VIRUS-L Digest   Friday, 31 May 1996   Volume 9 : Issue 85

Today's Topics:

MIMEsweeper E-Mail Virus Protection Software
Re: Macro Viruses (Concept etc.)
Virus researcher(s) wanted, Oxford, UK
Re: How good is Mcafee WebScan?
VGrep 199606 released
NAV Auto-Protect doesn't always load (WIN95)
Reinstalling Norton Anti Virus (WIN95)
Re: Tentacle! (WIN)
AV Scanners and .doc file associations. (WIN)
Re: System.Ini Virus? (WIN)
RE: AST Problems (PC)
Virus that removes CD ROM drivers?? (PC)
Re: Bios virus? (PC)
Re: Strange file z!z!z!z!.z!z (PC)
Re: What's new in InVircible 6.11 (PC)
Re: fp-223 bug? (PC)
KBUG1720 Virus Help (PC)
Re: Lotus Notes fools Wingaurd?? (was: ...scanner for Lotus NOTES) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.
Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 29 May 1996 20:34:07 +0000 (GMT)
From: Jeff Zacuto
Subject: MIMEsweeper E-Mail Virus Protection Software
X-Digest: Volume 9 : Issue 85

The Ultimate E-Mail virus protection software by Integralis, Inc. **

Internal or international, MIMEsweeper protects your network from virus infection - automatically and transparently. Available for Lotus cc:Mail, Internet Mail (SMTP), with Microsoft MSMail and Novell MHS versions available soon.

MIMEsweeper takes a secure holistic approach, safely quarantining all suspect attachments.

Physically excludes suspect E-Mail - MIMEsweeper ensures suspect attachments never reach your network by setting up its own transparent mailbox under Microsoft Windows NT. Only fully checked messages are allowed through to your network.

Connected to the Internet? - Any machine connected to the global virtual network is particularly vulnerable to viruses or undesirable file types delivered through MIME or other binary attachments. MIMEsweeper allows you to take advantage of the Internet, secure in the knowledge your PCs are safe from virus-borne interference.

Your choice of virus protection - built-in interface for leading virus scanning products.

Architecture:

MIMEsweeper utilities:
* a dedicated area for reconstructing mail message attachments. Scanning or behaviour checking is used according to your chosen virus protection technology.
* a CD-ROM for easy and safe distribution. Installed files are copied to a floppy disk, so rebuilding takes just a few minutes should the MIMEsweeper platform become infected.

System Requirements:

MIMEsweeper for cc:Mail
  Microsoft Windows NT 3.5/3.51 (Client or AS).
  cc:Mail Post Office supporting VIM 2.0.
  CD-ROM drive, 50Mb free hard disk space.

MIMEsweeper for SMTP
  Microsoft Windows NT 3.5/3.51 (Client or AS).
  MIMEsweeper for SMTP forwarding host, RFC 821, 822, 1521 supported.
  Forwarding mail based on DNS MX records.
  CD-ROM drive, 50Mb free hard disk space.

MIMEsweeper for MSMail
  Microsoft Windows NT 3.5/3.51 (Client or AS).
  MAPI interface.
  CD-ROM drive, 50Mb free hard disk space.

MIMEsweeper for MHS
  Microsoft Windows NT 3.5/3.51 (Client or AS).
  MHS version 1.5.
  CD-ROM drive, 50Mb free hard disk space.

Please E-Mail: lilolme@pacificnet.net for more information!

** Corporate Background:

Overview: Integralis, Inc. was incorporated January 1, 1996 as a wholly owned US subsidiary of Integralis Ltd., a leading supplier of computer communications solutions in the UK. Founded in 1988, Integralis' systems integration specialists have been providing both Government and Corporate organizations with system solutions based on a combination of products, consulting, software, development and training. Integralis now has offices in the UK, France, Germany, Benelux, Australia, and the US, with a workforce exceeding 100.

Integralis Inc. will concentrate on the products internally developed by Integralis and will develop specific enhancements appropriate to the US marketplace for them. Integralis sales, marketing and customer support are based in Kirkland, Washington. The company distinguished itself by providing the highest level of customer satisfaction with communication solutions. Integralis products are sold directly and by a select reseller channel made up of VARs and System Integrators with email and Internet connectivity expertise. Customers include KPMG, Fleet Services, NATO, Dayton Hudson, Royal Bank of Canada and Transco Energy. Integralis is a Lotus Business Partner, Microsoft Solutions Provider, and attends various trade shows such as NetWorld InterOp and Email World.

Please E-Mail: lilolme@pacificnet.net for more information!

------------------------------

Date: Wed, 29 May 1996 20:59:37 +0000 (GMT)
From: MoonDogg Shredder
Subject: Re: Macro Viruses (Concept etc.)
X-Digest: Volume 9 : Issue 85

moroch@onramp.net wrote:
>CLAYTON E RUTH wrote:
>
>> My primary problem with Word Macro viruses is getting them out of
>> cc:Mail file attachments. I look forward to the day (hopefully soon?)
>> when one of the many AV developers out there comes up with something
>> that will intercept them and clean them up as they pass from cc:Mail to
>> Word when the user double-clicks the attachment.

I may be missing the point here, but I think what you are talking about is already possible. We use Notes, Word, and NAV. With NAV set to scan files upon opening, it will detect infected Word docs when attaching to or detaching/launching from Notes.

------------------------------

Date: Wed, 29 May 1996 16:54:35 +0000 (GMT)
From: Jan Hruska
Subject: Virus researcher(s) wanted, Oxford, UK
X-Digest: Volume 9 : Issue 85

See uk.jobs.offered, cv to jh@sophos.com, www.sophos.com.

------------------------------

Date: Wed, 29 May 1996 21:53:41 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: How good is Mcafee WebScan?
X-Digest: Volume 9 : Issue 85

Wed, 22 May 1996 03:27:24 -0400 knhansen@erols.com wrote:
>Eli Ross wrote:
>
>> Anyone have experience with Mcafee's WebScan's efficiency and
>> installation.
>
>Eli - I bought McAfee Webscan because I have used their antivirus
>product. It turns out (they don't say this on the box) that you cannot
>use the program with 32-bit version of Netscape! I did not find this
>out until after I had installed it (version 1.0.1). Thought you (or
>others) might want to know. -Karen

Yes, but they (McAfee people) have enough guts to say that Symantec (Norton) lies, as they published in PC Magazine (vol 15 number 10, May 28 1996)!!!!

The other incredible thing is "Best Virus protection" in the VSUM test virus (detection average). When will somebody test ALL the AV software in an unbiased way???? (There are a lot of people who post in this area who could perform this kind of test!)
Regards
Ruben Arias

- ------------------------------------------------------------------------------
Ruben M. Arias                 _   _   _
                              | ) |_| | |_)
                              | \ | | |_ |
E-Mail: Ruben@RALP.Satlink.net        Buenos Aires - ARGENTINA
RALP - Computer Security - Virus
- ------------------------------------------------------------------------------

------------------------------

Date: Thu, 30 May 1996 15:38:43 +0000 (GMT)
From: Ian Whalley
Subject: VGrep 199606 released
X-Digest: Volume 9 : Issue 85

I have just completed and released the latest version of VGrep, my virus name cross-referencing system. For more information and a copy of the system (or even just the opportunity to search it online), point your browser at , and follow the VGrep link.

Comments welcome;

Best,

I.

- - - -----------------------------------------------------------------------------
|---Ian Whalley, Editor, Virus Bulletin Magazine---|-Author of Project VGrep-|
|-Direct/Office/Fax: +44-1235-544039/555139/531889-|-virus name xref system--|
|-Key CRC: 2A02 96E5 5D77 4C8D EB22 146F E03B A0D3-|-Get it from the web at:-|
|-Unix/NT/W95/Win32/C/x86/Sed/Awk/Perl/Sh/Html/VBA-|http://www.virusbtn.com/ |
- -----------------------------------------------------------------------------

[Moderator's note: Not wanting to bias your opinions, but I find VGrep a very useful tool as I have to deal with calls from people who use different scanners...]

------------------------------

Date: Thu, 30 May 1996 23:57:11 +0000 (GMT)
From: George
Subject: NAV Auto-Protect doesn't always load (WIN95)
X-Digest: Volume 9 : Issue 85

I am running NAV for Win95 and have all of the latest signature files including this month (May). For the last 2 months, every now and then, the NAV Auto-Protect Icon will not load in the window with the clock on the taskbar when I boot up. When that happens I re-boot, then the Icon loads into the window where it belongs. It seems to have started doing this since I loaded the April signatures, but I can't be positive.
Today I had to re-boot twice for the Icon to show up in that window with the clock.

Anyone else have this problem...... please help

George

------------------------------

Date: Thu, 30 May 1996 21:04:25 -0400
From: frisk455
Subject: Reinstalling Norton Anti Virus (WIN95)
X-Digest: Volume 9 : Issue 85

I have been trying to reinstall Norton anti virus for windows 95. I keep getting the following message - "This program performed an illegal operation and will shut down". It is causing a fault. Any help would be appreciated.

thank you.

------------------------------

Date: Wed, 29 May 1996 21:37:24 +0000 (GMT)
From: Juha Paulavuo
Subject: Re: Tentacle! (WIN)
X-Digest: Volume 9 : Issue 85

On 23 May 1996 12:23:10 -0000, Mark Pakula wrote:
> I've just found that I have the Tentacle virus..
>
>Any help would be greatly appreciated
>as now I'm thinking of resorting to..
>format c:

You could contact DataFellows by e-mail: F-PROT@DataFellows.com or take a look at their www-page at: http://www.DataFellows.com, they have a quite comprehensive databank about viruses.

- -
Juha Paulavuo
Teacher in computer technology
Homepage: http://www.sci.fi/~kassu1/
Maintainer of: http://www.eurohit.sci.fi

------------------------------

Date: Thu, 30 May 1996 16:10:58 +0000 (GMT)
From: Andrew Lord
Subject: AV Scanners and .doc file associations. (WIN)
X-Digest: Volume 9 : Issue 85

Do any of the respected AV programs become invoked whenever you click on a .doc file - scan the file and then pass control over to MSWord? This should enable auto-scanning of attachments in CCMail and the like.

Andy L.

------------------------------

Date: Fri, 31 May 1996 04:28:30 +0000 (GMT)
From: Dan Duce
Subject: Re: System.Ini Virus? (WIN)
X-Digest: Volume 9 : Issue 85

"James R. Mac Donald" wrote:
>Has anyone heard and/or experienced a virus that would "edit" the Windows
>System.Ini file.
>It seems that 4 users this morning in my firm have
>reported System.Ini files that have been decimated; leaving only two
>non-functioning lines within. It apparently deletes the [386 Enhanced]
>section among others.
>
>If you have heard of this and / or have a "cure", please let me know.

I believe that I recently read that some of the Word Macro viruses add lines to the Windows ini files. It wouldn't be too terribly difficult to edit a text based file using a macro type virus.

------------------------------

Date: Wed, 29 May 1996 18:16:11 -0400
From: Kevin Davidson
Subject: RE: AST Problems (PC)
X-Digest: Volume 9 : Issue 85

On Wed, 24 Apr 1996 15:35:45 -0500 DENT wrote:
> First off, I own an AST Advantage! Adventure 4066d.

So do I! Only mine is a 486/33.

>I'm not sure what's going on, but every so often, my system sounds
>like it "whirs" down to a halt (in a descending tone), the screen
>locks for a second or two, then it "whirs" back up (ascending
>tone) and continues wherever it left off. There doesn't seem to be
>any pattern when it does this, except for...ALL THE TIME! I'm
>not sure if I have a power problem, a hard drive problem, or a
>virus.

What you are hearing is normal. If you look in your CMOS settings, you will find a time out for the power saving options. I have mine set for 10 minutes, so that my disk drive will spin down if there is no disk activity in that amount of time. Then it will spin back up when a read or write to the disk is needed.

> I do a scandisk once in awhile, which usually comes up
>with errors to be corrected.

Welcome to the wonderful world of windows file manager.

> Secondly, I bought my system used, but it didn't start doing
>this until I had it for sometime. The point being, I've got on

probably didn't expire the inactivity time until now.

>AST's tech support page, but to email a tech question, I need to
>have the model # that's supposed to be on the back of my system.
>I'm not sure whether it was on a sticker that fell off, or if I'm
>just not looking in the right place.

Don't worry, they won't answer anyway.

YOU DON'T HAVE A VIRUS PROBLEM (or any other problem for that matter)!!!!

Good luck,

Kevin Davidson
EER Systems Inc.

------------------------------

Date: Wed, 29 May 1996 21:22:29 -0500
From: Scott Retzlaff
Subject: Virus that removes CD ROM drivers?? (PC)
X-Digest: Volume 9 : Issue 85

Is there a virus that will remove the CD ROM line from the autoexec.bat file making your system unable to recognize that drive?

Thanks,
Scott Retzlaff

------------------------------

Date: Thu, 30 May 1996 06:35:34 -0400
From: DarStec
Subject: Re: Bios virus? (PC)
X-Digest: Volume 9 : Issue 85

In article <0036.01I51JAH6G9ESKZV5A@csc.canterbury.ac.nz>, jonvwill@iastate.edu writes:
>stephen.l@ukonline.co.uk wrote:
>
>> Today I called in to a computer dealer/repairer to explain my computer
>> problem to him and see if he could help.
>>
>> Problem is-I have a Diamond Stealth graphics card PCI, when I boot up
>> nothing appears on my screen and it goes into power down mode approx
>> 8 seconds. I get 1 long and 2 short beeps indicating a video problem.
>> I took out this board and inserted an ISA graphics board, booted from
>> the floppy a drive presto I have a screen display "bios rom checksum
>> error". I still have no c drive recognition. I've tried all the relevant
>[rest deleted]
>
>Perhaps a dead bios battery is a more likely candidate?

I've seen the same symptoms occur when a computer gets a jolt of static electricity when touched by a user on a dry day if the computer has not been grounded properly or the electrical circuit has a failing or faulty ground system. _If_ that is the case, you may have to remove the battery and let the motherboard capacitors discharge for a few days. I've also used the technique of wrapping the motherboard on the solder side with aluminum foil for 24 hrs, AFTER REMOVING the battery.
[NOTE: some technicians consider this to be a dangerous procedure, however I personally have never had any mishaps with this method.]

But first make sure that the battery is in good condition before you go through the process I just described, as a dead battery would also be my first assumption. It is also possible that a component on the motherboard became damaged when the new video board was put in.

Later,
DarStec

------------------------------

Date: Thu, 30 May 1996 15:29:46 +0000 (GMT)
From: "A.Appleyard"
Subject: Re: Strange file z!z!z!z!.z!z (PC)
X-Digest: Volume 9 : Issue 85

Re the strange unerasable file z!z!z!z!.z!z : have you tried calling SCANDISK or Norton Disk Doctor on the drive that that file is on?

------------------------------

Date: Thu, 30 May 1996 05:23:11 +0000 (GMT)
From: George Wenzel
Subject: Re: What's new in InVircible 6.11 (PC)
X-Digest: Volume 9 : Issue 85

In article <0013.01I5C1SCTTA6UB9WRC@csc.canterbury.ac.nz>, Vesselin Bontchev wrote:

As Vesselin preceded his post stating that he worked for a competing product and was not independent, I will precede this post by saying I AM an independent academic, and I have no official ties to any anti-virus producer.

>IVX REPORT, Dated May 27 1996
>
>
>7 suspect file(s) found.
>127 files were processed.
>
>Wow! 7 "suspect" [sic] files! I must be infected! Time to format my hard
>disk! Except that this is not the case. *NONE* of the above files is
>infected. SCANPROT.DOT is, ironically as it sounds, Microsoft's own
>anti-macro virus tool. WEBVIEW.DOT and HTML.DOT are either from
>Microsoft's Internet Assistant or from Quarterdeck's similar WinWord
>utility for preparation of HTML documents. SPELL6.DOC, ADBKLIT6.DOC and
>FILENEW.DOC are from Woody Leonhard's WOPR 6.0 set of utilities for
>WinWord. VIEW25.DOC is some macro which makes it easier to edit two
>documents side-by-side in two different windows.

I have confirmed these results using 7 of the macro protection tools on the net.
IVX **DOES** false alarm on these files, regardless of what its author says.

>If anybody has problems obtaining these documents or doubts my words
>that they were reported as above - I can post them here (they are not
>malicious), if the moderator permits me to. So, what is common between
>all these documents? Right - they all contain auto macros.

The documents I used in my study of IVX are available from me as well.

>Funnily enough, if you use AutoClose, instead of AutoOpen as the macro
>name, IVX won't report anything - regardless that there are viruses
>(e.g., DMV) which rely on this auto macro. And, not terribly
>surprisingly, IVX fails to detect the DMV virus - the very first WinWord
>macro virus.

I have confirmed this as well. IVX does NOT detect a confirmed, replicating sample of DMV. Therefore, it does not live up to its author's claim that it detects all present and future macro malware.

Regards,
George Wenzel

   ("`-''-/").___..--''"`-._           George Wenzel
    `6_ 6  )   `-.  (     ).`-.__.`)
    (_Y_.)'  ._   )  `._ `. ``-..-'    Student of Wado Kai Karate
  _..`--'_..-_/  /--'_.'  ,'           U of A Karate Club
 (il),-''  (li),'  ((!.-'              HTTP://www.ualberta.ca/~gwenzel/

------------------------------

Date: Thu, 30 May 1996 13:20:02 -0700
From: CrACKeD
Subject: Re: fp-223 bug? (PC)
X-Digest: Volume 9 : Issue 85

Ubaldo J. SA LOPES wrote:
: Downloaded f-prot version 2.23 from Garbo site and then report:
:
: "Error opening temporary file F2___TMP.TMP"
:
: when scan with Method: Heuristic.
:
: Is this a Bug?

I just had the same problem earlier today, but before I got that error F-Prot told me that it couldn't open a few hundred files. Later I exited F-Prot and I could open them just fine. My best guess is that F-Prot ran out of memory or something and just freaked out, as I tried again with a Secure scan instead of a Heuristic scan and everything worked fine.
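The IVX exchange between Vesselin Bontchev and George Wenzel (two messages above) is about a heuristic that keys on the presence of an AutoOpen macro: it fires on harmless templates that merely carry auto macros, and it misses a virus that replicates from AutoClose. The toy scanner below, written for this page and not IVX's code or any other product's, reproduces that false-positive / false-negative pattern on a constructed corpus. The seven legitimate file names are the ones the thread lists; their macro bodies, the two "Concept-like" and "DMV-like" samples, and the choice of "MacroCopy into the global template" as the replication indicator are all assumptions for illustration.

```python
# Added example: toy auto-macro heuristics for the IVX discussion above.
# Not IVX's code nor any product's. A "document" is a dict of a name plus a
# list of (macro name, macro body) pairs; the bodies are constructed stand-ins,
# not the real contents of the files named. Treating "MacroCopy ... into the
# global template" as the replication indicator is an assumption of this example.

AUTO_MACROS = {"AUTOEXEC", "AUTOOPEN", "AUTOCLOSE", "AUTONEW", "AUTOEXIT"}


def naive_flags(doc):
    """Rule the thread attributes to IVX: flag any document that has an AutoOpen macro."""
    return any(name.upper() == "AUTOOPEN" for name, _ in doc["macros"])


def copies_to_global(body):
    """Crude replication indicator: a MacroCopy of a macro into the global template."""
    upper = body.upper()
    return "MACROCOPY" in upper and ("GLOBAL:" in upper or "NORMAL.DOT" in upper)


def broader_flags(doc):
    """Look at every auto-executing macro name, and require a replication indicator."""
    return any(name.upper() in AUTO_MACROS and copies_to_global(body)
               for name, body in doc["macros"])


# Constructed corpus. The first seven names are the templates the thread calls
# legitimate; their bodies here are invented placeholders.
SAMPLES = [
    {"name": "SCANPROT.DOT", "macros": [("AutoOpen", "Call CheckForMacros")]},
    {"name": "WEBVIEW.DOT",  "macros": [("AutoOpen", "Call ShowHtmlView")]},
    {"name": "HTML.DOT",     "macros": [("AutoOpen", "Call SetHtmlStyles")]},
    {"name": "SPELL6.DOC",   "macros": [("AutoOpen", "Call SpellAddIn")]},
    {"name": "ADBKLIT6.DOC", "macros": [("AutoOpen", "Call AddressBook")]},
    {"name": "FILENEW.DOC",  "macros": [("AutoOpen", "Call FileNewDialog")]},
    {"name": "VIEW25.DOC",   "macros": [("AutoOpen", "Call SideBySide")]},
    # Concept-style stand-in: an AutoOpen that installs itself in the global template.
    {"name": "Concept-like.doc",
     "macros": [("AutoOpen", 'MacroCopy "AutoOpen", "Global:AutoOpen"')]},
    # DMV-style stand-in: replicates from AutoClose, which an AutoOpen-only rule never looks at.
    {"name": "DMV-like.doc",
     "macros": [("AutoClose", 'MacroCopy "AutoClose", "Global:AutoClose"')]},
    {"name": "plain.doc", "macros": []},
]


def scan(rule, docs=SAMPLES):
    """Return the sorted names of the documents that `rule` flags."""
    return sorted(d["name"] for d in docs if rule(d))


if __name__ == "__main__":
    print("naive  :", scan(naive_flags))    # seven harmless templates plus Concept-like; DMV-like missed
    print("broader:", scan(broader_flags))  # Concept-like and DMV-like only
```

The naive rule flags all seven harmless templates and still lets the AutoClose sample through, which is exactly the complaint in the thread. The broader rule is not offered as a good detector either: a replication test this crude is trivially evaded by building the MacroCopy call from string fragments, and real scanners of the period used signatures or far more careful macro analysis. The point it makes is only that "contains an auto macro" is not an infection indicator, and that whatever rule is used has to cover AutoClose, AutoExec, AutoNew and AutoExit as well as AutoOpen.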
------------------------------

Date: Thu, 30 May 1996 13:30:05 -0700
From: CrACKeD
Subject: KBUG1720 Virus Help (PC)
X-Digest: Volume 9 : Issue 85

I think I have acquired this nasty virus from a friend. I have run all my virus scanners (MSAV, F-prot, McAfee's SCAN, TBAV, NAV) in an attempt to find something and I had no luck.

First, let me explain the symptoms my friend was having. None of his virus scanners would find it either. He was experiencing lots of bad sectors on his hard drive, corrupted files, and just about anything else you could imagine along those lines. He took his computer into the shop, at which point he was informed that his machine was infected with the KBUG1720 virus. The techs told him that his hard drive would have to be formatted to get rid of the virus, and that was done. Later he brought his floppies over to my place to get the virus cleaned. My scanners could not find anything, and I could only tell him that the disks were not infected.

So, here I am experiencing the same problems. I've had scandisk working on repairing my file system for the past 20 hours (no joke) and I've lost close to 50 MB of files already. Of course none of my virus scanners can find anything. I also have a few files which were created at some point with names composed of a bunch of extended ASCII characters. These files cannot be removed, as DOS doesn't even think they are there when I try to remove them. Attrib will not even acknowledge their existence. DOS will simply not tell me they exist, yet when I type 'dir' they are there. Scandisk will not fix this, and chkdsk won't fix this.

Does anybody have any idea if DriveSpace just took a dump on me, or do I have some sort of stealth virus using polymorphic encryption on my hands here?

------------------------------

Date: Thu, 30 May 1996 21:25:04 +0000 (GMT)
From: Graham.Cluley@uk.drsolomon.com
Subject: Re: Lotus Notes fools Wingaurd??
         (was: ...scanner for Lotus NOTES) (PC)
X-Digest: Volume 9 : Issue 85

Anders Storm writes:
> I have tested Dr Solomon's for Win '95 version 7.54, it does
> not detect when I detach a file (with concept virus)

Version 7.54 is a little old - the current shipping version is 7.60 (your version is some six months out of date). Does the latest shipping version also experience this problem? Does it also have the problem if you turn on "Check all files"?

> from
> Lotus Notes to my HD or to a Floppy disk (Yes, the "Scan on
> writes (Winguard)" option is on). But Winguard detects a
> Launch of the same file.

Yep, it would definitely intercept any access to a Concept-infected document. Of course it would also prevent anyone from attaching an infected document to Lotus Notes in the first place.

Of course, it's pretty impressive that we were able to *intercept* Concept infections some six or more months ago when other products have only just recently added detection.

I'm on the road at the moment for Comdex Spring in Chicago - it may be worth contacting our guys in Sweden at the contact address below and asking them to investigate more in depth:

QA Informatik AB
P.O. Box 596
S-175 26 Järfälla
Sweden
Tel: +46 8/580 100 02
Fax: +46 8/580 100 05

Regards
Graham

- --
Graham Cluley, Senior Technology Consultant, gcluley@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit. "Tech support on the road!"
UK: +44 1296 318700, USA: 617 273 7400
WorldWide Web : http://www.drsolomon.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 85]
*****************************************