VIRUS-L Digest   Wednesday, 5 Jun 1996   Volume 9 : Issue 88

Today's Topics:

Re: What is NOT a virus
Scanning incoming mail
Re : Macro viruses & the like ...
Re: Question about Windows suspicious behavior
Re: What is NOT a virus
Anybody know anything good about RG Software??
Re: What is NOT a virus
Re: Word Macro Virus cleaner wanted
Re: Macro viruse-Clear and present danger
Re: Win95 slowdown info (was: Re: Sporadic system slow-downs...) (WIN95)
Re: AV Scanners and .doc file associations. (WIN)
New Virus ? Help please. (PC)
Re: fp-223 bug? (PC)
Were_wolf.1500 (PC)
Re: fp-223 bug? (PC)
Re: F-Macro (PC)
Re: InVircible and Word macro rogueware (PC)
Re: TECHNION VIRUS (PC)
Re: InVircible and Word macro rogueware (PC)
Is my WIN95 infected??? (PC)
Re: Jackal.B virus won't go away (PC)
RE: CMOS strategies: BSV prevention (PC)
servant virus? Hmmm!!! (PC)
Disaster recovery of compressed volume (PC)
Hard disk partition disappeared (PC)
Re: Bios virus? (PC)
Re: Form (PC)
re: InVircible and Word macro rogueware (PC)
Re: Macro Viruses - Clear and Present Danger. [long] (MAC,WIN)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz.
(Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 03 Jun 1996 09:28:58 -0600
From: "John C. Darrow"
Subject: Re: What is NOT a virus
X-Digest: Volume 9 : Issue 88

> [Moderator's note: In answer to Gary's first question, Jimmy's paper is
> available as ftp://ftp.ncsa.com/notvirus.txt, and is well worth reading.]

Make that ftp://ftp.ncsa.com/pub/notvirus.txt

[Moderator's note: The dangers of working offline, trusting your notes and not checking when you later get a chance...]

------------------------------

Date: Mon, 03 Jun 1996 09:33:39 -0700
From: Kolar Mahesh
Subject: Scanning incoming mail
X-Digest: Volume 9 : Issue 88

Eli Ross wrote in Digest: Volume 9 : Issue 87

>Who produces the best anti-virus scanner for incoming Internet
>files, ie, email (and attachments), newsgroup headers and
>postings and WWW site downloading files?

MIMEsweeper (developed by Integralis) will scan your incoming files with attachments - it works in conjunction with virus scanners. For more information and a demo, please feel free to contact Central House Technologies.

Regards,

Kolar Mahesh
Technical Support
Central House Technologies
Phone : (209)-245-5900
Fax : (209)-245-5919
Email : kmahesh@centralhouse.com

------------------------------

Date: Mon, 03 Jun 1996 09:44:37 -0700
From: Kolar Mahesh
Subject: Re : Macro viruses & the like ...
X-Digest: Volume 9 : Issue 88

I have been following with interest the thread on the discussion of macro viruses, viruses in file attachments etc. MIMEsweeper (developed by Integralis) is a solution worth trying out - we have an SMTP version and also a cc:Mail version which will scan all e-mail file attachments for viruses before they hit the mail PO. For more information and downloading a demo, please contact Central House Technologies.
Regards,

Kolar Mahesh
Technical Support
Central House Technologies
Phone : (209)-245-5900
Fax : (209)-245-5919
Email : kmahesh@centralhouse.com

------------------------------

Date: Mon, 03 Jun 1996 16:31:57 +0000 (GMT)
From: Andrew Wing
Subject: Re: Question about Windows suspicious behavior
X-Digest: Volume 9 : Issue 88

Kevin R. DuPre' (dupre@bjc.hfh.edu) wrote:

: We have a group of machines that exist between two buildings on a large
: urban hospital campus which are PCs of various manufacture. All machines
: are running Windows for Workgroups 3.11, and are using Frontier
: SuperTCP/NFS for Windows for functions like telnet, net printing, NFS,
: file transfer, and e-mail.

[snip]

: The system boots ok, and runs Win. Suddenly, it bounces back to the DOS
: prompt, killing Win and whatever application was running. Restarting Win
: from DOS works ok, only the network software refuses to bind to the
: interface. You have to power down and then restart, only to run into this
: problem again sometime later. It makes it very difficult to get any work
: done, and prior to May 18, all these machines were fine and exhibited no
: such behavior.

[snip]

: It just seems strangely
: coincidental that 10 or so machines running the above environment and
: split between two buildings with only a network connecting them would
: suddenly all begin behaving the same way. There are other such
: environments in the hospital on other departmental subnets, but I've not
: heard any complaints, so I'm also assuming that it's not anything
: particular to the combination of Windows for Workgroups and the Frontier
: software.

Sounds like a network problem. Have any OS/shell updates been applied? Your symptoms sound like the Novell "Black Screen of Death". Are all the affected machines on the same segment? Common router? Are they on thinwire? Have you run NIC self tests on all the machines? Maybe you've got an intermittent jabber.

- -
Politics is not the art of persuasion, it's the science of selfishness.
Big Brother isn't watching you, you're watching Big Brother, all 181 channels.
"Speeding down the misinformation superhighway"
Andy Wing
agwing@astro.ocis.temple.edu
awing@thunder.ocis.temple.edu

------------------------------

Date: Mon, 03 Jun 1996 19:15:24 +0000 (GMT)
From: Robert Michael Slade
Subject: Re: What is NOT a virus
X-Digest: Volume 9 : Issue 88

F/WIN Anti-Virus Support/Ordering (fwin_sup@ix.netcom.com) wrote:

: 2. How do the anti-virus vendors who wish to respond to this question
: feel about the idea of someone creating a FAQ for what is NOT a virus?

In answer to Gary's *second* question, I think the idea of providing the information is a good one, but that it probably doesn't deserve a FAQ of its own. I would suggest looking at the current VIRUS-L FAQ and the material that addresses this sort of thing already. If you can put together something that fills a gap, then by all means submit it. (Nick is the guy to send it to, so that makes it easy for you :-)

------------------------------

Date: Mon, 03 Jun 1996 22:21:31 +0000 (GMT)
From: gspence@ix.netcom.com
Subject: Anybody know anything good about RG Software??
X-Digest: Volume 9 : Issue 88

Anybody have any information about a company called RG Software? For quite a while they've been calling & mentioning some program called No More blankety blank Viruses. Never heard of them or it. Prefer someone not connected with RG Software to comment. Please do not reply Harald Horgen - you represent them.

Many thanks,
Gary

------------------------------

Date: Tue, 04 Jun 1996 01:21:51 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: What is NOT a virus
X-Digest: Volume 9 : Issue 88

F/WIN Anti-Virus Support/Ordering writes:

>The May, 1996 issue of "NCSA News" featured a very interesting article
>titled "What is NOT a Virus". The author was Chengi Jimmy Kuo,
>Director of Anti-virus Research at McAfee Associates, Inc.
Oh no, now people know what I'm supposed to be doing instead of answering questions here. :-)

>The article lists several common scenarios in which McAfee's technical
>support was contacted for something a customer thought was a virus, but

Just wanted to note that I had help from many who work at competing companies.

>wasn't. I'm not talking about SCAN getting false alarms. The article
>is about symptoms that users experience that leads them to believe
>they're dealing with a virus, when they really aren't. In my opinion,
>Jimmy did a really great job on this article. There's enough details
>in it to make it really useful, and the kinds of scenarios he describes
>are relevant to many computer users.

Thank you. And to those interested, it takes just 10 minutes to read. I fully encourage people to read it. :-)

>I have a few comments about this article, and this topic in general.
>
>1. Is this article available for downloading anywhere on the internet?

I have made arrangements for it to be downloadable from ftp.mcafee.com in pub/antivirus. This means that similarly it should be reachable from www.mcafee.com through the download McAfee antivirus software path. If however you have trouble downloading it, feel free to send me email and I will send you a uuencoded copy. Also as noted below, it's available as a TXT file from ncsa.com.

>2. How do the anti-virus vendors who wish to respond to this question
>feel about the idea of someone creating a FAQ for what is NOT a virus?
>I would think that such a FAQ could benefit everyone's customers, as
>well as the AV companies themselves. The customers would benefit by
>being able to be more self-sufficient, and it may help to reduce the
>number of calls somewhat to AV companies. Do any AV vendors have an
>interest in cooperating in putting something like this together?

Go for it. It will hopefully reduce call volumes at all the AV vendors.
I have received many notes from other AV companies noting that it's nice to be able to just point someone to the paper and say, "That's what's happening" instead of needing 30 minutes to explain it.

I will probably update this paper from time to time. Let's see, version 2 will be called, "What's Also NOT a Virus." Then "What's Still NOT a Virus." :-)

>[Moderator's note: In answer to Gary's first question, Jimmy's paper is
>available as ftp://ftp.ncsa.com/notvirus.txt, and is well worth reading.]

Thank you for such words. At ncsa.com, you can get the file in TXT format. The file I will post is a .DOC file (WinWord6). Feel free to redistribute.

Jimmy
cjkuo@mcafee.com

[Moderator's note: As mentioned elsewhere, I got the URL wrong. The correct one is: ftp://ftp.ncsa.com/pub/notvirus.txt]

------------------------------

Date: Tue, 04 Jun 1996 10:36:47 +0100
From: "David W. Hanson"
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 88

jonvwill@iastate.edu wrote:

> Certainly it would not be an ideal system in all cases, such as the
> one described above. However, given:
>
> 1) Most people don't seem to make as much use of the macro
> capabilities of MS Word as this,

I'm sure that the virus writers are laughing their heads off when they hear such a suggestion. I certainly must take exception! While most people don't seem to -write- macros, many people -use- macros, at least here. And the easiest way to get someone to use a macro is to write the macro in such a way that the user is not aware that they are running a macro. Auto macros are essential for achieving this.

What I hear being recommended is to disable one of the most useful functions of Word. To me, this is not much of a solution. Do this, and the people who write the viruses win the battle! What you are asking me to do is to cut off my foot to prevent me from stubbing my toe.
Disabling auto macros is a way to protect yourself from macro viruses, but it is not a "good" way, since you sacrifice functionality. There has to be a better solution.

David Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen, Germany
hansond@afrc.garmisch.army.mil

------------------------------

Date: Tue, 04 Jun 1996 10:53:34 +0000
From: Szappanos Gabor
Subject: Re: Macro viruse-Clear and present danger
X-Digest: Volume 9 : Issue 88

Jonathan Williams wrote in Digest: Volume 9 : Issue 87:

>Incidentally, from everything I've read, Word 2.0 doesn't have the macro
>capabilities necessary for macro viruses to function on it, so PCs running
>it are (supposedly) not in danger. I don't have personal experience
>with this, however.

This is not quite true. There is at least one macro virus (Polite) and one trojan (WiederOfnnen) written in Word 2.0. It is very unlikely that you will ever encounter these (that's why there are no specific defenses on the Word 2.0 platform) but they still exist and the possibility to write viruses in Word 2.0 still exists. It is just a lot easier to create viruses in Word 6.0/7.0.

Szapi

------------------------------

Date: Mon, 03 Jun 1996 20:33:59 -0400
From: MelodieMcB
Subject: Re: Win95 slowdown info (was: Re: Sporadic system slow-downs...) (WIN95)
X-Digest: Volume 9 : Issue 88

The kernel patch improved my system performance by a factor of 3. The memory leak was slow but definite over time...

------------------------------

Date: Mon, 3 Jun 1996 08:08:59
From: Padgett 0sirius
Subject: Re: AV Scanners and .doc file associations. (WIN)
X-Digest: Volume 9 : Issue 88

In article <0009.01I5D3OQS12QUBASOQ@csc.canterbury.ac.nz> Andrew Lord writes:

>Do any of the respected AV programs become invoked whenever you click
>on a .doc file - scan the file and then pass control over to MSWord?

Sorry, not all WORD documents come across from ccMail with a .DO? extension, at least not in a heterogeneous environment.
Infected documents sent from a Macintosh client have no extension at all and ccMail passes them to WORD on a PC with a .TMP extension. The nasty part is that I have not been able to duplicate the .TMP addition with PCs alone; it takes a Mac client sending over ccMail to a PC client. Of course you can send something with a .TMP extension to yourself...

I would like to know how MS-Mail acts in this instance.

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
Totally Obsessed with TransOceanics
My other car is a Pontiac too
We also walk dogs
PGP 2.7 Public Key Available

------------------------------

Date: Mon, 03 Jun 1996 15:52:46 -0700
From: Frank Bucher
Subject: New Virus ? Help please. (PC)
X-Digest: Volume 9 : Issue 88

I have a problem on one of our PCs, and think it might be a new virus, though neither the McAfee nor the F-Prot antivirus programs found any hints of a virus.

This is what happens: The first problem occurs when Windows crashes. It is a quite normal thing, but after a cold boot, Win comes up with the message that the 386spart.par is defective. OK, I erased it and built a new one. But every time I started up Windows, the same message appeared.

After a few hours of work, I realized that my .com files were longer than they should be! Also the attributes of the infected files were changed. Every .com file I once started had 7679 bytes more than before the start. Most COM files wouldn't work afterwards.

I thought about a virus, and booted the PC with a floppy, to let a scanner do its work. But after I booted from floppy disk, there was no hard disk anymore. I decided to save my data from the disk and rebuild the disk completely. So after the backup I booted from a clean disk, ran fdisk (/mbr first) and formatted the partitions. After I had almost everything newly installed on the PC the same things happened again. Maybe I copied an infected file back on the system, but I thought I deleted every file that could distribute a virus.
This time I tried to get rid of the problem by deleting the infected files, rebuilding the partitions, deleting the system from the disk and restoring everything from clean disks. But it doesn't work. The things occur again, but no viruses were found!

Is it a virus? Can somebody help me? Has someone similar problems?

Thanks

- ----------------------------------------------------------------------
Frank Bucher
Institut fuer Prozess- und Anlagentechnik
FG Angewandtes Maschinenwesen
Prof. Dr.-Ing. P.-J. Murasch
TU Berlin, Sekr. BH 10
Strasse des 17. Juni 135
10623 Berlin, Germany
Tel 030 / 314 - 24616
FAX 030 / 314 - 22253
EMAIL frank@imwsir.bg.tu-berlin.de
- ----------------------------------------------------------------------

------------------------------

Date: Mon, 03 Jun 1996 09:23:07 -0700
From: David Shao
Subject: Re: fp-223 bug? (PC)
X-Digest: Volume 9 : Issue 88

In article <0016.01I5HNSTRL42UBAMTP@csc.canterbury.ac.nz>, Fridrik Skulason wrote:

>No. You are just using the program incorrectly. You should NEVER use
>the heuristics to scan non-executable files. The reason this message is
>generated is simply because this file is currently open in "exclusive"
>mode by F-PROT itself.

I am using Windows 95. I rebooted and scanned with the following--

Method: Heuristics
Search: Hard disk
Action: Report only
Targets: Boot/File
Files: Standard Executables

F-PROT Shareware version 2.23 seemed to work perfectly fine. I then reran the scan changing only the Method to Secure Scan. Still fine. I then reran the scan changing only the Method to Heuristics. Now I get the messages the previous posters got. If I am misusing the product could you tell me what I am doing wrong? I never had this occur using F-PROT 2.22.

David Shao

------------------------------

Date: Mon, 03 Jun 1996 19:01:02 +0200
From: Antonio Stano
Subject: Were_wolf.1500 (PC)
X-Digest: Volume 9 : Issue 88

Guys, I got the Were_wolf.1500 virus... found only with f-prot 2.23... how can I clean it??
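Looking back at Frank Bucher's report above (every .COM he had run grew by exactly 7679 bytes and had its attributes changed, yet two scanners found nothing), here is an added example of the integrity-baseline approach a defender can use when scanners are silent. It is not code from the digest or from any product mentioned in it; the directory walker works on a real tree, while the two snapshots, their paths, mode bits and placeholder hashes are constructed for the demonstration.

```python
"""Integrity baseline for executables (added example, not from the digest).

Records size, SHA-256 and permission bits of executables under a directory
and later reports what changed. It also flags the pattern in the report
above: several unrelated executables growing by one constant length, the
footprint of an appending file infector. Paths, mode bits and both sample
snapshots below are constructed; the hashes are placeholders, not digests.
"""
import hashlib
import os
import stat
from collections import Counter

EXECUTABLE_EXTS = {".com", ".exe", ".sys", ".ovl"}


def snapshot(root):
    """Walk `root` and return {REL/PATH: (size, sha256_hex, mode_bits)}."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/").upper()
            result[rel] = (st.st_size, digest, stat.S_IMODE(st.st_mode))
    return result


def diff_snapshots(baseline, current):
    """Return (path, kind, detail) tuples for every difference.

    kind is "added", "missing", "grown", "shrunk", "rewritten" or "attrs";
    detail is the byte delta for content changes, the new size for "added",
    None for "missing" and (old_mode, new_mode) for "attrs".
    """
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "added", current[path][0]))
            continue
        if path not in current:
            findings.append((path, "missing", None))
            continue
        b_size, b_hash, b_mode = baseline[path]
        c_size, c_hash, c_mode = current[path]
        if c_hash != b_hash:
            delta = c_size - b_size
            kind = "grown" if delta > 0 else "shrunk" if delta < 0 else "rewritten"
            findings.append((path, kind, delta))
        if c_mode != b_mode:
            findings.append((path, "attrs", (b_mode, c_mode)))
    return findings


def uniform_growth(findings, minimum=2):
    """Return (delta, [paths]) when at least `minimum` files grew by the
    same number of bytes, otherwise None."""
    grown = [(p, d) for p, kind, d in findings if kind == "grown"]
    counts = Counter(d for _p, d in grown)
    if not counts:
        return None
    delta, n = counts.most_common(1)[0]
    if n < minimum:
        return None
    return delta, [p for p, d in grown if d == delta]


# Constructed snapshots standing in for a clean baseline and a later run.
BASELINE = {
    "DOS/FORMAT.COM": (22916, "aa" * 32, 0o644),
    "DOS/EDIT.COM": (413, "bb" * 32, 0o644),
    "DOS/DISKCOPY.COM": (11879, "cc" * 32, 0o644),
    "WINDOWS/WIN.COM": (22679, "dd" * 32, 0o644),
    "DOS/CHKDSK.EXE": (12241, "ee" * 32, 0o644),
}
CURRENT = {
    "DOS/FORMAT.COM": (22916 + 7679, "a1" * 32, 0o600),  # run: grew, mode changed
    "DOS/EDIT.COM": (413 + 7679, "b1" * 32, 0o600),
    "DOS/DISKCOPY.COM": (11879, "cc" * 32, 0o644),       # never run: untouched
    "WINDOWS/WIN.COM": (22679 + 7679, "d1" * 32, 0o600),
    "DOS/CHKDSK.EXE": (12241, "ee" * 32, 0o644),
}


def report(baseline=BASELINE, current=CURRENT):
    """Print every change plus the uniform-growth verdict; return both."""
    findings = diff_snapshots(baseline, current)
    for path, kind, detail in findings:
        print(f"{kind:9s} {path} {detail}")
    hit = uniform_growth(findings)
    if hit:
        delta, paths = hit
        print(f"{len(paths)} executables grew by exactly {delta} bytes: "
              + ", ".join(paths))
    return findings, hit


if __name__ == "__main__":
    report()  # on a live tree: report(saved_baseline, snapshot("/path/to/root"))
```

The baseline must be taken from a system known to be clean and stored off the machine, since an on-disk baseline can be altered along with the files it describes.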
------------------------------

Date: Mon, 03 Jun 1996 18:50:06 +0000 (GMT)
From: Christiane + Mario Laboch
Subject: Re: fp-223 bug? (PC)
X-Digest: Volume 9 : Issue 88

On 3 Jun 1996 12:02:37 -0000, Frisk wrote:

>>In <0026.01I5C1SCTTA6UB9WRC@csc.canterbury.ac.nz> "Ubaldo J. SA LOPES"
>> writes:
>>
>>>Downloaded f-prot version 2.23 from Garbo site and then report:
>>>
>>>"Error opening temporary file F2___TMP.TMP"
>>>
>>>when scan with Method: Heuristic.
>>>
>>>Is this a Bug?
>>
>>No. You are just using the program incorrectly. You should NEVER use
>>the heuristics to scan non-executable files. The reason this message is
>>generated is simply because this file is currently open in "exclusive"
>>mode by F-PROT itself.

This may be the reason for this message, but this happens to many files also when scanning (heuristic) only executable files when booting from a clean disk using only 640 KB base memory. If I use a boot disk with the memory managers, F-prot works fine. So there seems to be a memory problem.

Mario
___________________
Mario Laboch
Laboch@t-online.de

------------------------------

Date: Mon, 03 Jun 1996 05:00:34 +0000 (GMT)
From: George Wenzel
Subject: Re: F-Macro (PC)
X-Digest: Volume 9 : Issue 88

Zvi Netiv wrote:

>Try InVircible. IV can install a quick check for the presence of Word
>forced macros in selected directories, right in the autoexec. Available
>from the sites in my signature.

Note that this will NOT detect macro viruses, only the presence of autoopen and autosave macros. While these may indicate that a virus might be present, it might not. IVX (InVircible's macro detector) will false alarm on any non-infected file that contains one of those macros, and it does not detect macro viruses that do not rely on those macros (i.e. DMV). I'd suggest downloading another anti-virus product if F-Macro is giving you problems, or you might want to contact frisk@complex.is to see if he can help.

Regards,
George Wenzel

George Wenzel
Student of Wado Kai Karate
U of A Karate Club
HTTP://www.ualberta.ca/~gwenzel/

------------------------------

Date: Mon, 03 Jun 1996 05:13:35 +0000 (GMT)
From: George Wenzel
Subject: Re: InVircible and Word macro rogueware (PC)
X-Digest: Volume 9 : Issue 88

In article <0021.01I5HNSTRL42UBAMTP@csc.canterbury.ac.nz>, Zvi Netiv wrote:

>Several posts to this group referred to the new Word macro feature in
>InVircible's correlator, IVX. The following is my response to the points
>made by the posters.
>
>First, InVircible does not detect macro viruses but "forced macro" and
>there is a difference. Detecting specific macro viruses and naming them is
>what scanners and dedicated anti Word macro products do. IVX does not
>identify specific macro viruses or Trojans by name, but flags them (or
>not) by the macros they contain.

Granted, but InVircible is an anti-virus product, correct? IVX also flags numerous uninfected files as being suspect. If I was an end-user, and my anti-virus program said a file was suspect, I'd be worried about opening that file. I would go through a lot of grief by having to send it to the AV manufacturer to confirm whether or not the file was infected. Do you see now why a false alarm is a problem?

>Some of the posts referred to IVX "false alarms". May I ask, false alarm
>on what? I could accept the definition if IVX flagged on Microsoft's
>ScanProt template as if it was Nuclear, or Concept. Yet all that it
>indicates is that ScanProt contains an auto executing macro.

No, IVX does not just say that ScanProt contains an autoexecuting macro. It says that the file is 'suspect'. This is EXACTLY what IVX says when it scans a file that really is infected.
There lies the problem - if InVircible is supposed to detect viruses, and IVX is supposed to detect macro malware, how is the end-user supposed to tell if a file is really infected or not? IVX won't give a definitive answer, so the user would have to get another anti-virus product to find out whether the file was really infected. Therein lies the problem with generic solutions - they do not say for sure whether a file is infected or not - they can only say that it is 'suspicious' or 'suspect'. This, in my opinion, is a false alarm if the file is not infected.

>Well,
>ScanProt CONTAINS the AutoOpen macro. :-) Then where exactly is the false
>alarm?

But ScanProt is an uninfected file. Why would it be 'suspect'?

>Responding to users suggestions, the texts in the high / low risk messages
>were changed to "auto macro found" and "potentially risky macro found",
>respectively. The practical aspect is that if you encounter the first one,
>don't take too many chances and clean it with IVX. Unless you KNOW what
>macros the document or template contains (see the ScanProt example,
>above). With the low risk category you can afford peeking into its macros
>with ToolsMacroOrganizer, before you decide whether to remove the macros.

So this means that the user is left to decide for themselves whether the file is really infected? Doesn't sound like a workable solution to me.

>Cleaning forced macros with IVX will erase all macros contained in both
>the high and low risk categories. This should do for the macro malware
>currently in the wild, as well as for the foreseeable future.

Granted, IVX would work well to remove all macros, but there are numerous times when macros (even auto macros) are required.

I think I'll download the new copy of IVX (yet another update, I guess) to take a look and see if the problems with it have really been fixed. I must commend Mr. Netiv for not throwing accusations at the people who criticized IVX.
I also commend him for addressing the issues brought up and trying to fix them.

Regards,
George Wenzel

George Wenzel
Student of Wado Kai Karate
U of A Karate Club
HTTP://www.ualberta.ca/~gwenzel/

------------------------------

Date: Mon, 03 Jun 1996 05:17:56 +0000 (GMT)
From: George Wenzel
Subject: Re: TECHNION VIRUS (PC)
X-Digest: Volume 9 : Issue 88

In article <0018.01I5HNSTRL42UBAMTP@csc.canterbury.ac.nz>, Zvi Netiv wrote:

>1) Before committing your files to disinfection by a scanner, check that
>the disinfection routine works on a couple of samples. You should expect
>that things will get worse with the increased numbers of viruses. There is
>no way to qualify every update on both the detection and removal of the
>thousands of viruses they claim handling.

This is simply false. The quality assurance teams of most anti-virus products work towards minimizing these sorts of things.

>2) Consider switching to generic AV. Integrity based AV isn't virus
>specific and will be as effective when there are 18,000 viruses as when
>there were just 180.

While generic products have their place, I don't think that anything will ever totally replace a good scanner. I like generic products as a backup, just in case the scanner misses something, but I consider scanners to be more effective overall in detecting and removing viruses.

Regards,
George Wenzel

George Wenzel
Student of Wado Kai Karate
U of A Karate Club
HTTP://www.ualberta.ca/~gwenzel/

------------------------------

Date: Mon, 03 Jun 1996 19:37:53 +0000 (GMT)
From: Bruce Burrell
Subject: Re: InVircible and Word macro rogueware (PC)
X-Digest: Volume 9 : Issue 88

Zvi Netiv (netz@actcom.co.il) wrote:

> Several posts to this group referred to the new Word macro feature in
> InVircible's correlator, IVX. The following is my response to the points
> made by the posters.

[snip]

> Note that which macros are contained in the high or low risk categories of
> IVX is based on current experience and on predictions of what rogueware
> authors may do in the future. There is no need to panic as the
> possibilities to exploit these macros are finite, and rogueware authors are
> at a total disadvantage in regard to our response time, compared to the time
> required for malware to spread.

So this means that (a) InVircible is dealing with macro viruses on a probabilistic basis, and (b) IV will need to be updated as the actual threats change. :-(

The first point is similar to what many scanner vendors must do -- work on the most dangerous problems before the "lab" viruses or the localized/low threat assessment ones. The latter, though, would imply that we'll expect to see releases of IV in response to the macro viruses of the future, yes?

[snip]

> Responding to users suggestions, the texts in the high / low risk messages
> were changed to "auto macro found" and "potentially risky macro found",
> respectively. The practical aspect is that if you encounter the first one,
> don't take too many chances and clean it with IVX. Unless you KNOW what
> macros the document or template contains (see the ScanProt example,
> above).

I believe you've missed a possibility here. What if the user has a possibly infected SCANPROT doc?
The user must make a judgement here: either s/he disinfects SCANPROT, which will trash it if it isn't infected, or leaves it alone, in which case the virus will spread if SCANPROT is infected. This relies on the expertise of the user, which is a Bad Thing. May I suggest that, as your time allows, in a future release you let IV do the thinking instead of the possibly naive user? My guess is that the best way to do this would be generic evaluation of the macro code, but there are other alternatives.

> With the low risk category you can afford peeking into its macros
> with ToolsMacroOrganizer, before you decide whether to remove the macros.
>
> Cleaning forced macros with IVX will erase all macros contained in both
> the high and low risk categories. This should do for the macro malware
> currently in the wild, as well as for the foreseeable future.

I'm not a specialist in macro viruses, so perhaps this is a silly question. I'll ask anyway: What happens for the compiled macros? Don't those get missed entirely? Or are they buried in the low risk category?

-BPB

------------------------------

Date: Mon, 03 Jun 1996 19:43:58 +0000 (GMT)
From: WEBERS TOMAS
Subject: Is my WIN95 infected??? (PC)
X-Digest: Volume 9 : Issue 88

I've used TBAV for some time now, but I'm having a problem in Win95... I installed Thunderbyte AntiVirus under the DOS6.22-boot partition of Win95. No problem here... BUT if I scan the Win95-partition it gives me a 'COMMAND.COM', 'IO.SYS' and 'MSDOS.SYS' WARNING (it says it has been changed). I know the COMMAND.COM, etc. are different in Win95 AND DOS6.22, but as it is a Win95 version the system should know the difference between COMMAND.W40 and COMMAND.DOS...

So the main problem is: do I have a virus or NOT????

Hope someone can help me - before I lose my mind! 8-)

Tom.

------------------------------

Date: Mon, 03 Jun 1996 21:01:24 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Jackal.B virus won't go away (PC)
X-Digest: Volume 9 : Issue 88

David Marcil <74653.1276@compuserve.com> writes:

>My father-in-law has a virus called "Jackal.B" and he cleans it up with
>McAfee anti-virus. When he reboots the machine the virus is still
>there. If he does a scan after he cleans the machine the virus is no
>longer detected but once he reboots it shows up again. He cleaned it up
>on other computers and it went away. Is he doing something wrong?

You don't have a virus. You have version 22B of Scan which was withdrawn. Please update your copy by downloading the latest from www.mcafee.com or ftp.mcafee.com.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 03 Jun 96 16:27:04
From: richardb@intecolor.com
Subject: RE: CMOS strategies: BSV prevention (PC)
X-Digest: Volume 9 : Issue 88

On Wed, 22 May 1996, Russell Smith quoth:

> One thing more and more knowledgeable people are spreading the word
>about is the need to protect against BSV (Boot Sector Viruses) by setting
>CMOS values to disable floppy drive seek on boot. This is excellent
>advice

[SNIPPED MIGHTILY]

> So what's a solution besides teaching all users about how to exit CMOS
>gracefully? The best solution is to use the Password feature for CMOS.
>Three unsuccessful tries at the password and then the novice will merrily
>be booting into where he needs to go, without doing any damage to our
>antivirus measures. I recommend this action highly. In a lab or
>workplace setting a single CMOS password known only to several people
>will prevent a lot of grief.

This is A solution, but I do not believe it is the BEST.

From a manufacturer's standpoint - this can cause AS MANY PROBLEMS. If a user accidentally gets into CMOS and is confronted by an Enter Your Password prompt, this will generate phone calls!
We experimented with a manufacturer's default password (MONGO just doesn't really sound that professional, ZEUS is too stuck up) and forced security features and found that we were receiving many more tech support calls. We then tried a TRIVIAL change in the implementation of the BIOS (AMI) so that the BIOS defaults had Boot sequence C: then A:. This is handled in a table in the BIOS and could even be easily incorporated in the field (if you have a Flash BIOS). Now, it's still possible for the hypothetical boneheaded user to get into CMOS, change anything they wanted, and totally screw up the works, but, if they follow the logic in your post, they'll at least get defaults that help them rather than hinder. by $.02 worth. Ein seliger Sprung in die Ewigkeit. ------------------------------ Date: Mon, 03 Jun 1996 16:32:14 -0700 From: CIS Subject: servant virus? Hmmm!!! (PC) X-Digest: Volume 9 : Issue 88 I am using McaFee's anti-virus program to scan my computer, and it is giving me a message saying it found traces of SERVANT virus. But, when I scan my disk drive, there is nothing detected. Wonder why???? Ravi ------------------------------ Date: Tue, 04 Jun 1996 02:40:35 +0300 From: Zvi Netiv Subject: Disaster recovery of compressed volume (PC) X-Digest: Volume 9 : Issue 88 At 08:41 AM 3/6/96 GMT-6, Jim H wrote: > I read your comments in the Virus-L digest, with special interest. I > noted that you said that your product, ResQdisk, would restore > partition tables on trashed drives. That's correct, although I'm afraid it could be too late in your case, yet it's worth giving it a try. > I have a Connor 420 drive which was compressed through Win95's > Drivespace3. This drive was in my system as "D:". > > Late one night, I had a problem. The system agent in WIN95 was > running Scandisk, and it tangled with the McAfee Virus TSR on drive > C:. The end result was I lost over 3.500 files from c:. When I took > the computer to an "expert" to repair c: he did just that. 
> He simply
> formatted c:, which lost my drivespace file for d: from the root of c:

There might still be a chance, provided your "expert", as you correctly
called him, didn't do too thorough a job, i.e. using the /U parameter when
formatting the drive. Yet before proceeding, let me first point out the
many mistakes that were made so that you don't repeat them.

Dynamic compression is the worst solution for gaining storage space. The
right solution is adding a second drive, and then replacing the first one
when out of space, and so on. Apart from a lot of space, dual drives are
also the most cost effective solution for mutually backing up critical
data.

If you still plan on using dynamic compression in the future, then NEVER,
NEVER, NEVER place the compressed volume file on the boot partition, nor
in the same partition with another active non-compressed drive. Always
put a compressed volume in a separate partition, with enough
non-compressed space just for the automatic saving of the CVF header. All
that it takes to kill a compressed volume is just trashing the FAT of the
CVF host, and you can kiss your volume goodbye.

And last, consider whether dubious virus _prevention_ is worth risking
your data. The most dangerous are anti-virus TSRs, activity blockers and
VxDs. As a rule, any program that may intervene and block an ongoing
process is a much bigger threat than what it tries to prevent.

> I have been trying to recover the trashed Connor for about five
> months. Nothing works. I have tried Norton 8.0, Norton for Win95,
> Partition Magic, and others to no avail. I cannot create a partition
> on this disk, as it thinks it has no space available. (It has some
> 800 meg compressed on a 420.) As I cannot create a partition, I
> cannot format the drive. I have already given up on recovering the
> data on that drive.

As said, there is still a slim chance to recover the data, depending on
the extent to which the Norton utilities messed things up.
Partition Magic is all wrong here, it's like attempting CPR on a five
thousand year old mummy.

> Can your ResQdisk repair this problem?

ResQdisk is needed to verify that the boot block (MBR and boot sector)
corresponds to the geometry of the drive. Read the documentation on how to
check these (a quick check with ResQdisk's functions F5, F6, F7 will tell
you if all parameters fit each other; ^F4 and ^F5 will cross-check the
data in the MBR and the boot sector). In case the parameters need
correcting then ResQdisk (registered) can do the job.

Next run UNFORMAT C: /U when booted from external DOS. Win 95 may not let
you proceed and may halt the computer; it's built into Win95 for
protecting the long filenames. Protecting the latter is not your major
concern as things stand.

When done with UNFORMAT, you'll get in the root several directories with
generic names. It's possible that you also see a huge file which is
actually the CVF. If not, then run CHKDSK /F and the CVF should surface
with the name FILE000x.CHK, where x is a number.

Your mistake in using the Norton utilities (probably NDD) is that disk
repair utilities of this type work their way from the FAT and root
upward, while UNFORMAT goes the other way round, assuming that the FAT and
root are void and figuring out directories and files from top to root.

If lucky and the CVF can be surfaced then do this: Go to another machine
that uses DriveSpace and take a look at the name of the CVF (you'll need
a file viewer that can read through System, Hidden and Read Only
attributes). Also, look at the construct of the DriveSpace ini file, it
should be in C:'s root. Prepare a boot floppy on that machine and edit an
ini file to A: accordingly. If the ini file mentions a driver name, then
make sure that the driver is on the boot floppy too. If not, then copy the
driver from that hard disk to the floppy.

Go back to your drive, rename the big file (possibly the CVF) to the
default name and boot from the floppy you just prepared.
You might be lucky and see your D: drive back.

Good luck!

Zvi

--------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
CompuServe: go INVIRCIBLE
ftp.netzcomp.com www.invircible.com
E-mail: netz@actcom.co.il netz@netzcomp.com
Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Mon, 03 Jun 1996 21:16:34 -0500
From: Vincent Tumminello
Subject: Hard disk partition disappeared (PC)
X-Digest: Volume 9 : Issue 88

Last week all of a sudden my computer hung. Had to boot from floppy. Got
in touch with Gateway 2000. Ran fdisk as suggested and there was no hard
disk partition on my c: drive. They said it had to be a virus. Ran both
McAfee and NAV and no viruses were found. Reformatted my hard disk and up
to the present, all is well. Why didn't McAfee or Norton find a virus?
Was it because I reformatted my hard disk??

Vince Tumminello

[Moderator's note: FDISK showing "no partitions", a hardware vendor's
phone diagnosis and I'd only trust my own eyes! In my experience, what
you saw was much more likely not caused by a virus and without further
evidence it was grossly irresponsible of Gateway to suggest it "had to
be". I have seen similar things because part of a WinWord document has
been written over the MBR and beginning of the FAT and no virus in sight.
Most likely, your AV software didn't report any viruses because there
were none present--simple, eh?]

------------------------------

Date: Tue, 04 Jun 1996 15:40:23 +1000
From: Ford_Prefect
Subject: Re: Bios virus?
(PC)
X-Digest: Volume 9 : Issue 88

DarStec wrote:

> In article <0036.01I51JAH6G9ESKZV5A@csc.canterbury.ac.nz>,
> jonvwill@iastate.edu writes:
>
> >stephen.l@ukonline.co.uk wrote:
> >
> >> Today I called in to a computer dealer/repairer to explain my computer
> >> problem to him and see if he could help.
> >>
> >> Problem is - I have a Diamond Stealth graphics card PCI, when I boot up
> >> nothing appears on my screen and it goes into power down mode approx
> >> 8 seconds. I get 1 long and 2 short beeps indicating a video problem.
> >> I took out this board and inserted an ISA graphics board, booted from
> >> the floppy a drive, presto I have a screen display "bios rom checksum
> >> error". I still have no c drive recognition. I've tried all the relevant
> >[rest deleted]
> >
> >Perhaps a dead bios battery is a more likely candidate?
>
> Sounds like your bios got reset.

If that is the case, your checksums would have been reset, your pci
ports MAY have been turned off, and your drive settings would have been
reset.

Solution: enter your bios, checksums will automatically be fixed. Have a
look at your pci settings, make sure they are on, and scan for hard disk
drives. This should work, I think.

Good luck.

------------------------------

Date: Tue, 04 Jun 1996 07:04:48 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Form (PC)
X-Digest: Volume 9 : Issue 88

Bill Lambdin (vfreak@skn.net) wrote:

> "S. Widlake" writes
>
> > Sorry, not true. It is not always safe to SYS a hard drive. It depends
> > on the validity of the partition table and the current contents of the
> > boot sector. The possibility of these being invalid to such an extent
> > that SYS will result in drive corruption, eg. overwritten FATs, may be
> > rare but
>
> SYS does not do anything to the MBR (partition sector), and I clearly
> identified this should only be used on Form, and Boot.437 viruses

Not the point.
*IF* the MBR is hosed in some subtle way, using SYS will make matters
worse, _particularly_ when SYS is run from floppy; the proof of this
assertion is left as an exercise for the reader. What matters is that SYS
knows nothing about viruses, and the method is foolhardy because of this
fact. Yes, it is usually safe. Yes, if everything else is as expected, it
will remove FORM and Boot.437. But what about when something weird is
afoot? At least AV software has a chance; SYS is just going to make
hamburger of the drive.

"Oops. Sorry about that advice, pal. Hope you had a good backup. No, I
won't pay for your data recovery; you wanted a quick solution. You should
have downloaded the AV software like I told you. What? Why did I
recommend the SYS procedure at all if I knew it could go wrong?
Uhhhhhh...."

-BPB

------------------------------

Date: Tue, 04 Jun 1996 08:56:19 +0000 (GMT)
From: mbrunner@aixterm1.urz.uni-heidelberg.de (Matthias Brunner)
Subject: re: InVircible and Word macro rogueware (PC)
X-Digest: Volume 9 : Issue 88

Zvi Netiv seems to have changed his way of discussing. I really welcome
that! Although it was a kind of pleasure to follow the "private battle"
of Zvi, Stefan, Iolo and others, it would be a nice idea to return to the
"important" usual business of the group. Go on! Do the best for the sake
of the suffering "user", against computer viruses!

Thanks again to all taking the time to do their best in answering all the
incoming questions and trying to solve problems!

Best greetings
Matthias

------------------------------

Date: Mon, 03 Jun 1996 15:02:25 +0000 (GMT)
From: Totally Lost
Subject: Re: Macro Viruses - Clear and Present Danger. [long] (MAC,WIN)
X-Digest: Volume 9 : Issue 88

In article <0006.01I5FXU2ASWQUBAT4D@csc.canterbury.ac.nz>, Andrew Lord
wrote:

>At our site some of us use MS Word 2.0, some MS Word 6.0 and others
>both.
>
>We recently upgraded our MS Word 6 to (supposedly) protect against
>Macro viruses

This was a patch from Micro$oft.
The threat is not just Word, but even stronger in other Microsoft Office
products that include Visual Basic, which is more richly featured than
Word Basic .... and includes the ability to access the filesystem and run
other applications. It's not clear that Microsoft has done enough to
remove the threat from Word, and I know of nothing for the other
applications yet. A Microsoft employee has made it clear that this is not
*JUST* an MS problem, but many competitors have similar features in their
office products.

John

---------------------------------------------------
Rocky Mountain Internet Users Group Discussion List - Friday May 24, 1996

To recap, and expand on the Microsoft Office threat discussion, I would
like to condense the last week's rmiug discussion into this document.

Microsoft has been aware of this problem for at least 6 months, and has
done little toward getting safe software into users' hands. The risks have
been played down because the initial attacks have all been harmless.
Netscape and Sun JAVA continue however to get media coverage when the
threat they represent to the internet community is only a very small
fraction of this. The Microsoft Office suite should receive the same
degree of concern as Netscape and JAVA in regard to security issues.
Particularly since the recent Challenge attack has proven able to escape
detection by current scanning software targeted primarily at the Concept
class.

The Microsoft products Access, Excel, Word, and possibly other widely
used Microsoft applications incorporate a richly featured Visual Basic
macro language which allows not only access to the filesystem, but to
directly load, execute, and control other applications on the system.
Macros written in this language can be either embedded in a document or
part of a global macro pool. Microsoft provides a number of predefined
function names for macros to control operations in relation to
particular periods of document use.
These function names include:

  AutoOpen  - a function which, if it exists, is called as the document
              is opened.
  AutoEntry - a function which, if it exists, is called as fields in the
              document are entered.
  AutoClose - a function which, if it exists, is called as the document
              is closed.

There are, depending upon the application, other entry points that exist
as well ... some of which are not well documented, if at all (the
Challenge macro virus proves this point).

Documents which are then emailed as attachments with macros will have
those macros executed transparently and without the knowledge of the
reader as they access the document attachment from Microsoft Mail or
other mail readers which support automatic access to attached documents.

Macros written using these facilities are hardware independent, and may be
activated on any hardware platform the application has been ported to. At
this time this includes PCs under DOS and Windows, Macintosh systems, and
several Unix platforms (Sun?, SCO?) where MS Word has been ported.

These facilities in Microsoft products have all the same security risks
that JAVA and other interpreted executable content WWW browsers have.
However, Microsoft has not carefully restricted the feature set to meet
acceptable security requirements. In fact, the richness of the Visual
Basic environment leaves full access to a system by macro virus writers.
As such, a number of viruses have been written exploiting this facility,
that when combined with email attachments have proven to be highly
effective and prolific.

To date, such macros have been almost harmless and used only a passive
replication scheme based upon targeting NORMAL.DOT (the global macro pool
in Word) and attaching itself to every document created or saved. The
most widely known macro virus of this class is the "Concept" virus.
This virus completely proves the concept of passing macro viruses through
corporate firewalls to infect all machines (PCs, Macs, and Unix systems)
behind that firewall which use Microsoft Word.

Virus scanners exist to detect some forms of this virus class. Other
forms may be either difficult to detect, or impossible to differentiate
from acceptable/normal uses of the features these viruses hide in.

In most cases today, Microsoft Office users do not prescan attachments
before opening them from Mail - nor is this easily done automatically in
the framework of the product in the field today. It is not uncommon for
attached documents to be the primary communication form due to the stark
difference between plain ascii mail and the rich document features
available in Word. It is also not uncommon for attachments to be sent to
global corporate lists such as the following example I received a while
back:

[Names changed to protect original client's identity - John]

| To: *all-hands
| Subject: Memo from Top Dog
| Date: Tue, 27 Jun 95 14:13:00 CDT
| Message-Id: <2FF058AF@MyClient.com>
| Encoding: 5 TEXT, 655 UUENCODE
| X-Mailer: Microsoft Mail V3.0
| X-Ms-Attachment: JULLTR1.DOC 29184 06-27-1995 14:10
|
|
| The attached memo is from Top Dog.
|
| [[ JULLTR1.DOC : 3654 in JULLTR1.DOC ]]
|
| The following binary file has been uuencoded to ensure successful
| transmission. Use UUDECODE to extract.
|
| begin 600 JULLTR1.DOC

The sender of such documents, if infected with a virus, will transmit
the virus to the entire company with little concern by the recipients
about checking it for a virus - a trusted source after all. Add the
internet to the equation and we have an explosive brew that marches
right through all security firewalls.

Now let's examine how this security nightmare can be used. First the
biggest and worst nightmare of all.
A macro virus which aggressively replicates by extracting a list from the
recipient's address books and archived email folders and sending an
infected attachment to everyone on the list. To improve the likelihood
the new recipient will open and read it, while reducing the chances of
immediate detection, the subject and content are taken from incoming
mail and the mail archive and hidden in the attachments as an updated
version of the documents. The incoming message that started the attack is
deleted to cover up tracks, a TSR is left in the system to erase all
accessible local and network files in a few minutes. A memory parity
error, or something random and similar, is left on the screen as the
system crashes to hide the real cause.

If initially seeded at the close of the European work day, and in the
morning in the US, using every available public list - there is a high
probability that a large number of people will read the mail as it
arrives, activating the attachment virus and infecting most if not all
users at their site in the process when that mail is read a few minutes
later. This strategy has a strong chance of infecting most MS sites
(which is nearly everybody) within a few hours and trashing all the
systems ... in its wake will be a huge internet wide email flood as the
virus replicates out of control for several cycles until the cause is
identified and filters are introduced world wide to suppress it. This
might take several days if several variants are introduced at the same
time. Meanwhile several tens of millions of man hours are lost reloading
machines that got wiped, and hundreds of millions more spent recovering
data that was not backed up.

On a lighter side, the attack can be used to do almost anything
interesting an attacker wishes to systems behind a corporate firewall.
From retrieving files to manipulating data or applications on that site.
This might include starting up a local shell with the other end
terminated at the end of an http/SSL link for full access to the target's
security domain. This might include creating phony orders or payments,
installing a virus or trojan horse in the product of the target company,
to creating the appearance of fraud by the target as revenge ... with no
tracks left behind as the virus deletes itself after each attack.

This attack need not be initiated from outside the firewall ... it could
be done as an inside job with little to no tracks left behind. It can
also be done as a shareware based attack without email.

In the short term, the use of all attachments must be outlawed inside
corporate America and in government circles until Microsoft and other
application vendors are forced to redesign their macro features with
security in mind, with at least the same restrictions as the JAVA design.
Scanners are not likely to be useful on current products. Firewalls
should filter attachments out of incoming email. Great pressure should be
placed on Microsoft to provide this updated secure version as a free
upgrade for existing customers.

In the long term, we need an effective risk assessment body independent
of manufacturers to prevent risks this large from facing our society and
the world again -- CERT has been a total failure in this regard, as are
several lesser known bodies.

John Bass

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 88]
*****************************************
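Editor's added example, not code from the digest or from John Bass: the gateway-side filter his post calls for ("Firewalls should filter attachments out of incoming email"), written for the Microsoft Mail message shape quoted in his post, where the attachment arrives as a uuencoded block. It decodes each begin/end block, quarantines anything that can carry Word macros, identified both by the .DOC/.DOT extension and by the OLE2 compound-document signature (D0 CF 11 E0 A1 B1 1A E1, the container format of Word 6/95 documents), so a renamed .DOC does not slip through, records a SHA-256 of what it removed, and rewrites the body with a notice. Everything beyond the quoted message and the OLE2 signature is an assumption of this example: the function names (uuencode, extract_uuencoded, classify, filter_message), the 48-byte stand-in "document" FAKE_DOC (only its first eight bytes are real), the constructed SAMPLE_MESSAGE, and the quarantine policy itself. It identifies macro-capable containers; it does not parse the macros inside them, which is the scanner's job.

```python
"""Strip macro-capable attachments out of uuencoded Microsoft Mail messages.

Added example for the VIRUS-L macro-virus discussion; not code from the digest.
Assumes attachments travel as uuencoded begin/end blocks (as in the quoted
*all-hands memo) and treats Word documents/templates, and any OLE2 compound
file regardless of its name, as possible macro carriers.
"""
import binascii
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Signature of a Microsoft OLE2 compound document (Word 6/95 .DOC among others).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions under which a Word macro pool (document or template) travels.
MACRO_CARRIER_EXTS = (".doc", ".dot")

# Constructed stand-in for a Word document: only the 8-byte signature is real.
FAKE_DOC = OLE2_MAGIC + b"\x00" * 40


@dataclass
class Attachment:
    name: str
    mode: int
    data: bytes


def uuencode(name: str, data: bytes, mode: int = 0o600) -> str:
    """Produce a 'begin <mode> <name>' ... 'end' block (used to build the sample)."""
    lines = [f"begin {mode:03o} {name}"]
    for off in range(0, len(data), 45):  # uuencode packs at most 45 bytes per line
        lines.append(binascii.b2a_uu(data[off:off + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]  # '`' is the conventional zero-length line before 'end'
    return "\n".join(lines)


def extract_uuencoded(body: str) -> List[Attachment]:
    """Decode every uuencoded block found in a message body."""
    found, lines, i = [], body.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^begin (\d{3}) (.+)$", lines[i])
        if not m:
            i += 1
            continue
        mode, name, chunks = int(m.group(1), 8), m.group(2).strip(), []
        i += 1
        while i < len(lines) and lines[i] != "end":
            line = lines[i]
            i += 1
            # a2b_uu("") yields 32 NUL bytes, so blank and '`' lines must be skipped.
            if line.strip() in ("", "`"):
                continue
            chunks.append(binascii.a2b_uu(line))
        i += 1  # step over the 'end' line
        found.append(Attachment(name, mode, b"".join(chunks)))
    return found


def classify(att: Attachment) -> str:
    """'quarantine' for anything that can carry Word macros, otherwise 'allow'.

    Both the extension and the container signature are checked, so renaming
    MEMO.DOC to MEMO.TXT does not get it past the gateway.
    """
    if att.name.lower().endswith(MACRO_CARRIER_EXTS) or att.data.startswith(OLE2_MAGIC):
        return "quarantine"
    return "allow"


_BLOCK_RE = re.compile(r"^begin \d{3} (.+)\n(?:.*\n)*?end$", re.MULTILINE)


def filter_message(raw: str) -> Dict[str, object]:
    """Decide per attachment and rewrite the body with quarantined blocks removed."""
    headers, _, body = raw.partition("\n\n")
    report = {}
    for att in extract_uuencoded(body):
        report[att.name] = {
            "verdict": classify(att),
            "size": len(att.data),
            "sha256": hashlib.sha256(att.data).hexdigest(),  # for the quarantine log
        }

    def replace(m):
        name = m.group(1).strip()
        if report.get(name, {}).get("verdict") == "quarantine":
            return f"[attachment {name} removed by mail gateway: possible macro carrier]"
        return m.group(0)

    return {"headers": headers, "body": _BLOCK_RE.sub(replace, body), "attachments": report}


# Constructed sample in the shape of the quoted *all-hands memo (not a real message).
SAMPLE_MESSAGE = "\n".join([
    "To: *all-hands",
    "Subject: Memo from Top Dog",
    "X-Mailer: Microsoft Mail V3.0",
    f"X-Ms-Attachment: JULLTR1.DOC {len(FAKE_DOC)} 06-27-1995 14:10",
    "",
    "The attached memo is from Top Dog.",
    "",
    uuencode("JULLTR1.DOC", FAKE_DOC),
    "",
    uuencode("README.TXT", b"Plain text travels through untouched.\n"),
    "",
])

if __name__ == "__main__":
    result = filter_message(SAMPLE_MESSAGE)
    for name, info in result["attachments"].items():
        print(f"{name}: {info['verdict']} ({info['size']} bytes, sha256 {info['sha256'][:16]}...)")
    print(result["body"])
```

Run stand-alone it reports JULLTR1.DOC as quarantined and README.TXT as allowed, and prints the rewritten body. The signature check is the part worth keeping even once a real scanner sits behind the gateway: an extension-only rule is defeated by renaming, and a uuencoded block carries no content type the gateway can trust.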