clear the memory banks completely (trust me, I know), a RESET should, but doesn't always, and a power down does.

> Also, how are operating systems like Unix, OS/2(using the HPFS file
> system) with viruses? Are they more "immune" to viruses than the DOS and
> Win/Win95 operating systems?

Not sure. Anyone else care to comment?

> A friend once got the Ripper virus on his machine, which was not detected
> by CPAV, MSAV(yuck), or NAV until I thought of giving him some real
> scanners. We run them just for fun, and TBAV found the Ripper virus in the
> boot sector. Cleaned it and the hundreds of floppy disks, then ran NDD on
> the hard drive to check for errors(F-PROT said it corrupts approx. 1 in
> every 1000 disk writes), but found none whatsoever. Anybody know why?

CPAV, MSAV are really shitty scanners. Why they were even produced I don't know. NAV is okay. I've used the Win95 version to clean floppies of one particular virus (can't remember the name) by just accessing the floppy. NAV would then find the virus and at my command remove it.

> Last thing. Would it be possible to write software to make the partition
> (MBR) table and boot sector "read only"? If so, would it be easy for
> viruses to defeat the software protection?
Um, go look at On-Track's Disk Manager. You can lock partitions with that.

-- Mike Shepherd (aka: the Sheepster)
If you're ever in trouble on the water, the first thing you'll see is a bunch of maniacs in a rubber boat, comin' for to carry you home.

------------------------------

Date: Mon, 20 May 1996 17:24:08 +0000 (GMT)
From: George Wenzel
Subject: Re: Rebooting, OSs...

In article <0005.01I4XSHCJYIMSKYVA0@csc.canterbury.ac.nz>, Jad wrote:

> Anyway, I wanted to ask a few questions.

I'll do my best to give you some answers. :-)

> First off, do you really have to turn off the computer instead of
> rebooting when you think/know you have a virus and want to boot from a
> floppy? I mean, doesn't a warm boot clear the entire memory banks?

Theoretically, yes, but keep in mind that the keyboard input is interpreted by the computer before it is executed, and that includes control-alt-delete. Some viruses actually do intercept these keys, and they don't get cleared from memory if control-alt-delete is used, since they intercept the commands. A cold boot only takes a few seconds more, and is much safer.

> And a
> cold boot should do it for sure. I once downloaded a program, and for some
> reason ran a BBS and program before scanning all the files. I then ran
> TBAV and it said it was possibly infected.

TBAV says a lot of things are 'possibly infected' - its heuristic analysis does have a lot of false alarms.

> I did a warm reboot, cleaned
> the Tai-pan virus from TBSCAN and the BBS ad with no problem(using my
> second scanner, F-PROT). Any comments?

Basically, it depends on what virus you have. I'd suggest cold-booting all the time, since it is somewhat simpler than saying 'you can warm boot, unless you have xxx and yyy and zzz viruses'. A cold boot is considerably safer, and not that much harder to do.

> Also, how are operating systems like Unix, OS/2(using the HPFS file
> system) with viruses?
> Are they more "immune" to viruses than the DOS and
> Win/Win95 operating systems?

That depends on the viruses. Boot sector viruses can infect any system with both a floppy and a hard drive, so the OS doesn't matter that much. File viruses are a bit more tricky, but OS/2 can be infected by quite a lot of DOS viruses. Unix is considerably safer from viruses, but boot sector viruses can still infect a Unix system.

> A friend once got the Ripper virus on his machine, which was not detected
> by CPAV, MSAV(yuck), or NAV until I thought of giving him some real
> scanners.

CPAV and MSAV are pitiful. NAV isn't too bad, providing it is updated a lot.

> We run them just for fun, and TBAV found the Ripper virus in the
> boot sector. Cleaned it and the hundreds of floppy disks, then ran NDD on
> the hard drive to check for errors(F-PROT said it corrupts approx. 1 in
> every 1000 disk writes), but found none whatsoever. Anybody know why?

Not every disk write that is corrupted will show up with NDD, and it depends on how many disk writes you had. 1 in 1000 isn't too bad a probability, so you probably just didn't get any corruption, or NDD didn't detect the corruption.

> Last thing. Would it be possible to write software to make the partition
> (MBR) table and boot sector "read only"? If so, would it be easy for
> viruses to defeat the software protection?

Viruses can basically defeat any software method of protection, since viruses can do pretty much what any other software can do. That's why scanners always (hopefully, depends on the scanner) scan memory before scanning the disk. Making the MBR invincible from all pure boot sector viruses isn't too hard - just enter the BIOS setup, and make the boot sequence C: before A:, or C: only. That way, you can never start the computer from an infected floppy, so you can't get a pure boot sector virus (multipartite viruses are a little different, though).

> That's all for now. :) I hope to get active in this mailing list, it
> looks interesting.
You might want to also check out the newsgroup counterpart, comp.virus. Alt.comp.virus is interesting too, but some of the threads get just a tad off topic.

Regards,
George Wenzel

 |\      _,,,--,,_  ,)          George Wenzel
 /,`.-'`'   -,  ;-;;'           Student of Wado Kai Karate
|,4-  ) )-,_ ) /\               University of Alberta Karate Club
<---''(_/--'  (_/-'             http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Tue, 21 May 1996 03:00:09 -0400
From: Bill lambdin
Subject: Re: How can you tell a false positive from a REAL virus?

Anthony Pfrunder writes

> If Scan reports an infection of the Bandit virus just after running
> tbscan (or any of the other tb utilities) then it is a false alarm.

This doesn't mean a false alarm. It could be a false alarm, and it could be you have a virus that scan did not detect. I have about 100 viruses that Scan did not detect in my last test that were real viruses, and detected by AVP, F-Prot, and TBAV.

Bill Lambdin
--------------------------------------------------------------------------
vfreak@skn.net                    PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                         C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 21 May 1996 10:57:56 +0200
From: Stefan Kurtzhals
Subject: Re: Word Macro Virus cleaner wanted

> > Yes, -TOO- generic. IVX had 100% false positives here on my system with
> > all antivirus-macros like SCANPROT, lots of regular tool macros and others.
>
> I just tested IVX on three versions of SCANPROT that I have, no false
> alarm.

I downloaded the shareware version 6.11a. If you use a newer, improved version, this can be true of course. So, if you have improved IVX, when do you release INV611B.ZIP ?

> > missed 75% of all trojans. You just have to use other macros than AutoOpen
> > and FileSaveAs to fool IVX. A -very- weak protection!
>
> Thanks for the suggestions but you got it all wrong.
And why did IVX miss macro viruses which use "DateiSpeichernUnter" instead of FileSaveAs? Or why did IVX miss Macro.Trojan.FormatC when you change the AutoOpen to AutoClose? It also reports WWAMK, AVPWW, SCANPROT and others. They all contain suspicious macros, so because IVX is generic, it SHOULD detect the Auto* macros inside. Think about a trojanized version of SCANPROT! Please send me a newer version of IVX and I will test it and will post the results here.

> > IVX also fails to detect macros in DOC files larger than 500 KB. It missed
> > 50 Concept samples in such large files. You have to redesign IVX I think.
>
> I checked IVX against Concept on huge docs (Eudora's - about 1.5 meg - and
> my own product's manual). IV both found Concept and cleaned it like a
> charm.

Well, the 2 MB test file I used is a regular infected Concept bait file. The virus is detected by F-PROT, TBAV, SCAN and FINDVIRUS. But IVX doesn't detect it. I can't say more about it. If you say I'm wrong, I must be wrong. :-)

> Are you by any chance the same Stefan Kurtzhals that authored the MEGATEST
> boobytraps? (Crypt newsletter #35, interesting reading!).
>
> I am not familiar with German law, so can you please enlighten us what it
> says about writing destructive code and giving it to others, without
> warning them of its destructive nature?

Before you go on with claiming things which are not true let me say something about it. When I stumbled over this MSDOS bug I tested several AV programs against it. INVIRCIBLE heavily relies on booting from a clean system disk in such cases (when the system can't be booted from HD anymore). I contacted Rob Casas and told him about that but he said that INV doesn't have problems with this.
I sent him a test file which installs the bug into the MBR, but I told him to:

a) be careful with the program and backup the zero track
b) keep an IBM-DOS bootdisk at hand (this is the easiest way to bypass the bug)

I don't know why Rob (and now you) claim that I didn't warn him or why he chooses to ignore my warnings. I sent a warning, that's all I can say about this. I sent Rob Casas the file in order to help him (and you) improve INVIRCIBLE. No one here wants to make INV look bad, but I think you exaggerate a little bit with your claim that it's a 100% protection against ALL viruses and that it doesn't need regular updates.

I thought you were a reasonable AV developer who can be talked to, but this reply from you shows something different. I read the mail war between you and Vesselin Bontchev some time ago, and this looks like the same. I think this is a very strange behaviour for a PROFESSIONAL AV developer. When I talk to other AV developers I don't have problems. We exchange news, information, warn about bugs in the programs but all in a very relaxed and friendly way. Why is this not possible with you? :-( I'm in no way a competitor to you! So why do you get so upset this way?

> The seriousness of the above is that it seeds ideas to virus writers for
> an extremely problematic payload for their viruses. Crypt newsletter #35
> quotes Kurtzhals for bragging on his affiliation with VLAD, a virus writer
> group.

The quote in CRYPTLETTER was ripped out of my mail in a totally wrong way. Is EVERYONE who reads #virus on IRC affiliated with VLAD? Oh, I saw Mikko Hypponen and other AVs there, of course they are all affiliated with VLAD according to your conclusion... And after all, if some virus coders now use this bug you can blame CRYPTLETTER for explaining it in such detail. Great job! :-(

> > *** F/WIN - HEURISTIC VIRUS DETECTION AND REMOVAL ***
>
> Be at rest Mr. Kurtzhals, I have no intent to check for the flaws in your
> product. Not worth my time.

Oh, you don't have to test.
The way you seem to test is not the way I want to test AV programs which get sold. AV is just a hobby for me, and I don't want to claim wrong things about my program and I don't want to make money out of the fear of the people.

bye,
Stefan Kurtzhals

------------------------------

Date: Mon, 20 May 1996 08:02:49 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Scanner for DEC Alpha running NT (NT)

Ben Danielson wrote:

> My university has a number of DEC Alpha servers running Windows NT. I am
> finding that most scanner software works well on an Intel based system,
> but not on our Alphas (sorry, I just dont know the right lingo for the
> Alpha chipset). I am hoping that someone might be able to help me with:
>
> 1. Is there a product that has been tested and proven to work in this
> environment?

InVircible 6.11 works on PowerPC / NT. It should work just the same on DEC's Alpha. As long as you can run a DOS compatible mode (NT's command prompt, for example) then InVircible will do the job. The very same version of IV works directly under DOS, Windows 3.x, Win 95, NT and OS/2. You can install InVircible centrally, to all workstations / clients from the server(s).

> 2. Do any of the major AV products (Norton,McAfee,FProt,or Dr.Solomon)
> plan on addressing this compatibility issue in the near future?

I read that S&S are to release their NT version in July. Others should (or already) have dedicated versions for NT. If you have diversified platforms and environments then a standardized AV like InVircible could better suit your needs.

> We dont have a huge computer base, but we are looking for something that
> works before we commit to a site license for 1000 PC and 12 NT servers.

You have 30 days for a free trial of IV before you commit anything except time. Please contact me via e-mail if interested.
Regards, Zvi

--------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/   ftp.invircible.com   CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il   netz@invircible.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Mon, 20 May 1996 23:15:13 +0000 (GMT)
From: Richard C Garella
Subject: Evil Rabbit Appleshare file--a virus? (MAC)

On our network of Macintoshes, strange things have been afoot: crashes, network problems and more. I found on the desktop of each of the Macs an invisible file called Appleshare PDS, with an evil-looking rabbit, wearing sunglasses, as its icon; this file cannot be trashed (in use). On the worst-affected machine there was also a file with the same icon, in the System/Prefs/File Sharing folder; that file was named with a fragment of text. Both files, when pried open with Norton Disk Editor, contained fragments of recently used documents. Neither Disinfectant 3.6 nor SAM detects these files.

As we are located in Cambodia, and I cannot access the usenet or this account after this Friday when I return there, please e-mail any information to aafc@pactok.peg.apc.org, with FOR RICH as the subject. Please, no advertising or lengthy text because our store-forward e-mail is very limited--but I do appreciate any help.

-- Rich Garella *********** garella@libertynet.org *********** Philadelphia

------------------------------

Date: Mon, 20 May 1996 12:16:16 +0000 (GMT)
From: MIKE EVANS
Subject: Virstop problem with Win95 (WIN95)

Could anyone suggest why VirStop (F-PROT 2.22) conflicts with Win95? A virus error is generated, I think by Win95, which claims VirStop is the culprit. Are there any ways to avoid this, other than not using VirStop?
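Several replies in the "Rebooting, OSs..." thread above (Clay Ruth, Wolfgang Weisselberg, Tom Simondi and George Wenzel) make the same point about Ripper: a disk checker like NDD verifies allocation structures, not file contents, so a virus that quietly swaps two bytes in a write buffer leaves nothing for it to find, and only a checksum taken before the damage can show it. The following is an added example to make that concrete; it is not code from any poster or product named in the digest. It builds a toy block device with a Ripper-like write hook, a FAT-like allocation table with an NDD-style structural check, and a SHA-256 manifest taken from the data before it goes through the write path. The corruption rule (swap one adjacent byte pair in the middle of every `interval`-th sector write), the file names and the file contents are all constructed here; the real virus picks its writes pseudo-randomly at roughly 1 in 1000.

```python
"""Added example: why an allocation-structure check misses Ripper-style
byte swapping while a content hash taken beforehand catches it.
Not code from any VIRUS-L poster; the disk, the file system and the
corruption rule are this example's own simplifications."""
import hashlib

SECTOR = 512


def ripper_swap(buf, k):
    """Swap the byte pair at offsets k and k+1 of buf and return the result.
    This is the whole of the simulated damage: no allocation structure is
    touched, only two bytes of payload change places."""
    out = bytearray(buf)
    out[k], out[k + 1] = out[k + 1], out[k]
    return bytes(out)


class Disk:
    """Toy block device.  With `infected` set, every `interval`-th sector
    write passes through ripper_swap() before it lands: a deterministic
    stand-in for the roughly 1-in-1000 pseudo-random hits the thread
    describes.  `hit_lbas` records where the damage went, purely so the
    demo can compare it with what the checks below report."""

    def __init__(self, sectors, interval=1000):
        self.blocks = bytearray(sectors * SECTOR)
        self.infected = False
        self.interval = interval
        self.writes = 0
        self.hit_lbas = []

    def write(self, lba, buf):
        assert len(buf) == SECTOR
        self.writes += 1
        if self.infected and self.writes % self.interval == 0:
            buf = ripper_swap(buf, SECTOR // 2)
            self.hit_lbas.append(lba)
        self.blocks[lba * SECTOR:(lba + 1) * SECTOR] = buf

    def read(self, lba):
        return bytes(self.blocks[lba * SECTOR:(lba + 1) * SECTOR])


class ToyFS:
    """Minimal stand-in for FAT: an allocation table name -> (size, [lbas])."""

    def __init__(self, disk):
        self.disk = disk
        self.table = {}
        self.next_free = 0

    def write_file(self, name, data):
        n = (len(data) + SECTOR - 1) // SECTOR
        lbas = list(range(self.next_free, self.next_free + n))
        self.next_free += n
        padded = data.ljust(n * SECTOR, b"\0")
        for i, lba in enumerate(lbas):
            self.disk.write(lba, padded[i * SECTOR:(i + 1) * SECTOR])
        self.table[name] = (len(data), lbas)

    def read_file(self, name):
        size, lbas = self.table[name]
        return b"".join(self.disk.read(lba) for lba in lbas)[:size]

    def structural_check(self):
        """What an NDD-style tool verifies: the allocation structures,
        never the file contents.  Returns a list of problems found."""
        seen, problems = set(), []
        for name, (_, lbas) in self.table.items():
            for lba in lbas:
                if lba in seen:
                    problems.append(f"{name}: sector {lba} cross-linked")
                if (lba + 1) * SECTOR > len(self.disk.blocks):
                    problems.append(f"{name}: sector {lba} out of range")
                seen.add(lba)
        return problems


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(contents):
    """Hash what the application intends to write, taken before the data
    enters the (possibly hooked) disk write path."""
    return {name: sha256(data) for name, data in contents.items()}


def verify_manifest(fs, manifest):
    """Read every file back and return the names whose hash changed."""
    return sorted(name for name, digest in manifest.items()
                  if sha256(fs.read_file(name)) != digest)


def ripper_demo(n_files=40, interval=25):
    """Write n_files 1 KB files through an infected disk.  Returns
    (structural problems, files flagged by the manifest, tampered LBAs)."""
    disk = Disk(sectors=1024, interval=interval)
    fs = ToyFS(disk)
    # Constructed sample data: each file is exactly two sectors of text.
    contents = {f"FILE{i:03d}.TXT": (f"record {i:03d}\n".encode() * 100)[:1024]
                for i in range(n_files)}
    manifest = build_manifest(contents)
    disk.infected = True
    for name, data in contents.items():
        fs.write_file(name, data)
    return fs.structural_check(), verify_manifest(fs, manifest), disk.hit_lbas


if __name__ == "__main__":
    problems, flagged, hits = ripper_demo()
    print("structural check:", problems or "no errors (NDD would be happy)")
    print("manifest mismatches:", flagged)
    print("sectors actually hit:", hits)
```

Two things worth noticing when running it. The structural check comes back clean no matter how many writes were hit, because every sector is still allocated exactly once; only the manifest names the damaged files. And the manifest is only worth anything if it was taken from data the virus never touched, which is why the thread's advice to power down and boot from a clean floppy before any anti-virus work applies to integrity checkers too: a baseline taken on an already infected machine blesses the corruption. Tom Simondi's remark that a hit in unallocated space does no harm also holds here; the demo's files fill their sectors exactly so that every hit is visible.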
------------------------------

Date: Mon, 20 May 1996 08:31:12 -0500
From: maciej.tasz@mixcom.com
Subject: Re: NAV95 Rescue Disk problems (WIN95)

David Lazarus wrote:

> I upgraded my NAV95 virus listing with the May 1996
> list. Since I did this my system fails with a
> message "The virus was found in memory". I was
> running NAV 95 without the latest updates. Somehow
> a memory area virus found its way onto my system
> and only the May 1996 updates detected it.
>
> But the rescue disk is helpless. I updated it from
> a clean system and booted on the infected system
> with it, but after putting the second diskette in
> and running NAVBOOT it halts the system with the
> same message.
>
> Can anyone help? I am currently going to try
> mcafee.

I solved my problem! I really had a Ripper virus, in my partition sector (I am running a Disk Manager to handle the 1Gb drive). Neither NAV 95 nor McAfee could help: they recognized the virus, but did not repair the disk. The package which helped was Dr Solomon's stand-alone DOS module. This package not only recognized the virus, but also fixed the problem. After that, all three programs are happy with my disk. Dr Solomon's DOS scanner is the only part of the package that was available for free evaluation from http://www.drsolomon.com.

Maciej.

------------------------------

Date: Mon, 20 May 1996 11:40:46 +0000 (GMT)
From: Pavel Machek
Subject: Re: NYB, Form, or Stoned Virus Physically Damages HD? (PC)

Ken Stieers (kstieers@ontrack.com) wrote:

: Chris,
: NONE of these viruses damage the hard drive physically, in fact I'm fairly
: confident in saying that NO KNOWN virus damages CURRENT hardware within
: the last 2 years or so. (this also means the old wheeze about blowing up
: old monitors with new video cards set to high refresh rates. Old monitors
: aren't current.)
Chances are that NDD trashed the MBR and or boot sector : since the only thing it had to go on that wasn't virus affected would be : CMOS. NDD checks the CMOS, partition table and boot sector of the first : partition and they all have to match, though each holds slightly different : info. None of yours matched so NDD choked on it. Get someone who knows : how to deal with low level dos structures to rebuild the MBR and BPB (boot : sector) and you'll be fine. Heck, Norton's over the phone data recovery : might be able to do it for you (about $100/hr, I think). You should know, that if partition table is bad in very special way, then it is impossible to boot dos even from floppy. Try linux instead. BTW (I see poster is from ontrack). May you contact me via e-mail, please? - - This looks like my signature... Pavel Machek If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296. ------------------------------ Date: Mon, 20 May 1996 11:31:42 +0000 (GMT) From: Pavel Machek Subject: Re: Sporadic system slow-downs virus related? (PC) X-Digest: Volume 9 : Issue 76 James R. Mac Donald (jrmd@thehole.win.net) wrote: : Further to my previous post, another friend seems to be having the following : problem lately: : In performing simple, rudimentary tasks (i.e. dos edit from within : Windows, being in Netscape, running Windows Apps, etc.) his system : "hangs" for approx. 30 to 60 secs. After this time, he then audibly will : hear the hard drive engage and he'll be free to continue his processes. : Does anyone know of a virus that would simulate this scenario? We tried : running thru a recent log file of possible virii, but we didn't see one : that accomplishes a momentary "hang". Netscape is program with too many bugs. Also, some power-saving can do such things. (When you turn on power saving on harddrive, you'll get something similar. But you can HEAR it.) Does it happen when not running Windoze? - - This looks like my signature... 
Pavel Machek If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296. ------------------------------ Date: Mon, 20 May 1996 14:25 +0000 From: Graham Cluley Subject: Re: Scanning Iomega Zip Drive (PC) X-Digest: Volume 9 : Issue 76 In-Reply-To: <01I4TYX3P7FWSKYVA0@csc.canterbury.ac.nz>, GUY NOCE/COMPUTING AND NETWORK SERVICES/X-3956 writes: > In any case, I reiterate my question: Can Iomega's Zip Drive be > scanned? Dr Solomon's Anti-Virus Toolkit can certainly do this. I know at least one other anti-virus product which seems to have a problem however. Regards Graham - -- Graham Cluley CompuServe: GO DRSOLOMON Senior Technology Consultant, UK Support: support@uk.drsolomon.com Dr Solomon's Anti-Virus Toolkit. US Support: support@us.drsolomon.com Email: gcluley@uk.drsolomon.com UK Tel: +44 (0)1296 318700 Web: http://www.drsolomon.com USA Tel: +1 617-273-7400 ------------------------------ Date: Mon, 20 May 1996 15:35:53 +0200 From: Mikael Albrecht Subject: Re: Client based virus scanner for Lotus Notes ?? (PC?) X-Digest: Volume 9 : Issue 76 Anders Storm wrote: > Does anybody know of any virus protection products that are client based > for Lotus Notes? > > It should be able to scan for virus in file attachments before they are > detached or lunched, preferably it should be able to use any virus- > scanners available on the market (e.g. McAfee, Dr. Solomon's). > > Anders Storm Any memory resident scanner (or VxD under Windows) will do. WinGuard included in Dr. Solomon's Anti-Virus Toolkit, for example, catches viruses when the client software writes it to a file on the local disk (make sure you use the "Scan on writes" option). This works the same way regardless of the used client software, for example Notes, Netscape or MS-Mail. This solution can't find a virus when it is stored inside the used system, but catches it as soon as the client extracts it, and prevents any system from running/opening the file. 
This solution is of course harder to install than a system running on your server. You have to install this solution on every workstation, but there are also other good reasons to use a solution like this.

More info: http://www.drsolomon.com http://www.qainfo.se

Mike

- -
Mikael Albrecht http://www.lanvision.fi/mikke/contents.htm
LAN Vision Oy - Dr. Solomon's Anti-Virus, Utimaco security
Welcome to visit us at: http://www.lanvision.fi/
Utilities for AV & security: ftp://ftp.lanvision.fi/

------------------------------

Date: Mon, 20 May 1996 16:56:34 +0300
From: Zvi Netiv
Subject: What's new in InVircible 6.11 (PC)
X-Digest: Volume 9 : Issue 76

The following improvements were introduced in the new InVircible version:

Version 6.11 automatically adapts to the operating system running on your machine. IV now directly functions in every environment and on every platform that can run in DOS compatibility mode. These include DOS from version 3.30, Windows 3.x, Windows 95, Windows NT and OS/2, Intel based machines as well as PowerPC, running under NT 3.51 and 4.0.

An on-line hypertext user's guide for Windows was added with version 6.11. The file's name is IVMANUAL.HLP and it can be added as an icon on the Windows desktop, for quick reference. IV's winhelp contains screen captures and detailed procedures and tips. You can produce a formatted hard copy of selected topics from the IV manual, through Windows Print Manager.

Version 6.11a has a generic "Word Macros" mode added to IVX. The latter will detect forced macros in Word documents and templates and CLEAN them on request. Furthermore, you can use IVX in batch mode for handling macro viruses and the new INSTALL program can edit the test for macro malware right into the autoexec (see below).

Attention network administrators! The new Word Macro mode in IVX has provisions for testing a workstation's integrity right at logging in to the network. Affected workstations can now be spotted right as they log in and refused access to the network. For details see appendix G in the DOS online hypertext, or search for "macro" in the Windows IV manual.

The editing of the Bios Parameter Block (BPB) of logical drives' boot sectors was added to ResQdisk. This facilitates the recovery of hard drives with non-standard configurations such as Compaq models and multiple partitions with dynamic boot overlay drives (DDO), as well as NT servers and workstations.

Batch processing of floppies with the IVX correlator was added. The IVX correlation-scan parameters need to be entered just once to process floppies in bulk.

New IVLOGIN /Q switch. When run with the /Q switch, IVLOGIN will query the workstation whether the daily integrity check (IVB DAILY) did run. IVLOGIN returns an errorlevel 0 if the test was run and 1 otherwise. The integrity query switch can be used by network administrators to refuse access to users that disabled the IV daily integrity check.

The memory stealing alert was modified to a threshold of 7 Kbytes for drives using dynamic boot overlay (DDO), thus eliminating the nagging message resulting from this source. The "dynamic boot driver" message related to Ontrack's DM and MicroHouse EZ-Drive was removed from IVINIT.

Windows 95 enables booting to DOS by swapping and renaming the system files (IO.SYS and MSDOS.SYS). As a result, IVB reported changes every time the computer was booted to a different OS from the previous one. IVB now identifies legitimate swapping between Win 95 and previously installed DOS.

The INSTALL program menus were changed for the user's convenience. The main functions were moved to the first level menu (the default). INSTALL's default options are now: installation, the preparation of the rescue diskette, installation or retraction of the license registration, installation or removal of IVTEST in / from batch files, and removal of IV related files (*.NTZ and signatures). The on-line registration is now assigned to F10 and was removed from the menus. On-line help is now accessed through F1, as is the standard in most software.

Where Winword is found in the search path, the user will be prompted whether to include the Word templates integrity check against macro malware in the autoexec. The templates test is extremely fast, it takes just a few seconds and is highly recommended.

InVircible is available from the vendors' sites on the Internet, from Compuserve (go invircible) and from AOL.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
http://invircible.com/ ftp.invircible.com CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@invircible.com Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Mon, 20 May 1996 16:57:11 +0000 (GMT)
From: "John A. Beach"
Subject: Re: Master Boot infections on Compaq / IBM systems (PC)
X-Digest: Volume 9 : Issue 76

In article <0030.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz>, vissj@gww.nl says...

>- Why the diagnostic partition? It appears that normally it can only be
>activated by running programs from a diagnostic diskette. In that case you
>can do all diagnostics running from diskette.

The diagnostic partition allows diagnostics access by pressing when the small rectangle in the top right corner of the screen flashes during bootup (without the diskettes).

- - - --------------------------------------------------------------------
John A. Beach * St. Petersburg, Florida, USA.
GCM/CS d++(+) s+: C+++ US++++ P+ L+ E- W+(++) N++ K?
w+(++) O !M V- PS+ PE++ Y+(++) PGP t+(++) 5+++ X++ R- tv b+ DI++ D+ G++ e++ h+ r y

------------------------------

Date: Mon, 20 May 1996 22:56:54 +0530 (IST)
From: Priyanka Grover
Subject: Print-Screen Boot Virus (PC)
X-Digest: Volume 9 : Issue 76

My PC has got infected with the Print Screen boot virus. F-Prot detects it but is not able to remove it. I would like to have pointers to the solution for this virus.

Thanks,
Priyanka Grover
Project Engineer
Indian Institute of Technology, Bombay.

------------------------------

Date: Mon, 20 May 1996 17:32:16 +0000 (GMT)
From: Joan Rodenbaugh
Subject: TBAV false alarms in Acad13? (PC)
X-Digest: Volume 9 : Issue 76

I've recently installed TBAV and all seemed well until I went to install my AutoCAD disks. It found a lot of files that could possibly be viruses. I turned the heuristic level down to low, but still got a few alarms. I don't think Autodesk sends out infected disks, but heh, you never know. I'm sitting here staring at my hubby's Acad disks and won't install the app until I get some answers. Anyone else scan their Acad13 with TBAV and get this type of result?

Regards,
Joan
joanr@worldnet.att.net

------------------------------

Date: Mon, 20 May 1996 17:27:54 +0000 (GMT)
From: "Derek V. Giroulle"
Subject: Re: NAV and F-PROT problems with NYB (PC)
X-Digest: Volume 9 : Issue 76

CICSTAFF CICSTAFF wrote:

>I have been getting my ass kicked by a group of viruses, here at my
>center. I have the latest Norton, but it doesn't pick up anything. When
>I use F-prot on a floppy, it tells me that the boot sector is infected
>with the NYB virus, when it goes in to disinfect, it goes into a
>loop....and finally just says "Virus can not be removed-Original MBR was
>not found".

AFAIK this might be due to multiple MBR infections; however, I would suspect that F-prot might deal with those correctly. You could, however, chase your original MBR on the disk and write it back to PSN_0 (0,0,1); that might do the trick for you.

>When I run Fdisk /MBR, and re-run F-prot the same thing happens.

Just say no to Fdisk /MBR.

>F-prot also fails to disinfect the concept virus in Word 6, it reports it,
>but it doesn't give u any options to clean or disinfect. Any suggestions.

That is something I would be able to help you with. Failing all else check out the S&S site www.sands.com or try my to find links to many other sites.

Dirk.Giroulle@ping.be http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see what you went in for (based on fvu's definition of panning)

------------------------------

Date: Mon, 20 May 1996 13:12:26 -0500 (CDT)
From: Jarrod Henry
Subject: Uneven Variant (PC)
X-Digest: Volume 9 : Issue 76

I have run across something that f-prot 222 calls a "new or unknown variant of Uneven." I have a couple of ??'s: Has anyone else noticed this, and is it a false positive?

Jarrod Henry
Arkansas School for Mathematics and Sciences
jarrodh@asms3.k12.ar.us

------------------------------

Date: Mon, 20 May 1996 18:48:27 +0000 (GMT)
From: stephen.l@ukonline.co.uk
Subject: Bios virus? (PC)
X-Digest: Volume 9 : Issue 76

Today I called in to a computer dealer/repairer to explain my computer problem to him and see if he could help. Problem is, I have a Diamond Stealth PCI graphics card; when I boot up nothing appears on my screen and it goes into power down mode after approx 8 seconds. I get 1 long and 2 short beeps indicating a video problem. I took out this board and inserted an ISA graphics board, booted from the floppy A drive and presto, I have a screen display: "bios rom checksum error". I still have no C drive recognition. I've tried all the relevant key sequences to get access to the bios but have had no success.
I suggested to the repairer that the checksum error may be due to the fact that the PCI board's video bios being removed may have caused this checksum error. To my surprise I was told that there is a virus which over time continually attacks the bios, eventually so corrupting it that it renders the system inoperable. I was then told a new board would be the solution at a cost of ukp140. Is this a virus problem? My bios is Award 4.50PG. Can anybody shed any light on this?

Thanks for your time.
STE.

------------------------------

Date: Mon, 20 May 1996 14:40:51 -0500 (CDT)
From: Jason David Moerbe
Subject: Monkey_B virus? (PC)
X-Digest: Volume 9 : Issue 76

What does the Monkey_B virus do? Please keep in mind when you reply that I am new to computers and need the information in layman's terms. Also, where could I find a list of viruses and their effects? My McAfee program has a listing, but it's Greek to me.

Thanks
E-Mail welcome
Jason D. Moerbe
Jmoerbe@tenet.edu

[Moderator's note: I'd suggest the FAQ for this list/group for beginners (and others!). It doesn't directly answer your question about Monkey, but look up "boot sector infector" and "stealth virus" and you have the essentials.... The current version of the FAQ is at: ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt]

------------------------------

Date: Tue, 21 May 1996 11:43:43 +1000
From: "Brian J. Fillery"
Subject: Re: Scanning Iomega Zip Drive (PC)
X-Digest: Volume 9 : Issue 76

> Can an Iomega Zip Drive be Scanned?

Yes. I have never had any problem scanning Zip Disks on the Zip Drive and it was the first thing I did on getting the drive set up: scan the files for viruses.

When I first saw this posted I immediately scanned three disks on my Zip Drive with both TBAV 701 and FProt 222. No problems. Dismissed it as an error or a lack of understanding on my part.

On the second posting, which said that FProt does not detect viruses on a Zip drive, I put two virus infected files plus the EICAR file on a partly filled Zip Disk and scanned them with FProt. All three files were immediately detected. I go to the 'Scan' menu item, select 'Search' then the 'User Specified' area and enter F: for my Zip Drive letter.

My Zip Drive is the Parallel one. Is the Zip in question a SCSI Drive? Is this the problem? I cannot see how it can be as presumably normal SCSI Hard Drives can be scanned by FProt.

Regards, Brian.
Brian J. Fillery, Brisbane, Australia.

------------------------------

Date: Mon, 20 May 1996 23:49:39 -0400
From: Matthew Schrank
Subject: Smiley face virus? Dunno what it's called! (PC)
X-Digest: Volume 9 : Issue 76

I have a friend that when he loads up his computer you see a small ASCII smiley face (don't know the ASCII digit) at the top-right-hand corner of the screen. When you run any DOS program the smiley appears again and sometimes blinks, then the program locks up. What is this virus? He had a mediocre virus checker with probably old definitions (PC-cillin). But I tried running NAV on it and it still didn't find anything. The virus defs were up to date. May defs.

P.S. I'd appreciate it if you could reply via email too.

------------------------------

Date: Tue, 21 May 1996 01:34:48 -0500 (EST)
From: "Rob Slade, doting grandpa of Ryan & Trevor"
Subject: RE: MS anti-virus updates. (PC)
X-Digest: Volume 9 : Issue 76

From a Victoria Freenet user:

> Do you know if Microsoft actually is supporting their anti-virus

Did you use "support" and "Microsoft" in the same sentence? :-)

>software? I am referring to the old central-point software group's
>CPAV stuff. MS issued it with Dos 6.0 and windows 3.1 & 3.11. What I am

Ah, yes, I remember it well :-)

>trying to find out with no success so far is if they make an updated
>signature file available on the internet or something. There is no
>mention at microsoft.com nor at ms's free BBS in seattle. So I am
>beginning to suspect that they are not interested. Am I right?

Right on the money. Microsoft never announced any form of support for MSAV: in fact, Central Point was busy taking out ads informing people that if you wanted support and updates for MSAV you were going to have to buy (oh, yes, buy!) them from Central Point.

We know that Microsoft got MSAV from Central Point. Central Point did not, itself, develop MSAV or the parent CPAV: they bought it from an outfit in Israel. The rumours around the CPU are that CP was glad to give MS the rights to the program for nothing, believing that they would make a killing on support and upgrades. The cynicism reached an all time high when it was found out that Microsoft, itself, does not use MSAV. (Microsoft has a world wide license for F-PROT.)

You may, however, still be in luck. Central Point merged into Symantec. On one of the four Symantec ftp servers, you may still be able to find updates. ftp://ftp.symantec.com/pub/dos/cpav has some files that look like they may be signature updates or database files.

> Thanks for taking the time to consider this.

Not at all. However, I'd really appreciate it if you, in turn, would consider a more effective and reliable antiviral product. If Yisrael Radai did nothing else in virus research, he will long be remembered for his excellent evaluation of the faults of MSAV.

======================
roberts@decus.ca rslade@vcn.bc.ca slade@freenet.victoria.bc.ca
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Security
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

[Moderator's note: From the FAQ you will find a reference to Yisrael's paper at: ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/msaveval.zip and there are copies at many other AV sites and links on many Web pages.]

------------------------------

Date: Tue, 21 May 1996 10:19:56 +0300 (EET DST)
From: "Mikko H. Hypponen"
Subject: Re: Stealth_Boot_C - what does it do? (PC)
X-Digest: Volume 9 : Issue 76

Jock Mackirdy wrote:

> F-PROT Virstop TSR reported "Stealth_Boot_C detected". I was able to
> use F-Prot to disinfect my floppy disk.
>
> I now want to disinfect the PC from which I "caught" the virus but I
> need to know how long I can delay doing it.

Don't delay it. Stealth_Boot has no direct destruction routines, but the virus continues to spread to practically all floppies used in the machine.

> What does this virus actually *do* ?

Here's a description from the virus description database at www.datafellows.com:

NAME: Stealth_boot
ALIAS: Nops, AMSE, PMBS, STELBOO, STEALTH_C, STEALTH_B
TYPE: OS Boot, MBR Boot, Resident
ORIGIN: USA

Members of the Stealth_boot family are pretty normal boot sector viruses with stealth capability. However, several of the variants of this virus are quite common all over the world.

Stealth_boot can infect a computer's hard disk only if the computer is booted from an infected diskette, in which case the virus infects the hard disk's Master Boot Record. The virus goes resident in memory the next time the computer is booted from the hard disk. Once in memory, Stealth_boot infects all non-write protected diskettes used in the computer. The stealth routines of the virus hide the infection, making infected boot sectors look clean as long as the virus is resident in memory. The virus code is visible after booting from a clean floppy.

There are 13 different variants of this virus known (May 1996). The most common variants of this virus do nothing except spread. Stealth_boot.c is especially common all over the world. The Stealth_boot.KOH variants of this virus include an encryption system, which encrypts the hard drive with strong encryption if so wished by the user. These variants contain dangerous programming errors. The original source code of this virus has been published in a book, which explains the commonness of this virus.

Copyright (c) Data Fellows Ltd's F-PROT Professional development & support

- -
Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com
Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 76]
*****************************************
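Two threads in this digest come down to the same defensive idea: Ken Stieers' note that NDD insists the partition table and the first partition's boot sector agree with each other, and the Stealth_boot description, where a resident boot virus hides its MBR changes until the machine is booted from clean media. The following is an added Python example, not code from any post here or from any product named on the list; it models the partition-table/BPB cross-check and a baseline hash of the MBR code area, on a disk layout, boot-code bytes and helper names that are all constructed for illustration (the CMOS part of NDD's check is not modelled).

```python
"""Offline MBR / boot-sector consistency and baseline check (constructed example)."""
import hashlib
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"   # FAT BPB fields at boot-sector offsets 11..35


def build_mbr(code: bytes, part_start_lba: int, part_sectors: int) -> bytes:
    """Constructed sample MBR: 446-byte code area, one FAT16 entry, 0x55AA.
    CHS fields are placeholder bytes; the checks below use the LBA fields."""
    if len(code) > 446:
        raise ValueError("MBR code area is 446 bytes")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x7f", part_start_lba, part_sectors)
    return code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"


def build_fat_boot_sector(hidden_sectors: int, total_sectors: int) -> bytes:
    """Constructed FAT16 boot sector whose BPB records the partition's start
    (hidden sectors) and size (16-bit field if it fits, else 32-bit)."""
    tot16 = total_sectors if total_sectors < 0x10000 else 0
    tot32 = 0 if tot16 else total_sectors
    bpb = struct.pack(BPB_FMT, 512, 4, 1, 2, 512, tot16, 0xF8, 64, 63, 128,
                      hidden_sectors, tot32)
    return (b"\xeb\x3c\x90MSDOS5.0" + bpb).ljust(510, b"\x00") + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Return the populated partition table entries (LBA start and size)."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("MBR signature missing")
    parts = []
    for i in range(4):
        boot, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "start": start, "size": size})
    return parts


def parse_bpb(boot_sector: bytes) -> dict:
    if boot_sector[510:] != b"\x55\xaa":
        raise ValueError("boot sector signature missing")
    f = struct.unpack_from(BPB_FMT, boot_sector, 11)
    return {"bytes_per_sector": f[0], "hidden": f[10], "total": f[5] or f[11]}


def cross_check(mbr: bytes, boot_sectors: dict) -> list:
    """List disagreements between the partition table and each partition's
    BPB, the kind of mismatch NDD refuses to work on; empty = consistent.
    boot_sectors maps a partition's LBA start to its 512-byte boot sector."""
    problems = []
    for p in parse_mbr(mbr):
        bpb = parse_bpb(boot_sectors[p["start"]])
        if bpb["hidden"] != p["start"]:
            problems.append(f"LBA {p['start']}: BPB hidden sectors = {bpb['hidden']}")
        if bpb["total"] != p["size"]:
            problems.append(f"LBA {p['start']}: BPB size {bpb['total']} != {p['size']}")
        if bpb["bytes_per_sector"] != SECTOR:
            problems.append(f"LBA {p['start']}: sector size {bpb['bytes_per_sector']}")
    return problems


def mbr_code_digest(mbr: bytes) -> str:
    """Baseline over the code area only: repartitioning leaves it unchanged,
    any change to the boot code (as a boot-sector infector makes) alters it."""
    return hashlib.sha256(mbr[:446]).hexdigest()


def mbr_code_changed(mbr: bytes, baseline: str) -> bool:
    return mbr_code_digest(mbr) != baseline


if __name__ == "__main__":
    code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(64, b"\x90")  # stand-in boot code
    mbr = build_mbr(code, 63, 2_000_000)
    disk = {63: build_fat_boot_sector(63, 2_000_000)}
    baseline = mbr_code_digest(mbr)          # taken while booted from clean media
    print("clean disk:", cross_check(mbr, disk) or "consistent")
    # a later read whose code area differs (here just other constructed bytes)
    print("code changed:", mbr_code_changed(build_mbr(b"\xeb\xfe", 63, 2_000_000), baseline))
    # a partition table whose start no longer matches the BPB it points at
    print("table/BPB:", cross_check(build_mbr(code, 64, 2_000_000), {64: disk[63]}))
```

The baseline comparison is only meaningful when the MBR is read with no resident code in the way, which is why the description above says the virus code becomes visible after a clean-floppy boot.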