VIRUS-L Digest   Thursday, 6 Jun 1996   Volume 9 : Issue 90

Today's Topics:

Re: Question about Windows suspicious behavior
Re: Macro Viruses (Concept etc.)
Help cracking MS Word password??(WIN95)
Re: Hard disk partition disappeared (PC)
Re: Were_wolf.1500 (PC)
Re: Is my WIN95 infected??? (PC)
Re: New Virus ? Help please. (PC)
Thanks for your help (was: Re: Strange file Z!Z!Z!Z!.Z!Z) (PC)
Re: Volume Label Virus (PC)
Re: F-Macro (PC)
Re: F-Macro (PC)
virus prompt for Master Key? (PC)
Re: Hard disk partition disappeared (PC)
Re: Volume Label Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 04 Jun 1996 09:40:58 -0400 (EDT)
From: "Kevin R. DuPre'"
Subject: Re: Question about Windows suspicious behavior
X-Digest: Volume 9 : Issue 90

Background: Mikko Hypponen of www.datafellows.com, the support group for F-PROT, wrote to me concerning my initial post, saying it suggested that Datafellows was unresponsive in their support.

In my messages to the virus-l discussion group, I did not mean to give the impression that DataFellows was unresponsive, but that apparently if it was a virus it was not known about, as several of the virus detectors turned up nothing. I am sorry if you interpreted my mail as purporting your organization as unresponsive. When I originally sent mail to Kristiina, she replied the next day assuring me that it would be forwarded to the appropriate member of your organization. I took "no response" as "this thing is unknown".

We have since discovered that a bridged DECnet protocol coming from somewhere else in our hospital has created a condition that eventually crashes the Frontier Technologies network multiplexer driver that runs at the media layer directing ethernet frames based on protocol type. Blocking DECnet family protocol types from the subnet seemed to have rectified the problem. We thought it a virus because at first it seemed to exhibit virus-like behavior and coincidentally began on a group of machines spread across two buildings and connected by an enterprise network.

Sorry for the confusion I may have caused by mentioning that I got no reply from your organization concerning this "virus-like" behavior.

- ---------------------------------------------------------------------
Kevin R. DuPre'
Internet: dupre@bjc.hfh.edu
Personal Internet: dupre@wwnet.com
Whois: KRD2

------------------------------

Date: Wed, 05 Jun 1996 14:15 +0000 (GMT)
From: CLAYTON E RUTH
Subject: Re: Macro Viruses (Concept etc.)
X-Digest: Volume 9 : Issue 90

MoonDogg Shredder wrote:

>> My primary problem with Word Macro viruses is getting them out of
>> cc:Mail file attachments. I look forward to the day (hopefully soon?)
>> when one of the many AV developers out there comes up with something
>> that will intercept them and clean them up as they pass from cc:Mail to
>> Word when the user double-clicks the attachment.
>
>I may be missing the point here, but I think what you are talking
>about is already possible. We use Notes, Word, and NAV. With NAV set
>to scan files upon opening, it will detect infected Word docs when
>attaching to or detaching/launching from Notes.

That's detection, not clean-up. The best solution appears to be Integralis' MIMEsweeper, used in conjunction with F-MACRO or other suitable removal tool, to get rid of the macro viruses upon their arrival via the Net.

Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
http://www.slchicago.com
Clayton.E.Ruth@SLChicago.Infonet.com

------------------------------

Date: Wed, 05 Jun 1996 10:08:44 -0500 (EST)
From: Christopher Duro
Subject: Help cracking MS Word password??(WIN95)
X-Digest: Volume 9 : Issue 90

help! i'm an avid reader of this newsletter, but never thought i'd need to post to it... i forgot the password to the only password-protected Word 7.0 doc I've ever bothered to protect. I know, stupid stupid... what application might help me break into my own document? i know this isn't strictly virus-related, but i'm desperate for help and would love to hear from anyone who's had to try to do this before.

chris duro
cduro@softkey.com

------------------------------

Date: Wed, 05 Jun 1996 14:10:44 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Hard disk partition disappeared (PC)
X-Digest: Volume 9 : Issue 90

Vincent Tumminello wrote:

> Last week all of a sudden my computer hung. Had to boot from floppy.
> Got in touch with Gateway 2000. Ran fdisk as suggested and there was no
> hard disk partition on my c:drive. They said it had to be a virus. Ran
> both Mcafee and NAV and no viruses were found. Re formatted my hard disk
> and up to the present, all is well. Why didn't Mcafee or Norton find a
> virus? Was it because I reformatted my hard disk??

Atypical to virus doing and very unprofessional advice. ResQdisk could recover your drive and data. Make an IV rescue diskette, you'll be able to recover from such in a minute.

> [Moderator's note: FDISK showing "no partitions", a hardware vendor's
> phone diagnosis and I'd only trust my own eyes! In my experience, what
> you saw was much more likely not caused by a virus and without further
> evidence it was grossly irresponsible of Gateway to suggest it "had to
> be". I have seen similar things because part of a WinWord document has
> been written over the MBR and beginning of the FAT and no virus in sight. ]

Incidents of spurious writing to system areas are common. From about a hundred incidents in which the disk and data were recovered, we found a pattern that could explain a possible cause.

About 5% were the result of an "unsuccessful" boot infection. A "successful" boot infection is one that either will let the hard disk self-boot or that can be removed with an antivirus product. These aren't included in our statistics. An unsuccessful one is where access to the drive was lost and recovery by disinfection was impossible. In the 95% of the cases left, no virus was involved.

From the 95% left, most incidents occurred when Windows crashed, few under DOS or in a spawn shell, with no tendency of a particular application to crash more than others. If there is a pattern here then installing software under Windows is scoring the highest in our statistics.

The interesting part is the role of AV. In 80% of the cases, antivirus TSR/VxD was running on the machines at the time they crashed. Only about 15% or less of the surveyed computers population use any form of antivirus TSR or VxD. Therefore, AV TSR / VxD contribute in increasing the chances of such incident to occur.
Other factors are bad or poorly designed software and sheer statistics.

The explanation why AV TSR increases the probability of this kind of incident is in the way they manipulate BIOS interrupt 13h. AV programs use hardware and OS specific low level instructions. It is quite common for AV to make use of undocumented (and dangerous) functions. Whoever is familiar with (and thankful for, like I am) Ralf Brown's lists knows what I am talking about.

The results? You can read about them in issue 88 of Virus-L (5 June 1996), how 800 meg of valuable data were lost because of an AV TSR hanging while running Win 95's ScanDisk, with no virus in sight. Unfortunately this isn't an isolated case.

As far as on-access / on-execution virus prevention is concerned, the cure is more dangerous than the disease itself. It is also redundant, especially so since there is a better and safer alternative.

Regards, Zvi

PS. Forgot to mention: Cats have four legs and one tail. Ducking out. :-)

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
CompuServe: go INVIRCIBLE
ftp.netzcomp.com
www.invircible.com
E-mail: netz@actcom.co.il netz@netzcomp.com
Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Wed, 05 Jun 1996 14:11:00 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Were_wolf.1500 (PC)
X-Digest: Volume 9 : Issue 90

Antonio Stano wrote:

> Guys i got Were_wolf.1500 virus..found only with f-prot 2.23 ..how can i
> clean it??

The latter versions of Dr. Solomon (7.59 and 7.60) remove WereWolf (checked!). I suppose F-Prot will remove it too in their next version, if you have the patience to wait.

The name of the virus is Wulf.1500, WereWolf is the writer alias and to this date he released seven viruses, some are in the wild.
Wulf first appeared in France in February but spread rapidly, since at the beginning of April it already paralyzed an international company's HQ for four days (a few hundred PCs and servers).

If you had InVircible installed then you could remove WereWolf right away before it even got a name. After cleaning your files, it could be worth installing IV. Except restoring rapidly from virus infections it provides a few additional security features like auditing, integrity monitoring and recovery, a comprehensive rescue system and hard disk recovery.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
CompuServe: go INVIRCIBLE
ftp.netzcomp.com
www.invircible.com
E-mail: netz@actcom.co.il netz@netzcomp.com
Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Wed, 05 Jun 1996 14:10:51 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Is my WIN95 infected??? (PC)
X-Digest: Volume 9 : Issue 90

WEBERS TOMAS wrote:

> I've used TBAV for some time now, but I'm having a problem in Win95...
> I installed Thunderbyte AntiVirus under the DOS6.22-boot partition of
> Win95. No problem here...
>
> BUT if I scan the Win95-partition it gives me an 'COMMAND.COM' 'IO.SYS'
> and 'MSDOS.SYS' WARNING. (it says it has been changed).
> I know the COMMAND.COM, etc are different in Win95 AND DOS6.22, but as it
> is a win95 version the system should know the difference between
> COMMAND.W40 and COMMAND.DOS...

I suppose you think that Win 95 uses command.w40. :-) Wrong. The file names are swapped when switching from Win 95 to DOS and vice versa. See below.

> So the main problem is: do I have a virus or NOT????

Relax, there is no virus,

> Hope someone can help me - before I lose my mind! 8-)

The following files are SWAPPED when switching from Win95 to previous DOS and vice versa:

CONFIG.SYS
AUTOEXEC.BAT
IO.SYS
MSDOS.SYS
COMMAND.COM

When under Win95 then the other files are renamed to *.DOS, and when in DOS then the Win95 files are named *.W40. What you are seeing is Tbscan "remembering" the other files' anti-vir.dat signatures.

TBAV 7 could have solved this problem, I am not sure as I prefer our own product, obviously. :-) With the older version of TBAV you could update the database by running Tbsetup.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
CompuServe: go INVIRCIBLE
ftp.netzcomp.com
www.invircible.com
E-mail: netz@actcom.co.il netz@netzcomp.com
Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Wed, 05 Jun 1996 14:11:07 +0000 (GMT)
From: Zvi Netiv
Subject: Re: New Virus ? Help please. (PC)
X-Digest: Volume 9 : Issue 90

Frank Bucher wrote:

> I got a problem on one of our PCs, and think it might be a new virus,
> though neither the McAfee nor the F-Prot antivirus programs found any
> hints of a virus.
>
> This is what happens:
> The first problem occurs when Windows crashed. It is a quite normal
> thing, but after a cold boot, Win came up with the message that the
> 386spart.par is defect. OK, I erased it and built a new one. But every
> time I started up Windows, the same message appeared. After a few hours
> of work, I realized that my .com files were longer than they should be!
> Also the attributes of the infected files were changed.
>
> Every .com file I once started had 7679 bytes more than before the start.
> Most COM files wouldn't work afterwards. I thought about a virus,
> and booted the PC with a floppy, to let a scanner do its work.
>
> But after I booted from floppy disk, there was no hard disk anymore.
> I decided to save my data from the disk and rebuild the disk completely.
> So after the backup I booted from a clean disk, ran fdisk (/mbr first)
> and formatted the partitions. After I had almost everything newly installed
> on the PC the same things happened again. Maybe I copied an infected file
> back on the system, but I thought I deleted every file that could
> distribute a virus.
>
> This time I tried to get rid of the problem by deleting the infected
> files, rebuilding the partitions, deleting the system from the disk and restoring
> everything from clean disks.
>
> But it doesn't work. The things occur again, but no viruses were found!

This looks like a virus doing indeed. If you wish we can rapidly analyze its characteristics and suggest how to handle the problem. Just zip a few infected files (those that are longer than they were originally) and attach to e-mail to my address.

In the meantime, here is how to rapidly handle the problem:

Download InVircible from: ftp.netzcomp.com/private/netz/invir-en.zip

From a clean boot, install InVircible to the affected drive. Identify an infected file (increased in size), start IVX, the statistical correlator of InVircible, and use the infected file as the sample to which to correlate. IVX will identify all the files that are already infected. Read the on-line documentation (run IVX /?) to learn how to use IVX effectively.

It could be worth running IVTEST after having installed IV and booted from the infected drive. There is a chance that it will capture the virus and create a VIRUSAM.PLE. If it does, then copy the sample to the IV floppy. It could be handy in searching the origin of the virus on your floppies, server, or wherever.

Replace the files identified by IVX from backup and scan once more (with IVX) to be sure you didn't reintroduce an infected file.
I suppose you didn't have IV installed before, as if you did, then you could restore your files right away and use IVX for just finding the culprit that introduced the infection to your computer.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
CompuServe: go INVIRCIBLE
ftp.netzcomp.com
www.invircible.com
E-mail: netz@actcom.co.il netz@netzcomp.com
Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Wed, 05 Jun 1996 09:33:08 -0500 (CDT)
From: Otis Perry
Subject: Thanks for your help (was: Re: Strange file Z!Z!Z!Z!.Z!Z) (PC)
X-Digest: Volume 9 : Issue 90

I want to thank everyone from the list who gave me suggestions on this file. Unfortunately nothing worked on it, and I had to format the hard drive to get rid of it.

In case you missed the original message, the above named file was in the template subdirectory of the Winword directory. It was 2048 bytes in size and had an edit date of 12/28/96. The read only attribute was set and could not be removed. I found it when Word for Windows began to not be able to save files. Any command, such as copy, delete, rename, move etc..., resulted in the error message file not found. It looks as though the file could be seen by the computer when the dir command was given, but could not be seen by the computer when a command was directed at it. I even tried XERASE, a program that is supposed to be able to erase any file. Nothing worked.

I deleted and reinstalled Word for Windows. When the newly installed version began to have problems saving files I decided to format the hard drive to get rid of it.

If anyone else ever encounters a file like this maybe they will have better luck than I did. Thanks.
Perry Otis
Chief, Automated Systems Section
Air University Library
**********************************************
Opinions expressed here are my own
**********************************************

------------------------------

Date: Wed, 05 Jun 1996 18:44:59 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Volume Label Virus (PC)
X-Digest: Volume 9 : Issue 90

Mjflan writes:

>One of our (Fortune 100) manufacturing plants in Houston has encountered a
>so-called Label Virus that places a letter "A" in the volume label of a
>hard disk or floppy. Dr. Alan Solomon says it is not a virus but rather a
>case of Windows 95 using long filenames on a disk that has been reverted
>back to Win 3.1 or 3.11. Does anyone know anything about this problem?
>It supposedly gives a "Sector not found" message. I did find one
>paragraph (in Russian) out on the 'Net, but I'd appreciate any feedback.

Dr. Solomon is correct. Please read the Windows 95 section of my paper on what is NOT a virus.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 05 Jun 1996 22:09:11 +0300
From: "Mikko H. Hypponen"
Subject: Re: F-Macro (PC)
X-Digest: Volume 9 : Issue 90

Michael Kessler (mkessler@ceres.SFSU.EDU) wrote:

> I just downloaded the latest version of F-Prot which contains the
> F-Macro program that eliminates Word macro viruses. I have a problem
> with it: When I try to scan a disk, it will freeze on one file or
> another

Please get the latest release from our ftp site:

ftp://ftp.europe.datafellows.com/pub/f-prot/tools

F-MACRO has already been updated several times since the version 1.08 was released with F-PROT 2.23 - for example, it now detects and disinfects the WordMacro/Date virus which is in the wild in Italy and can generate a report file. Newer versions also correct bugs which caused F-MACRO to hang when it encountered DOC files which were internally corrupted in a specific way.
George Wenzel (gwenzel@gpu.srv.ualberta.ca) wrote on the same subject:

> you might want to contact frisk@complex.is to see if he can help.

Please direct any queries on F-MACRO to Data Fellows' support at F-PROT-Support@datafellows.com. F-MACRO is developed here. In any case, support issues on the shareware version of F-PROT should not be sent personally to Fridrik Skulason; use the support address f-prot@complex.is instead (and you'll probably get an answer sooner).

- -
Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com
Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Wed, 05 Jun 1996 14:05 +0000 (GMT)
From: CLAYTON E RUTH
Subject: Re: F-Macro (PC)
X-Digest: Volume 9 : Issue 90

Michael Kessler wrote:

>I just downloaded the latest version of F-Prot which contains the
>F-Macro program that eliminates Word macro viruses. I have a problem
>with it: When I try to scan a disk, it will freeze on one file or
>another, and then the station must be rebooted. If I eliminate the
>file it freezes on, it will find another. The problem is that I
>would like to use it as an occasional automatic scanner on networked
>stations, and I would not like to receive puzzled and angry phone calls
>about frozen stations. Does anyone else have similar problems? Any
>solutions? Thanks.

I had the same problem when I used the /COMPRESS option. Since discontinuing use of that option I haven't seen it hang again. I use /DISINF /AUTO to get rid of the unwanted macros; if the document is subsequently opened and re-saved in Word, Word takes care of the compression for you. That's my work-around for now, but I'll be glad when the bug is fixed.
Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
http://www.slchicago.com
Clayton.E.Ruth@SLChicago.Infonet.com

------------------------------

Date: Wed, 05 Jun 1996 19:00:59 +0000 (GMT)
From: Iolo Davidson
Subject: virus prompt for Master Key? (PC)
X-Digest: Volume 9 : Issue 90

In article <0017.01I5KH2RENKGUBAT4D@csc.canterbury.ac.nz> falstaff@netcom.com "anthony m. vervoort" writes:

> I am having a problem with one of my systems, and since I can not find
> anything else that might be causing it, I thought I'd ask and see if it
> was a known virus.
>
> The problem is that when the machine is turned on, or rebooted after being
> on for a while, after going through the normal video bios, CMOS check, and
> SCSI controller initialization, at the point when it would normally say
> "Starting MS-DOS..." the screen clears and the prompt "Master Key: "
> appears in the upper left hand corner of the screen.

The other thing that might be causing this is an access control package. I don't recognise the prompt as belonging to a particular package, but it certainly appears at the point that the boot-up protection feature for such a package would normally ask for a password.

> No input is displayed when I try to type something,

Not suspicious in itself. Feedback at such times is often considered deleterious to security. Some systems don't even show a prompt for the password.

> and I have not found any key to satisfy it.

Well, you wouldn't, unless you guessed the password.

> I have tried using F8 and the shift keys to bypass
> sourcing the config.sys and autoexec.bat, and neither works

Wouldn't do.

> Booting from a floppy allows it to boot normally to the A:
> drive, but will not allow me to access the hard drives

Any good access control package will do this, some can actually stop you booting from a floppy!
> If this is a known virus, suggestions on how to remove it and salvage the
> data on the drive would be most appreciated. If not, any suggestions on
> how to make this Master Key prompt go away will do, as I have exhausted my
> own.

Investigate what software others have installed lately.

> I think I can restore the system by repartitioning and reformatting
> the hard drive, but I'd like to save the data on it if possible.

With care. Some access control packages also encrypt files. You are unlikely to get the data back if that is the case, and you brute force your way in.

- -
THE CHICK HE WED
LET OUT A WHOOP
FELT HIS CHIN AND
FLEW THE COOP
                Burma-Shave

------------------------------

Date: Wed, 05 Jun 1996 01:05:45 +0000 (GMT)
From: Harry Healer
Subject: Re: Hard disk partition disappeared (PC)
X-Digest: Volume 9 : Issue 90

On 4 Jun 1996 12:55:10 -0000, Vincent Tumminello wrote:

>Last week all of a sudden my computer hung. Had to boot from floppy.
>Got in touch with Gateway 2000. Ran fdisk as suggested and there was no
>hard disk partition on my c:drive. They said it had to be a virus. Ran
>both Mcafee and NAV and no viruses were found. Re formatted my hard disk
>and up to the present, all is well. Why didn't Mcafee or Norton find a
>virus? Was it because I reformatted my hard disk??

I had a similar experience a few days ago: after turning on the computer, it wouldn't boot on the hard disk. After some research, I found out that a file was missing or destroyed, I think it was called VFAT. I ran virus scanners, but didn't find anything. I had to make a new partition table, and format the disk. Does anybody have any idea what happened???
Ken (Harry Healer)
Home page http://www.win.net/mia/ks/
alt.teens FAQ http://www.win.net/mia/ks/teens

------------------------------

Date: Wed, 05 Jun 1996 22:24:16 -0400
From: JackClarks
Subject: Re: Volume Label Virus (PC)
X-Digest: Volume 9 : Issue 90

>>>One of our (Fortune 100) manufacturing plants in Houston has encountered a
so-called Label Virus that places a letter "A" in the volume label of a
hard disk or floppy. Dr. Alan Solomon says it is not a virus but rather a
case of Windows 95 using long filenames on a disk that has been reverted
back to Win 3.1 or 3.11. Does anyone know anything about this problem?
It supposedly gives a "Sector not found" message. I did find one
paragraph (in Russian) out on the 'Net, but I'd appreciate any feedback. <<<

It's not a virus, just Windows 95. Here's a quick way to prove the point: on a Windows 95 machine create a file that has a long file name on a DOS 6.22 or earlier diskette, ensure that the diskette does not contain a label, now take a look at the diskette in a pre-95 machine, da da, there's the volume label.

Here's a quick explanation of why: Windows 95 uses volume labels in its mechanism for creating long filenames, one for each file created. Now, if you create a LFN on a diskette, or hard drive for that matter, that does not contain a volume label, the one created by Win 95 is picked by DOS and used as 'THE' volume label.

Hope this helps

Jack Clark
cal Specialist
E:mail Jack.Clark@uk.drsolomon.com
CIS: 74777,2333
AOL: JackClarks
US tel (617) 273 7400
UK tel +44 1296 318700
Http://www.drsolomon.com
CIS: GO DRSOLOMON
AOL: VIRUS

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 90]
*****************************************
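Jack Clark's explanation of the "Label Virus" above, worked through in code as an added example (not from the digest or from any vendor's product). A VFAT long-name entry carries attribute byte 0x0F, which includes the volume-label bit, and its first byte is the sequence number; for a name that fits in one entry that is 0x41, the letter "A". A label lookup that tests only the volume bit (modelled here as the pre-Windows 95 rule) returns the LFN entry when no real label precedes it, while an LFN-aware lookup skips it. All directory contents, file names and the label are constructed.

```python
ENTRY_SIZE = 32
ATTR_VOLUME_ID = 0x08
ATTR_LFN = 0x0F   # READ_ONLY | HIDDEN | SYSTEM | VOLUME_ID marks a VFAT long-name entry
LFN_LAST = 0x40   # set on the last (highest-numbered) long-name entry of a chain


def lfn_checksum(short_name: bytes) -> int:
    """Checksum of the 11-byte 8.3 alias, stored in every LFN entry of its chain."""
    s = 0
    for b in short_name:
        s = ((((s & 1) << 7) | (s >> 1)) + b) & 0xFF
    return s


def short_entry(name83: bytes, attr: int) -> bytes:
    """Classic 32-byte entry: 11-byte name, attribute byte, then timestamps,
    cluster and size, all left zero in this constructed data."""
    assert len(name83) == 11
    return name83 + bytes([attr]) + bytes(20)


def lfn_entry(long_name: str, short_name: bytes) -> bytes:
    """One VFAT long-name entry holding up to 13 UTF-16 characters. Its first
    byte is the sequence number ORed with LFN_LAST: 0x01 | 0x40 == 0x41 == 'A'."""
    assert len(long_name) <= 13
    chars = long_name if len(long_name) == 13 else long_name + "\x00"
    chars += "\uffff" * (13 - len(chars))        # unused slots are 0xFFFF
    u = chars.encode("utf-16-le")                 # 26 bytes
    return (bytes([0x01 | LFN_LAST]) + u[0:10]    # sequence byte, chars 1-5
            + bytes([ATTR_LFN, 0x00, lfn_checksum(short_name)])
            + u[10:22]                            # chars 6-11
            + b"\x00\x00"                         # first cluster, always 0
            + u[22:26])                           # chars 12-13


def _entries(directory: bytes):
    for off in range(0, len(directory), ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == 0x00:      # no further entries
            return
        if e[0] == 0xE5:      # deleted entry
            continue
        yield e


def dos_volume_label(directory: bytes):
    """Pre-Windows 95 rule: the first entry with the VOLUME_ID bit is the label."""
    for e in _entries(directory):
        if e[11] & ATTR_VOLUME_ID:
            return e[0:11].decode("latin-1")
    return None


def vfat_volume_label(directory: bytes):
    """LFN-aware rule: an entry with all four low attribute bits set is not a label."""
    for e in _entries(directory):
        if e[11] == ATTR_LFN:
            continue
        if e[11] & ATTR_VOLUME_ID:
            return e[0:11].decode("latin-1")
    return None


# Constructed root directories (not taken from any real diskette).
ALIAS = b"QUARTE~1DOC"
UNLABELLED = (short_entry(b"README  TXT", 0x20)
              + lfn_entry("quarterly.doc", ALIAS)
              + short_entry(ALIAS, 0x20)
              + bytes(ENTRY_SIZE))
LABELLED = short_entry(b"DATA       ", ATTR_VOLUME_ID) + UNLABELLED

if __name__ == "__main__":
    print(repr(dos_volume_label(UNLABELLED)))   # 'Aq\x00u\x00a\x00r\x00t\x00'
    print(vfat_volume_label(UNLABELLED))        # None
    print(dos_volume_label(LABELLED))           # DATA
```

The "A" followed by every other character of the long name is what the old DOS shows as the label; with a real label present, both lookups agree.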