VIRUS-L Digest   Saturday, 1 Jun 1996   Volume 9 : Issue 86

Today's Topics:

    Re: Word Macro Virus cleaner wanted
    Announce : New Security Products
    Re: Macro Viruses (Concept etc.)
    ===== Help With Virus History =====
    The Scanner
    Macro Viruses - Clear and Present Danger. (MAC,WIN)
    Re: Reinstalling Norton Anti Virus (WIN95)
    Re: Tentacle (WIN)
    Re: AV Scanners and .doc file associations. (WIN)
    Re: AV Scanners and .doc file associations. (WIN)
    Re: Lotus Notes fools Wingaurd?? (was: ...scanner for Lotus Notes ?? (PC?)
    Re: Form (PC)
    RE f-prot 2.23 Bug (PC)
    Re: 850MB HD now 333MB--virus? (PC)
    Re: KBUG1720 Virus Help (PC)
    Re: McAfee can't clean STONED.NOINT? (PC)
    Re: Virus that removes CD ROM drivers?? (PC)
    F-prot 2.23 bug? (PC)
    Re: Virus that removes CD ROM drivers?? (PC)
    NEW Virus??? (PC)
    Re: Satan Bug and MuEngine Virus (PC)
    Burglar virus questions (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be
sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 31 May 1996 21:56:08 +1000
From: Grahame Grieve
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 86

Johnathon Williams wrote,

>I agree that Word's macro functions are a powerful addition to the
>software. However, in my experience (my position affords me a chance to
>see many MS Word users), few people make any, much less extensive, use of
>Word's macro capabilities. Despite the fact that the macro function is
>largely a luxury for more advanced users, and despite the fact that the
>potential of macroviruses has been discussed for years, Microsoft provides
>no way to disable this function in Word, and I feel it is remiss in this.
>
>There is absolutely no reason why the macro function should not have an
>"off" switch, but what I am proposing goes a step further: it could
>selectively allow certain macros through both by name and contents (again,
>specifiable in some sort of an exclusion list)--a straightforward, strong
>first line of defense against macroviruses, while allowing macros of your
>choosing to execute normally.
>
>If I wanted a blanket macro detector (which would certainly be good in
>many circumstances) I would simply download Scanprot from Microsoft and
>only open documents from within Word. I'm asking for something better.
>
>I'd be interested in some feedback from programmers regarding the
>potential application of this idea.

Well, I'm a programmer. I use Word, and I write in Word Basic, and also
WLLs. I rely heavily on automacros to hook calls that close my documents
and then I do the things that I want to do when my docs are saved, closed
and opened. Unfortunately these are the same macros you are talking
about. In addition to majorly screwing up my applications, disabling
automacros also shuts the wizards off.

The kind of approach you are describing would cause me considerable
trouble when I was distributing my apps, trying to explain to users why
I thought they should disable their virus protection. However as long as
people use these generic solutions I'll have the problem.

Why aren't people asking for the same generic solutions to viruses that
infect executables? This is the reason that the major AV vendors are
concentrating on specific detection.

(I have yet to try my apps with F/Win, but I will, Stefan)

Grahame

------------------------------

Date: Fri, 31 May 1996 15:31:23 +0100
From: Mark Mottershead
Subject: Announce : New Security Products
X-Digest: Volume 9 : Issue 86

Press Release

FORTRESS Product Range
Total PC Protection From One Company

17th May 1996. For Immediate Release:

Contact: Kate Holland
         M.I.S. Europe Limited
         (44)-(0)1622-817808

Wateringbury Kent - M.I.S. Europe Limited today announces the release of
its Windows versions of computer security products. With the ever
increasing computer crime rate MIS understands the importance of easy
and manageable software. You cannot open a paper or listen to the radio
without someone telling you about the Internet or the latest Virus
attack. MIS are experts in the field of security and therefore can offer
clients a unique friendly welcome, with an excellent after sales
service. MIS also operates a 24 hour 7 days per week "Systems Care Line"
which anyone can call at anytime to ask for assistance.

M.I.S. Europe Limited is pleased to present the new FORTRESS(TM) family
of products designed for enhanced security and anti-virus protection for
PC's in any environment:-

IRONWALL
    For data protection and encryption, user access and directory/file
    management. Standalone or Networked.

IRONBRIDGE
    For secure, encrypted data upload/download via modem, including
    total Internet protection. Can also be used as a standard
    communications program. A later version will include FTP and TELNET.

IRONGUARD+
    Hardware/Software combination for total user security and
    Anti-Virus protection. NO SYSTEM has EVER been infected by a Virus
    that has IronGuard+ installed.

IRONGUARD
    Anti-Virus and Monitoring software.

A developers kit is also available which consists of the Hardware Card
and Firmware, allowing organisations to develop add-on software to their
own specification. MIS also offers development services. Please call for
further details.

This new product generation is designed to be interchangeable, and will
operate with IBM-compatible PCs, UNIX Workstations, whether stand-alone
or networked, on a plug-and-play basis in DOS, Windows, NT and WIN95.
Alongside this range we also provide clients with physical security
devices and theft prevention systems.

The FORTRESS(TM) range offers considerable advantages to both
distributors and end-users:-

    * Superior Product Design.
    * Latest Encryption DES/RSA Technology and PGP Compatible.
    * Enhanced Security Technology for Better Data Protection.
    * Internet Security as Standard.
    * Takes Care of the newest Macro Type Viruses.
    * Requires NO Software Updates.
    * Increased Flexibility.
    * Total Interchangeability.
    * Easier, Faster Availability.
    * More features to address a Wider Market.
    * 24-hour Helpline from MIS.
    * A World-Wide Market place including the US and Canada.

CONTACT INFORMATION

M.I.S. Europe Limited is a subsidiary of the M.I.S. Group of companies,
who provide a wide range of IT services. Other subsidiaries in the group
are MIS Consultants and MIS Developments.

Further details can be obtained from Mr Mark Mottershead, the Group
Director, on 01622-817808.

Your readers should be directed to phone our SALES NUMBER for further
information; this number is 0800-243649. If you are calling from outside
the UK please dial 44-1622-814627.

We also offer full colour photographic documentation of the FORTRESS
Range, and evaluation examples of our programs for review purposes.

"Don't just believe us, please try it"

Our E-MAIL address is: misuk@mis europe.co.uk
Our web page can be found at:
http://www.almac.co.uk/business_park/mis/index.html

Mark Mottershead
M.I.S. Europe Limited
Security House
Red Hill
Wateringbury
KENT ME18 5NN
England

Tel : (44)-(0)1622-817808
Fax : (44)-(0)1622-817857
24 Hour Support Line (44)-(0)1622-813111
e-mail : mark@miseurope.co.uk

------------------------------

Date: Fri, 31 May 1996 20:44:40 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Macro Viruses (Concept etc.)
X-Digest: Volume 9 : Issue 86

MoonDogg Shredder writes:

>moroch@onramp.net wrote:
>>CLAYTON E RUTH wrote:
>>> My primary problem with Word Macro viruses is getting them out of
>>> cc:Mail file attachments. I look forward to the day (hopefully soon?)
>>> when one of the many AV developers out there comes up with something
>>> that will intercept them and clean them up as they pass from cc:Mail to
>>> Word when the user double-clicks the attachment.
>
>I may be missing the point here, but I think what you are talking
>about is already possible. We use Notes, Word, and NAV. With NAV set
>to scan files upon opening, it will detect infected Word docs when
>attaching to or detaching/launching from Notes.

That's the theory. But now try it out. Unless they're doing something I
don't know about, I'll bet it doesn't work as you think it does.

And it would be a simple change, to include more extensions to check
(checking DO? doesn't do it). But by including such a change, you open
yourself to start looking at lots of other types of files.

A new version of WebScan is to be CCmail aware and won't even wait
around for you to double click.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 31 May 1996 23:17:59 +0000 (GMT)
From: erleg@sdinter.net
Subject: ===== Help With Virus History =====
X-Digest: Volume 9 : Issue 86

I once read about two rogue programs that ran simultaneously in order to
protect each other.
When one of the programs was removed from memory, the remaining one
would restore the first one again. This would ensure that each one
survived.

The two programs had cute names like Frick & Frack, Hansle & Grettle, or
something to that effect.

If anyone remembers this virus history, could you please point me toward
where I could find it again?

Thanks in advance! - Erle

------------------------------

Date: Fri, 31 May 1996 19:19:04 -0400
From: HRRWood
Subject: The Scanner
X-Digest: Volume 9 : Issue 86

For those of you that have read "The Scanner" in the past, it is now
back in business. I am writing the return issue now. If you have any
questions or info send it to: SCNR@aol.com or Woody@diversicomm.com

Woody

------------------------------

Date: Fri, 31 May 1996 11:40:41 +0000 (GMT)
From: Andrew Lord
Subject: Macro Viruses - Clear and Present Danger. (MAC,WIN)
X-Digest: Volume 9 : Issue 86

At our site some of us use MS Word 2.0, some MS Word 6.0 and others
both.

We recently upgraded our MS Word 6 to (supposedly) protect against Macro
viruses. This was a patch from Micro$oft.

My questions are twofold:

1) Given that Micro$oft don't really know much about virii (is that how
   you spell it?) is the patch adequate protection, or does it just deal
   with the Concept Macro??? Is there a real threat from macros that are
   not dealt with by this patch?

2) Is there a real threat in leaving users with MS Word 2 unprotected?

Andy L.

------------------------------

Date: Fri, 31 May 1996 22:56:49 +0000 (GMT)
From: Michael Messuri
Subject: Re: Reinstalling Norton Anti Virus (WIN95)
X-Digest: Volume 9 : Issue 86

In article <0007.01I5D3OQS12QUBASOQ@csc.canterbury.ac.nz>,
frisk455@ix.netcom.com says...

>I have been trying to reinstall Norton anti virus for windows 95. I keep
>getting the following message - "This program performed an illegal
>operation and will shut down". It is causing a fault. Any help would be
>appreciated. thank you.

First, I recommend copying the install disks to a temporary folder on
your hard drive and running SETUP.EXE from there. This will eliminate
any potential problems with the disks themselves. If for some reason,
they do not copy, then we'll need to replace them.

If this has no effect, we'll want to have your system booted as clean as
possible before we run the install. To do so, rename your CONFIG.SYS,
AUTOEXEC.BAT, and your WIN.INI files and reboot. Win95 doesn't require
these files and eliminating them will eliminate any possible conflicts.
(Renaming the startup files back to their original names will put you
back where you started.) I also suggest changing your video to VGA and
closing out of any applications that may be running in the background.
Try running SETUP.EXE again with this minimal configuration.

If I can be of any more assistance, please let me know.

- -
==========================================================================
Michael Messuri                    Symantec Corporation
Virus Specialist                   http://www.symantec.com/avcenter
AntiVirus Research Center          CIS: GO SYMWIN
mmessuri@symantec.com                   GO SYMNEW
US Support: 541-465-8420           AOL: SYMANTEC
European Support: 31-71-353-111
Australian Support: 61-2-879-6577
==========================================================================

------------------------------

Date: Fri, 31 May 1996 13:46:08 +0100 (BST)
From: Jason McClean
Subject: Re: Tentacle (WIN)
X-Digest: Volume 9 : Issue 86

On 23 May 1996 12:23:10 -0000, Mark Pakula wrote:

> I've just found that I have the Tentacle virus..
>
>Any help would be greatly appreciated
>as now I'm thinking of resorting to..
>format c:

I also had the Tentacle virus on my machine.

Using the evaluation copy of Findviru (from Dr Solomon), with the extra
file for Tentacle, all infected files were identified and renamed,
e.g. netscape.exe became netscape.vxe.

All infected files were then deleted (manually), and restored from
backups.
Although, if you haven't got backups or original installation disks, you
are in a bit of a pickle (as you would be with most virus infections I
expect!)

Jason McClean.

------------------------------

Date: Fri, 31 May 1996 03:37:06 +0000 (GMT)
From: George Wenzel
Subject: Re: AV Scanners and .doc file associations. (WIN)
X-Digest: Volume 9 : Issue 86

In article <0009.01I5D3OQS12QUBASOQ@csc.canterbury.ac.nz>,
Andrew Lord wrote:

>Do any of the respected AV programs become invoked whenever you click
>on a .doc file - scan the file and then pass control over to MSWord?

Any on-access scanner (a Win95 or Win3.1 VxD/TSR) should be able to do
this, providing it has the capability to scan for macro viruses.

Regards,

George Wenzel

George Wenzel
Student of Wado Kai Karate
U of A Karate Club
HTTP://www.ualberta.ca/~gwenzel/

------------------------------

Date: Fri, 31 May 1996 20:49:05 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: AV Scanners and .doc file associations. (WIN)
X-Digest: Volume 9 : Issue 86

Andrew Lord writes:

>Do any of the respected AV programs become invoked whenever you click
>on a .doc file - scan the file and then pass control over to MSWord?
>
>This should enable auto-scanning of attachments in CCMail and the
>like.

No, that's not how it works. CCmail stores files as .TMP files and sends
them directly to Word.

Want to associate the .TMP extension to Word?

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 31 May 1996 11:16:04 +0200
From: Mikael Albrecht
Subject: Re: Lotus Notes fools Wingaurd?? (was: ...scanner for Lotus Notes ?? (PC?)
X-Digest: Volume 9 : Issue 86

Anders Storm wrote:

> I have tested Dr Solomon's for Win '95 version 7.54, it does not detect
> then I detach a file (with concept virus) from Lotus Notes to my HD or to
> a Floppy disk (Yes, the "Scan on writes (Winguard)" option is on). But
> Winguard detects a Launch of the same file.
>
> Is it Lotus Notes that fools Winguard????

I ran some tests and noticed that this may be true in some cases (at
least under Win95). Select the "Scan all files" option to fix the
problem.

Mike

- -
Mikael Albrecht    http://www.lanvision.fi/mikke/contents.htm
LAN Vision Oy - Dr. Solomon's Anti-Virus, Utimaco security
Welcome to visit us at:      http://www.lanvision.fi/
Utilities for AV & security: ftp://ftp.lanvision.fi/

------------------------------

Date: Fri, 31 May 1996 08:53:37 -0400
From: Bill lambdin
Subject: Re: Form (PC)
X-Digest: Volume 9 : Issue 86

"S. Widlake" writes

> Sorry, not true. It is not always safe to SYS a hard drive. It depends
> on the validity of the partition table and the current contents of the
> boot sector. The possibility of these being invalid to such an extent
> that SYS will result in drive corruption, eg. overwritten FAT's, may be
> rare but SYS does not do anything to the MBR (partition sector), and

I clearly identified this should only be used on Form, and Boot.437
viruses.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net              PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                   C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 31 May 1996 16:15:31 +0000 (GMT)
From: Christiane + Mario Laboch
Subject: RE f-prot 2.23 Bug (PC)
X-Digest: Volume 9 : Issue 86

"Ubaldo J. SA LOPES" wrote:

>>Downloaded f-prot version 2.23 from Garbo site and then report:
>>
>>"Error opening temporary file F2___TMP.TMP"
>>
>>when scan with Method: Heuristic.
>>
>>Is this a Bug?

This occurs when trying to use F-prot 2.23 with only 640 KB base memory
(for example after booting from a clean disk). It seems that f-prot runs
out of memory.

Mario
___________________
Mario Laboch
Laboch@t-online.de

------------------------------

Date: Fri, 31 May 1996 16:53:38 +0000 (GMT)
From: Ken Stieers
Subject: Re: 850MB HD now 333MB--virus? (PC)
X-Digest: Volume 9 : Issue 86

In article <0016.01I5C1SCTTA6UB9WRC@csc.canterbury.ac.nz>,
s.widlake@rl.ac.uk says...

>Now this isn't too much of a problem around here as using this kind of
>a software cludge isn't supported but there are plenty of other people
>that may need to know this info...

I assume you have all new hardware that will support large IDE drives.
Considering that there are millions of machines out there that don't,
there has to be a solution other than buying a new motherboard.
DiskManager is that solution.

>>>Hold on there just a moment... this implies that if Disk Mangler gets
>>>whacked by a virus, you can kiss good-bye to all your data ?!? Surely
>>>there must be a better way of restoring everything back to normal...
>>
>>If it is Ontrack Diskmanager you use, you can rebuild your partition
>>table by using DM /M (manual mode) without reformatting. Make it a
>>"read/write partition" (- not a DOS partition) if it was before! If
>>you boot from a floppy that loads the Ontrack driver "dmdrvr.bin" in
>>the config.sys of the floppy you should be able to access the data on
>>your harddrive.
>
>Well after an MBR virus has wiped out 0-0-1 (C-H-S) you probably will
>not know which of these cludges was being used it's just that simply
>removing the virus won't help as other damage has been done.

This depends on which version of DM you have and what the virus does,
but for most MBR viruses either the drive will boot fine, or you will
get some type of DDO error.

>Assuming that it *is* DM...
>
>A question about this "dmdrvr.bin" - This file is unique(?) to each PC
>that DM has been installed on, right ? So what if you don't have a copy
>of this file on floppy ?

No, DMDRVR.BIN is not unique to the PC.

>Can DM /M still access the hard drive's files
>and/or restore DM's functionality so that everything is back to normal,
>without it ?

Yes it can.

>>It is a wise idea to prepare a boot floppy with "dmdrvr.bin" before an
>>accident happens, certainly if you do not have more than 1 computer.
>>You can test it very easily: If after booting from the flop you can
>>access all the data on your HD, the flop is OK. It is also a wise idea
>>to keep a printscreen of your partitions (DM), since recovery is only
>>possible if you reconstruct your partition table exactly the way it
>>was before the accident. If you have the full drive in 1 partition
>>this is less a problem since that situation is easier to remember :-).
>
>I agree that that is a wise idea but unfortunately general users don't
>see it that way and end up in the above mess before any preventative
>measures are even thought about. Fixing a damaged partition table is a
>pretty easy job for Me, it's getting the DM stuff back up and running
>- without wiping out the boot sector, FAT's and root ! - that causes
>the headaches.

What version of DM do you have any experience with? Version 7.x
(currently shipping with most drives except Western Digital) has options
in the Maintenance menu for replacing everything DM needs to run. The
MBR, the DDO, the boot sector, without touching FATs, Dirs or data.
Version 6 is a little more complicated, but tech support can walk you
through it, or you can request the instructions to be mailed to you.

>[ I've got around this before now, but it was very messy and risky. ]
>
>I think we're getting there and if anyone has got the "real answers",
>I'd really like to see those here.
>
>S.
>
>PS. Yes I saw the posting from the Ontrack (?) guy and did not think
>much of that reply.

What didn't you like about it? That it gave the safest answer possible?
Your answer of diving in and editing the partition table is risky. You
yourself claim that you don't feel comfortable with it, but you
recommend it to someone who doesn't have your experience. You expect
them to be comfortable with it??

>Actually I don't think much of the company - You
>may remember that they are also in the data recovery game and putting
>out software of this type is a bit like selling faulty cars and then
>charging even more $$$$ to fix them.

This slander is blatantly untrue. If you have a DM drive that's hit by a
virus, you can call our tech support and they will get the drive back up
and running for you for FREE!!!!!!

- -
Views expressed herein are not necessarily the views of Ontrack Computer
Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers              | Minneapolis - 1.800.872.2599         *
* AV Research/Apps. Eng.   | Los Angeles - 1.800.752.7557         *
* Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410    *
* Ontrack Data Recovery    | London - 0800 24 39 96               *
* Eden Prairie, MN         | Japan - 81.429.32-6365               *
*******************************************************************

------------------------------

Date: Fri, 31 May 1996 20:51:27 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: KBUG1720 Virus Help (PC)
X-Digest: Volume 9 : Issue 86

CrACKeD writes:

[Lots of problems with the disk clipped.]

The KBUG1720 problem is from an old version of Scan. Please update your
copy from www.mcafee.com or ftp.mcafee.com

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 31 May 1996 16:52:52 -0400
From: HRRWood
Subject: Re: McAfee can't clean STONED.NOINT? (PC)
X-Digest: Volume 9 : Issue 86

F-Prot will easily remove this virus. I recently cleaned a whole
University lab infected with this virus. Use a "clean" boot disk with
F-Prot on it and it will rid you of this problem.

Woody

------------------------------

Date: Fri, 31 May 1996 20:53:58 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Virus that removes CD ROM drivers?? (PC)
X-Digest: Volume 9 : Issue 86

Scott Retzlaff writes:

>Is there a virus that will remove the CD ROM line from the autoexec.bat
>file making your system unable to recognize that drive?

No, but most old boot viruses on Win95 systems make the Win95 system
stop using 32-bit access, which is required by the CD ROM driver, thus
giving you the same effect.

Thus, I would guess that you do have a boot virus.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 31 May 1996 17:26:18 -0400
From: Jacob Poon
Subject: F-prot 2.23 bug? (PC)
X-Digest: Volume 9 : Issue 86

When f-prot scans more than 20-30 files, it says file
'C:\xxxx\xxxx.exe: file already open' and subsequent files are skipped
and generate the same message. This did not happen on 2.22.

BTW I am using the following:

    DOS 6.22
    Files=40 in CONFIG.SYS (only several are used)
    F-prot scanning options: Using Heuristics scan.

Can anyone help?

------------------------------

Date: Fri, 31 May 1996 18:36:27 -0400
From: HRRWood
Subject: Re: Virus that removes CD ROM drivers?? (PC)
X-Digest: Volume 9 : Issue 86

If you are running a 16 bit processor, ANTIEXE is notorious for dropping
the drivers. I had an experience with a customer that had the bug and it
did in fact disable the drivers. Disabled is probably not the correct
wording but regardless, the drivers were disabled. You need to do a
clean boot and use a "GOOD" AV product. I used F-Prot and it handled the
problem easily.

Woody

------------------------------

Date: Fri, 31 May 1996 18:55:22 -0400
From: invest@myna.com
Subject: NEW Virus??? (PC)
X-Digest: Volume 9 : Issue 86

I don't know what happened but here's the history...

First I started having problems with Lotus Organizer 2.0. About two
weeks ago it crashed and I had to re-install it.

Then this past Wednesday, I reboot my machine (to recover 'lost' memory
that 3.1 seems to lose when I run, exit, run, exit programs throughout
the day). So when I reboot, I go back in to Windows, try to load WP6.0,
I get a "general protection error", I try to run ANYTHING and get
similar errors.

So I get WS_FTP running (for whatever reason it was working), go to
McAfee and download the anti virus prog.
It does not find anything. There is however one message that does come
up. Something along the line of "sector boot partition" but the stupid
message goes by soooo fast that I can't read it (Hey McAfee tech
guys/gals FIX THIS!!!)

Anyways I go in to DOS (that was easy because the progman.exe crashed),
try to run MSAV - the machine reboots itself!! I do this three other
times and the result is the same, the machine reboots!!

For whatever reason scandisk is working and now comes the interesting
part. Almost all files on my "C" drive have the same error "the reported
file size is smaller than the actual size, scandisk will fix the
problem". Go hey great my problem is solved. So I get a small brick to
rest on the return key [because after an hour I got tired of hitting the
"fix-it" key over and over and over again and again]. After a while it
finishes. When I went to view the log, the screen turned green and
froze.

I re-boot and try to run anything but I get an "Error in exe program"

I N E E D   H E L P ! ! ! !

Please post to this group!!!

Signed - Screwed in Streetsville!

------------------------------

Date: Fri, 31 May 1996 18:55:39 -0400
From: HRRWood
Subject: Re: Satan Bug and MuEngine Virus (PC)
X-Digest: Volume 9 : Issue 86

F-Prot will remove both of these problems. The MTe is a mutation engine
used by viruses to mutate and not a virus. Satan bug can be handled by
F-Prot and others as well. I prefer F-Prot and IM myself and use others
in my research for "The Scanner" for a secure system.

Woody

------------------------------

Date: Sat, 01 Jun 1996 00:13:19 +0000 (GMT)
From: Dan Renfrow
Subject: Burglar virus questions (PC)
X-Digest: Volume 9 : Issue 86

My company has been hit by the Burglar.1150 virus. In most cases we have
successfully detected it. We are using a McAfee NLM virii program on our
network servers now to protect reinfection of the server.
However we are having trouble with a few PC's and believe it to also be
Burglar, however both f-prot and McAfee are not detecting anything.

Here are the symptoms:

    Boot - check mem /c, devices loaded high.
    Run Windows 3.1, check memory from DOS prompt, devices loaded high.
    Quit Windows, check memory, all devices loaded low and smartdrv,
    amongst some others, are missing.

Perhaps we have a different virus? Or does Burglar have code to manifest
itself??

Please advise.

Thanks!

Dan Renfrow
-drenfrow@atk.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 86]
*****************************************
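
Added example, not part of the digest and not any vendor's code: the replies on cc:Mail attachments and .doc file associations note that checking DO? extensions misses a Word document that the mail client hands over as a .TMP file, so this sketch selects files for macro scanning by content instead (OLE2 signature plus a WordDocument stream). The file names and sample bytes are constructed, and only the first directory sector of the container is read.

```python
import fnmatch
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature


def extension_selected(filename, patterns=("DO?",)):
    """Extension-only selection, as with a scanner told to check DO? files."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    return any(fnmatch.fnmatchcase(ext, p) for p in patterns)


def ole2_entry_names(data):
    """Names in the first directory sector, or None if data is not OLE2.

    Simplification: the directory chain is not followed through the FAT,
    so only the first sector's entries (4 at 512-byte sectors) are listed.
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    (first_dir_sector,) = struct.unpack_from("<I", data, 48)
    if sector_shift not in (9, 12):
        return []                                  # OLE2, but header is malformed
    sector_size = 1 << sector_shift
    start = (first_dir_sector + 1) * sector_size   # sector 0 follows the header
    end = min(start + sector_size, len(data))
    names = []
    for off in range(start, end - 127, 128):       # 128-byte directory entries
        name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
        if obj_type == 0 or not 2 <= name_len <= 64:
            continue                               # unused or corrupt entry
        raw = data[off:off + name_len - 2]         # drop the UTF-16 terminator
        names.append(raw.decode("utf-16-le", "replace"))
    return names


def content_selected(data):
    """Content-based selection: OLE2 container holding a WordDocument stream."""
    names = ole2_entry_names(data)
    return names is not None and "WordDocument" in names


def dir_entry(name, obj_type):
    """Build one 128-byte directory entry (constructed test data)."""
    raw = (name + "\0").encode("utf-16-le")
    entry = bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<HB", entry, 64, len(raw), obj_type)
    return bytes(entry)


def build_sample_doc():
    """Constructed minimal container: header plus one directory sector."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 30, 9)    # 512-byte sectors
    struct.pack_into("<I", header, 48, 0)    # directory starts in sector 0
    directory = dir_entry("Root Entry", 5) + dir_entry("WordDocument", 2)
    return bytes(header) + directory.ljust(512, b"\0")


def triage(files):
    """Return {filename: (selected_by_extension, selected_by_content)}."""
    return {n: (extension_selected(n), content_selected(d))
            for n, d in files.items()}


if __name__ == "__main__":
    doc = build_sample_doc()
    # Constructed names; the first .TMP stands for a mail client's temp copy.
    sample = {"REPORT.DOC": doc, "CCM0001.TMP": doc,
              "NOTES.TMP": b"plain text\r\n" * 50}
    for name, verdict in triage(sample).items():
        print(name, verdict)
```
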