VIRUS-L Digest   Saturday, 22 Jun 1996    Volume 9 : Issue 99

Today's Topics:

Moderator on vacation (ADMIN)
Re: Scanning incoming mail
Re: Viruses, encryption and scanners (was: Re: Scanning incoming mail)
AV guys misnaming viruses
Re: Word Macro Virus on a large LAN
Re: Hype, Fiction or Reality
Re: Scanning incoming mail
Re: Word Macro Virus on a large LAN
Virus in plain text files (was Re: Scanning incoming mail)
Re: Scanning incoming mail
Re: VDOC macro virus?
Re: Word Macro Virus on a large LAN
Re: Viruses, encryption and scanners (was: Re: Scanning incoming mail)
Re: Hype, Fiction or Reality
Re: Viruses, encryption and scanners (was: Re: Scanning incoming mail)
Re: Anti-Virus program for Solaris (UNIX)
Re: Virus playing music on NTAS??? (NT)
Re: OS/2 antivirus software (OS/2)
Re: Virus detection in boot manager (OS/2)
Re: Files on hard drive = 600Mb - used = 800Mb (WIN95)
Re: DDE problem while installing Dr. Solomon's AVTK (WIN95)
Wandering mouse cursor--virus? (WIN95)
Re: How good is McAfee's V-Shield? (WIN95)
Help disinfecting Tentacle (WIN95)
Windows Virus (WIN)
Re: Getting a unique BIOS ID (PC)
Help - ANTICMOS A virus (PC)
Re: Anyone heard of "VCL_Messiah_ Virus" (PC)
Untouchable (PC)
re: Getting a unique BIOS ID (PC)
Re: Program execution problems--virus?? (PC)
Re: Boot-437 Help (PC)
Sporadic hangs\lock ups--virus ?!? ... (PC)
Re: Getting a unique BIOS ID (PC)
Re: StealthC and StealthB (PC)
Re: IVP variant??? (PC)
Generic detection (PC)
Help: The bad sectors in my NEC HD are growing! (PC)
Re: Anyone heard of "VCL_Messiah_ Virus" (PC)
Re: Help disinfecting HLLO.RUW (PC)
Re: New virus?? Please help... (PC)
Re: HELP!? virus found (PC)
Re: Hard disk partition disappeared (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc.
(The complete set of posting guidelines is available by FTP on
CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign
submissions with your real name; anonymous postings will not be
accepted. Information on accessing anti-virus, documentation, and
back-issue archives is distributed periodically on the list. A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is
in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be
sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be
sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Sat, 22 Jun 1996 13:20:07 +1200 (NZT)
From: Nick FitzGerald
Subject: Moderator on vacation (ADMIN)
X-Digest: Volume 9 : Issue 99

I have been on vacation since last Wednesday and won't be back at work
until Monday-week. I will be trying to keep Virus-L/comp.virus postings
as up-to-date as I can, but don't have time to deal with
"administrative" issues, so if you've written asking me a question
don't worry that I haven't answered yet...

My apologies for the delays in getting this digest posted--I've been
having a lot of comms problems with my dial-up provider, but I think
the worst of them are now sorted.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 18 Jun 1996 12:12 -0400 (EDT)
From: Michael Head
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 99

In VIRUS-L Digest V9 #98:

> : >Tell me how is it different from eavesdropping on your employees'
> : >conversations in order to stop violent crimes?
> : >Both constitute gross abuse of privacy. Convince me otherwise.
> :
> : An anti-virus program does not 'eavesdrop'. It simply looks for viral
> : code. E-mail is not private, and the sysadmin (and any sysadmin on the

Most anti-viral programs would appear to scan executable code for
strings which are contained in a "signature file". Given that many
anti-viral programs can be asked to extend the search to data files and
that signatures can be dynamically added on site, the question which
comes to mind is, 'What safeguards are there against someone reverse
engineering the dynamic addition of signatures so that he/she can add
strings of interest and have files flagged as "suspicious"?'

Perhaps we should pause before proceeding to organization-wide scanning
of files, incoming/outgoing mail, etc. and ask the A-V providers to
assure us that their products can indeed only look for virus code.

Fridrik, Zvi, Graham?

Michael H. --> ccmh@mvs.mcgill.ca

------------------------------

Date: Tue, 18 Jun 1996 16:51 +0000
From: Graham Cluley
Subject: Re: Viruses, encryption and scanners (was: Re: Scanning incoming mail)
X-Digest: Volume 9 : Issue 99
In-Reply-To: <01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz>

Andrew Wing writes:

> This raises the spectre of a macro virus "hiding" from Mimesweeper
> type scanners. While some scanners can look inside zip archives, how
> many can look inside PGPed files? None I should think!
> Perhaps decryption programs should have scanner addons.
> How about future versions of F-Prot/etc that can read PGP key files
> in order to 'get inside' encrypted files?

Installing an on-access scanner will detect the virus when you access
it after it has been de-PGP'd.

Regards

Graham

- --
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 18 Jun 1996 16:08:36 -0700
From: Simon Taplin <10896@stalban.pta.school.za>
Subject: AV guys misnaming viruses
X-Digest: Volume 9 : Issue 99

Why do AV people misname viruses if it is a NEW virus, not a new strain?
I use the Red Spider virus as an example: McAfee calls it that, but
everybody else calls it Reverse. The same with the first Win95 virus,
Boza. Why???

Please post replies to my e-mail address as well.

10896@stalban.pta.school.za

------------------------------

Date: Tue, 18 Jun 1996 19:12:25 +0100
From: "B.MacDonald"
Subject: Re: Word Macro Virus on a large LAN
X-Digest: Volume 9 : Issue 99

In article <0002.01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz>, Totally Lost
writes

>Your Corp Bio at http://www.drsolomon.com/company/virusteam.html shows
>that you should have the experience to understand the technical issues
>and S&S's A-V product placement as you represent your employer in this
>forum. I think you have been chanting your customer script song so long
>that you have forgotten your own technical roots and the realities of
>the industry that pays your paycheck - by preying on the ignorance of your
>customers.
>
>The truth is that your own product can not stop new viruses.
>The truth is that your own product is useless, in your own words.
>The truth is that your own self-serving recommendation (below) is that
>applications developers not be devoted to security so that you can
>continue to stuff your pockets at the expense of customers that buy a
>false sense of security in your products.

What a pile of conceited, self-serving, vitriolic ballocks!

I'm sorry, but I can't let the Bass Bravado go unanswered and perhaps
it's better if someone other than Graham does it.

Graham was trying to put forward a reasoned and balanced objective view,
rather than the hard sell that Bass alleges. Whenever someone
representing a commercial firm attempts to do that in a discussion forum
I would hope that it would be applauded and NOT turned into a basis for
a professional and personal attack.

Meanwhile back to the point at hand, this is all really silliness.
Surely none of the points taken are mutually exclusive... the point of
having computers is NOT strictly for the sake of maintaining an
impregnable AV bastion (we wouldn't turn them on if it were). We buy
computers so we can run applications. We seek external data to enhance
those functions and applications. Whenever we do so, we run at least
some risk of infection.

The obvious answer is to combine all the points made in this thread to
date: choose the best software with the best functionality you can - but
bear in mind any security concerns you might have when you do so; employ
the best AV software you can find and couple it with common sense
security practices; and, as a consumer, encourage software houses to
make their products as virus-resistant as possible. How much weight you
place on each requirement is a personal decision, as is the resulting
risk.

Really, isn't that what Graham was saying in a much more concise way?
- -
B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Tue, 18 Jun 1996 15:25:28 -0400
From: DarStec
Subject: Re: Hype, Fiction or Reality
X-Digest: Volume 9 : Issue 99

In article <0005.01I5YERMDOPEWHXVWG@csc.canterbury.ac.nz>, JMccorm245
writes:

>I have been working in the computer industry for about 5 years now. Since
>I've started, I've worked for Fortune 500 companies & now work as a
>consultant. In this time I have come across numerous virii. Usually
>Stealth, Stoned, Anti-EXE, Monkey, NYB & a couple of others that I don't
>remember. Just because you haven't come across a lot, doesn't mean that it
>doesn't exist on a large scale. I have yet to meet someone that I can say
>"He has AIDS." Yet that still exists, too.

I would like to second Jesse's statement. Did anyone count the virus
attacks in any of my client's computers? One had 35 different virii, in
one computer. These were not false positives either, as they had been
cleaned. And I am sure there are a lot of other computer consultants,
administrators etc. that reported their experiences to any of the AV
people.

Later,
DarStec

------------------------------

Date: Tue, 18 Jun 1996 14:54:00 -0700
From: Don.Edwards@ci.seattle.wa.us
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 99

B.MacDonald typed, referring to the "Good Times" "virus":

> It seems that every 3-4 months we go through another bout of the
> "News" virus, supposedly capable of destroying your CPU and
> rendering your first-born sterile. Perhaps we should classify this as a
> virus since it DOES disrupt the bandwidth for weeks on end with
> new-users nervously demanding that it be eradicated and wondering if
> they've been infected.
>
>If disruption is the criteria, then this one is pretty effective.
>
>[Moderator's note: However, "disruption" (like "damage") isn't a
>criterion in any widely respected definition of what a computer virus
>is...]
It's a virus, alright. But it's a meme virus that infects human brains,
not a computer virus.

------------------------------

Date: Tue, 18 Jun 1996 18:08:55 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Word Macro Virus on a large LAN
X-Digest: Volume 9 : Issue 99

In article <0002.01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz>
idletime@netcom.com "Totally Lost" writes:

> The truth is that your own product can not stop new viruses.

[clip]

> I would not be surprised if there are those in the A-V industry that
> regularly release new viruses for competitive advantage when sales get
> a little slow.

Interesting doublethink. The very people who you claim cannot deal with
new viruses are those who go about releasing them? Seems
counterproductive, doesn't it?

> So there are some of you that think I'm just a bunch of hot air?

Show of hands? (Mine is in the air, for those who can't see.)

- -
THE CHICK FELT           HIS CHIN AND HE WED
    FLEW THE COOP            LET OUT A WHOOP
                                     Burma-Shave

------------------------------

Date: Wed, 19 Jun 1996 02:18:36 +0200
From: Gerard Mannig
Subject: Virus in plain text files (was Re: Scanning incoming mail)
X-Digest: Volume 9 : Issue 99

>>X-Digest: Volume 9 : Issue 97
>. Plain text cannot be a carrier for viruses.

Hmm... YES, they are.

As recently as last Sunday, I was sent some samples of viruses including
a copy tailored as a plain ASCII file. I mean of course an
auto-executable ASCII file.

This utility, basically written for noble purposes, can obviously be
circumvented to hide even very well known/ITW viruses within a plain
ASCII text file.

This utility is intended to offer to users a clone of the UU/XXENCODing
system that requires *no* utility to decode such binary files sent by
electronic mailing systems.

Regards,
- ----------------------------------------------------------------
Gerard MANNIG
Virus Consultant
Phone : +33 (16) 3559-9344
Fax : +33 (16) 3560-5011
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of R . E . C . I . F
data +33 1 3415-4959
Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

------------------------------

Date: Wed, 19 Jun 1996 02:43:40 +0000 (GMT)
From: Gene Wirchenko
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 99

George Wenzel wrote:

>In article <0004.01I5YERMDOPEWHXVWG@csc.canterbury.ac.nz>, "B.MacDonald"
> wrote:
>
>>BTW, other than attached executables, etc what's the fuss about viruses
>>in bog standard email? I haven't heard of anyone coming up with a virus
>>that uses straight email as an infection medium yet.
>
>Well, you're likely to hear about one, since there is a fairly big hoax
>about that, but none exists, nor can one exist. Plain text cannot be a
>carrier for viruses.

The EICAR test string is pure ASCII, no? I think it possible to write a
virus that consists only of displayable ASCII. There is the problem of
getting it executed, but you did only say carrier.

Sincerely,

Gene Wirchenko

C Pronunciation Guide:
     y=x++;     "wye equals ex plus plus semicolon"
     x=x++;     "ex equals ex doublecross semicolon"

------------------------------

Date: Wed, 19 Jun 1996 13:06:41 +0000
From: Szappanos Gabor
Subject: Re: VDOC macro virus?
X-Digest: Volume 9 : Issue 99

Johan van Staden wrote:

>Here in South Africa is a new virus called vdoc. It only attacks
>MS-Word macro documents and disables save options etc.....

VDOC is a macro virus scanner by EliaShim and not a virus.

>Any-one knows this one or any info - help !!

It could be any known macro virus. Since they are document templates
some of the save options (the save directory in Word 6.0 or the
document format in Word 7.0) are disabled by Word. It is most probably
Concept, which is reported to be in the wild in South Africa, but you
should check it with a good antivirus software.

Szapi

------------------------------

Date: Wed, 19 Jun 1996 04:41:13 +0000 (GMT)
From: George Wenzel
Subject: Re: Word Macro Virus on a large LAN
X-Digest: Volume 9 : Issue 99

In article <0002.01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz>, Totally Lost
wrote:

>Gee ... from the mouth of a leading A-V salesman ... glory be!!
>
> "is useless as an anti-virus if it can't stop viruses"

I don't think that Mr. Cluley is a salesman for S&S. His signature
identifies him as a "Senior Technology Consultant".

>The truth is that your own product can not stop new viruses.

This is true for all scanners, but that's why they are supplemented
with generic programs. Dr. Solomon's product includes an integrity
checker called ViVerify, which will bring to light any viruses that the
scanner may miss. New viruses are why updates to virus scanners come
out about every month or so.

>The truth is that your own product is useless, in your own words.

Dr. Solomon's product can indeed stop viruses (I've tested it
personally, as have Virus Bulletin, U of Tampere, U of Hamburg, and
others), so your above statement is false.

>The truth is that your own self-serving recommendation (below) is that
>applications developers not be devoted to security so that you can
>continue to stuff your pockets at the expense of customers that buy a
>false sense of security in your products.

Dr. Solomon's product gives me a sense of security, but I know that it
isn't false. It's stopped several viruses from infecting my system.

>Your web page is a slick piece of marketing, and bends over backwards to
>NEVER claim to stop new viruses - which would be a flagrant violation of
>truth in advertising laws in the United States.

Really? The following are quotes from the web site:

"Dr Solomon's Anti Virus Toolkit for Windows 95 provides effective
protection against virus infection."

and

"Detects, identifies and safely repairs viruses in files, partitions
and boot sectors.
The Generic Decryption Engine (GDE) can find and repair even the most
complex encrypted and polymorphic viruses."

It certainly seems that they're claiming that the program stops viruses.

>The Dr. Solomon product is a useless pile of fatally flawed complexity
>which has the single goal of impressing customers out of their money.

I don't think so. I've tested it personally, and several respected
testing houses have tested it, and found that it effectively detects
and removes viruses.

>(As is nearly every other such product which claim increased protection
>against new or re-infection.) Detection of known viruses is one thing,
>the shareware/freeware tools do that job just fine, but to go past that
>and build a complex unsupportable detection infrastructure and sell it
>for top dollar is misleading at best -- buyer beware?

I wouldn't say so. Sure, programs like F-Prot are fine, but they aren't
available for all platforms, and they don't have support when
necessary. If there's a problem with a commercial product, you can
phone them and get support. If you catch a virus that the scanner
misses but the integrity checker catches, you can send a commercial
vendor a sample. They'll usually send you a fix within a day or so.

>I would not be surprised if there are those in the A-V industry that
>regularly release new viruses for competitive advantage when sales get
>a little slow.

Sounds like unsupported speculation to me. Can you provide any proof
for your claim?

>What a great scam ... get Microsoft to abdicate
>responsibility to you guys ... and then sell a product which is fatally
>flawed from ever doing what the customer expects.

I honestly don't have a clue what you're talking about. Dr. Solomon's
product is one of the best anti-virus products available. Major testing
houses agree with that. Why do you say that the program is flawed?

>So there are some of you that think I'm just a bunch of hot air?

Yes.

>Then I propose the following test in three monthly rounds, based upon
>the then released current A-V products for MSDOS and Windows 95:

Yes, if you take a current AV product, and test it against a brand new
virus, it'll have some detection problems. Heuristics may catch the
virus, but it's not for sure. That's a known fault in scanners, and
it's an admitted one. It's also why commercial AV packages include more
than just a scanner.

Regards,
George Wenzel

------------------------------

Date: Wed, 19 Jun 1996 04:24:07 +0000 (GMT)
From: George Wenzel
Subject: Re: Viruses, encryption and scanners (was: Re: Scanning incoming mail)
X-Digest: Volume 9 : Issue 99

In article <0003.01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz>, Andrew Wing
wrote:

> This raises the spectre of a macro virus "hiding" from Mimesweeper
>type scanners. While some scanners can look inside zip archives, how
>many can look inside PGPed files?

None, and it's unlikely that one will ever be able to. Of course,
somebody receiving a virus that's PGP encrypted will have to decode the
file in order to infect a system. Why would you need to use PGP to
bring a virus in if you know you're getting it? You could just walk in
with a disk.

> Perhaps decryption programs should have scanner addons. How about
>future versions of F-Prot/etc that can read PGP key files in order to 'get
>inside' encrypted files?

I would rather not have this happen. Sure, it's nice on your own
system, but would you like to give out your secret key to an
administrator on a network? I don't think so.

Regards,
George Wenzel

------------------------------

Date: Wed, 19 Jun 1996 17:49:43 -0500
From: Paul Malone
Subject: Re: Hype, Fiction or Reality
X-Digest: Volume 9 : Issue 99

> In spite of my personal experiences I realize that how I use my PC is
> not how everyone uses their PC and I fully admit that I may be
> understating the presence and impact of viruses.
> On the other hand I find it hard to believe that the world is so
> overtaken with computer viruses that companies should feel the need to
> move beyond common sense policies toward extreme measures to combat a
> foe largely delivered up by the media.

I, too, was in a similar situation. The point of the matter was that
the company was in a business where they could tolerate *no* down time
whatsoever. It was not that there were so many virus programs out there
infecting networks, it was just that the nature of their business
(read: financial concerns) was such that they needed to ensure as much
as possible that they were not the ones that DID get hit.

Then again, there are always those folks out there that will believe
whatever McAfee says.

Hope that shed some light on the situation (perspective-wise).

------------------------------

Date: Wed, 19 Jun 1996 20:39:00 -0500 (EST)
From: keith@command-bbs.com
Subject: Re: Viruses, encryption and scanners (was: Re: Scanning incoming mail)
X-Digest: Volume 9 : Issue 99

> This raises the spectre of a macro virus "hiding" from Mimesweeper
>type scanners. While some scanners can look inside zip archives, how
>many can look inside PGPed files?
>
> Perhaps decryption programs should have scanner addons. How about
>future versions of F-Prot/etc that can read PGP key files in order to 'get
>inside' encrypted files?

Hmmm... I see a few problems right away. PGP uses a "like PKZIP"
compression utility to compress the contents of a message or file
*before* encryption. So one would need to decrypt *and* decompress. What
if the user used another compression program *before* encrypting?

Hmmm... now test for encryption (there are so many types: DES,
TRIPLE-DES, PGP, plus more...) and test for compression, then if the
file is runtime compressed, test for runtime compression, lastly test
for viruses.

Wouldn't it be better to use a VxD that monitored all executables and
Macros that are written to the disk? No extra features would be needed.

Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                   USA Distributor for
P.O. Box 856                           AntiViral Toolkit Pro
Brunswick, Ohio 44212
Internet: info@command-hq.com          Compuserve: 102404,3654
FTP: ftp.command-hq.com /pub/command/avp    :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820  Fax: 330-220-4129  BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Tue, 18 Jun 1996 20:43:52 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Anti-Virus program for Solaris (UNIX)
X-Digest: Volume 9 : Issue 99

Tannil Lam writes:

>Please advise if there are any anti-virus programs for SUN SPARC Solaris
>2.X and where can I ftp download them for usage.

McAfee has a Solaris native scanner for Sun Sparcs which are being used
as servers for DOS files which may contain DOS viruses.

Please see http://www.mcafee.com

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 18 Jun 1996 18:09:58 -0500
From: STEVEN W MAY
Subject: Re: Virus playing music on NTAS??? (NT)
X-Digest: Volume 9 : Issue 99

<01I617U99GZ6WHY5DF@csc.canterbury.ac.nz> writes:

> We were just sitting here in the master console room
> for MTU SBEA and we could hear a faint noise, so all of
> us stopped talking and all CD's that were playing
> and we could hear this song. we could not for the life
> of us figure out where it was coming from, then all
> of a sudden we noticed it was coming from one of our
> Windows NT servers.
>
> I know that there used to be some virii that would play
> songs from the PC speaker, but i dont remember the names
> we ran a McAfee ntscan (with 9605) and it didnt find
> anything. is this a new occurance??

Wait a minute here... I thought that Windows NT would not allow any
software to directly control a piece of hardware. I have been searching
all over for a driver for the PC speaker under Windows NT... No such
animal anywhere... What gives???
8-) Anyone got an answer ????

- -
Steve May

These views and opinions are strictly my own, they do not represent
those of the Navy or the US Government in any way.

------------------------------

Date: Tue, 18 Jun 1996 09:57:37 -0400 (EDT)
From: "David M. Chess"
Subject: Re: OS/2 antivirus software (OS/2)
X-Digest: Volume 9 : Issue 99

Yes, IBM does in fact have anti-virus software! We're perhaps not as
visible on the Net as some others (recently at least; I've been busy!),
but on the Web, see

http://www.brs.ibm.com/ibmav.html

and

http://www.research.ibm.com/massive/

We plan to have an on-Web newsletter soon, in addition to the existing
stuff. I won't plug too much, but IBMAV (for DOS, OS/2, Windows,
Windows 95, Windows NT, and Novell Netware) tends to do pretty well in
reviews. And we think it's pretty good! *8)

- -- -
David M. Chess                  | IBM AntiVirus Products and Services
High Integrity Computing Lab    | U.S. Retail and Site Licenses:
IBM Watson Research             | 800-742-2493

------------------------------

Date: Wed, 19 Jun 1996 18:13:20 +0300
From: Zvi Netiv
Subject: Re: Virus detection in boot manager (OS/2)
X-Digest: Volume 9 : Issue 99

At 12:39 PM 19/6/96 -0700, Simon Taplin wrote:

> Do you have a South African distributor for your anti-virus products

No, as the volume didn't justify one, yet. South African users are
served by NetZ's international agents in the UK and the US, and by NetZ
Computing. On-line support is available worldwide through the Internet,
Compuserve and by local distributors, where there is one.

If a single copy is needed then you could purchase on the Internet
(there are five sites with on-line ordering) or through Compuserve.
Site or group license can be purchased directly from NetZ Computing.
Best regards, Zvi Netiv, Managing Director

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel       Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
CompuServe: go INVIRCIBLE    ftp.netzcomp.com    www.invircible.com
E-mail: netz@actcom.co.il  netz@netzcomp.com  Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Wed, 19 Jun 1996 15:00:19 -0500
From: John Hall
Subject: Re: Files on hard drive = 600Mb - used = 800Mb (WIN95)
X-Digest: Volume 9 : Issue 99

George Wenzel wrote:

> In article <0015.01I617U99GZ6WHY5DF@csc.canterbury.ac.nz>, James MacDonald
> wrote:
> >F-PROT 2.22 reports that in files, there is 600Mb on my hard drive.
> >Why, then, when I look in "My Computer" under Windows 95 do I see that
> >approx. 100Mb is free indicating presence of 800Mb of data?
>
> If you're using the Recycle bin, try emptying it. If you have the Norton
> Protection Recycle bin, definitely empty that. It has a tendency of
> screwing Win95 up so it shows inaccurate numbers for the drive size or the
> amount of data.

Another possible cause of the discrepancy is that one may be reporting
actual file size and the other the amount of disk space. Depending on
the cluster size and the type of files stored, this can vary quite a
bit. >500M has a cluster size of 32K (?) so even a 1 byte file takes 32K
on disk.

- -
John Hall (jhall@indy.net)
KLF Business Communications (http://www.klf-inc.com/klf)
Opinions are guaranteed to be mine but not necessarily correct.

------------------------------

Date: Tue, 18 Jun 1996 16:51 +0000
From: Graham Cluley
Subject: Re: DDE problem while installing Dr. Solomon's AVTK (WIN95)
X-Digest: Volume 9 : Issue 99
In-Reply-To: <01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz>

Ian Sealy writes:

> I wonder whether anyone can help me with a problem I'm having with Dr.
> Solomon's Antivirus Toolkit for Windows 95.
> I've tried to install Dr. Solomon's Antivirus Toolkit (version 7.57 for
> Windows 95) on a Toshiba Sat 100CS laptop running Windows 95, but near
> the end of setup (just after I had agreed to install the scheduler) I
> got the following error:
>
> Setup Message
>
> Unable to start DDE communication with Program Manager.

[snip]

I haven't heard of this problem before, maybe our regular UK technical
support people (support@uk.drsolomon.com, tel: 01296 318700) may be
able to help more. But it sounds like the icons weren't created for
some reason. You could create the icons manually for the time being.

Regards

Graham

- --
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 19 Jun 1996 02:39:28 +0000 (GMT)
From: Hans von Lieven
Subject: Wandering mouse cursor--virus? (WIN95)
X-Digest: Volume 9 : Issue 99

G'day from Australia everybody.

Can someone please tell me what I've run into.

My system: PC Clone, Pentium 90, 16 meg, 2 Hard drives, Soundblaster 16
bit, Creative CD, Trident video card 1 meg, Scanner, V34 28.8 modem and
HP LaserJet 4L running Windows 95.

I'm pretty active on the net and download things frequently. Since
yesterday my cursor keeps wandering all over the screen when not in
use, or when the finger is on the mouse button for any length of time.

I have several recent anti-virus programmes, but they all give my
system a clean bill of health. Apart from this the system appears to
work normally. I've checked all my connections but they seem fine,
there are no interrupt conflicts.

Help someone please, this is driving me nuts.

Hans von Lieven, Sydney.

PS. Please feel free to E-mail me. Thanks.
------------------------------

Date: Wed, 19 Jun 1996 12:40:55 -0700
From: Simon Taplin <10896@stalba.pta.school.za>
Subject: Re: How good is McAfee's V-Shield? (WIN95)
X-Digest: Volume 9 : Issue 99

Kevin wrote:

> I recently bought a new Pentium system, and purchased the Win95 McAfee
> VirusScan. It has what it calls "V-Shield" that stays active whenever I
> have the computer on, unless I physically disable it.
>
> Is there any way that I can get a virus while I have this level of
> protection? I am concerned because I like to download shareware, etc.,
> from the Net and I want to exercise all necessary precautions.
>
> Please advise any ways I might contract a virus while running VirusScan,
> so I can avoid those activities.

You wasted your money, rather get F-Prot as that is much better and it
is free for all private people.

Cheers
Simon

Please send flames, replies, etc to 10896@stalban.pta.school.za

------------------------------

Date: Wed, 19 Jun 1996 14:25:41 +0000 (GMT)
From: Gary Farr
Subject: Help disinfecting Tentacle (WIN95)
X-Digest: Volume 9 : Issue 99

I was in the process of installing a program this morning. There was no
install.exe file in the first zip file so I pressed the inf file and
hit install. I had VShield running at the time of install. Was this a
mistake? Does VShield need to be turned off during an installation?
Could this give me false warnings?

Immediately after this I got a warning from McAfee that the Tentacle
virus was found. I selected clean but it wouldn't clean the file. I
booted to a clean floppy and ran the DOS version of McAfee by typing:
SCAN /ADL /ALL /CLEAN. I am using the June definitions. It found 13
infected files in the c:\windows directory and cleaned them. It would
seem to me that even though I had VShield running during the install
that there were truly viruses in these files. Is this safe to assume?

I then booted back into windows and it came up fine.
I then ran Virus Scan again (95 Version) and it found another infected file: QPINST.EXE. It wouldn't let me move it to my floppy drive so I moved it manually with Norton file manager. I am presently doing another scan using McAfee as I type this and just DL'd F-Prot 2.23a. I'll install it and run it as well.

I just got 2 more files that say they're infected with Tentacle. When I press clean it won't successfully clean and recommends reinstalling the program. Hopefully I have these on my backup.

Anyone run into false alarms with Tentacle? How many times should a person do the scan? Until nothing is found? Is there a way to know which file actually initiated the virus so I can remove it from my system?

*****************************
Gary Farr            garyfarr@nando.net
VOICE: 919-467-7187  FAX: 919-467-7216
*****************************

------------------------------

Date: Wed, 19 Jun 1996 11:23:18 -0700
From: Simon Taplin <10896@stalban.pta.school.za>
Subject: Windows Virus (WIN)
X-Digest: Volume 9 : Issue 99

How many Windows viruses are there? Do they have any chance of surviving in the wild?

Cheers
Simon

------------------------------

Date: Wed, 19 Jun 1996 23:44:28 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Getting a unique BIOS ID (PC)
X-Digest: Volume 9 : Issue 99

sysop@amsoft.com writes:
>I realize this is exactly virus-related, but submit it to this group of
>people as they seem to be more understanding of things at the BIOS/OS
>level than most any other.
>
>I am looking for a way to get a unique ID from each and every PC. I
>understand that there may be a way to get a serial no. from the BIOS.
>Anyone know how?

No. And you can't. BIOS does not have a standard to have an ID number. Network cards do though.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 18 Jun 1996 14:50:47 +0000 (GMT)
From: "Howard R. Hamilton"
Subject: Help - ANTICMOS A virus (PC)
X-Digest: Volume 9 : Issue 99

I have a machine (486sx33 DOS 6.22 W4W) that has been infected by the ANTICMOS A virus. McAfee V.2.2.7 recognizes the virus, but is unable to clean it from the hard drive. The hard drive has two physical partitions with 3 logical partitions in the extended physical partition. I would prefer to remove the virus than to have to repartition and reinstall everything. Formatting the infected partition has no effect.

Please respond by email to: buz@sfn.saskatoon.sk.ca

Thanx in advance
BUZ

------------------------------

Date: Tue, 18 Jun 1996 20:41:34 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Anyone heard of "VCL_Messiah_ Virus" (PC)
X-Digest: Volume 9 : Issue 99

Rich Gonzalez writes:
>Contracted a virus on my machine which McAfee identified as VCL Messiah
>Virus. But it also says no remover for this virus.

It is an overwriter. It overlays code over your program.

>Is there any other software that will remove this virus?

Backup software.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 18 Jun 1996 14:40:30 -0800
From: Mark Hartley
Subject: Untouchable (PC)
X-Digest: Volume 9 : Issue 99

I have heard mention a couple of times (by Bill Lambdin) of a product called Untouchable. It is a commercial product that is not being supported in the U.S. anymore. I use this software as a generic A-V, and a combination of F-Prot and NAV as my scanners. However, I have heard that Untouchable is still sold or supported in other countries. If this is so, could someone give me an address, website, or some way to obtain information or an update to Untouchable's scanner.

Thank you.
Mark Hartley

------------------------------

Date: Tue, 18 Jun 1996 15:10:00 -0700
From: Don.Edwards@ci.seattle.wa.us
Subject: re: Getting a unique BIOS ID (PC)
X-Digest: Volume 9 : Issue 99

Sysop@amsoft.com types:
> I realize this is exactly virus-related, but submit it to this group of
>people as they seem to be more understanding of things at the BIOS/OS
>level than most any other.
>
>I am looking for a way to get a unique ID from each and every PC. I
>understand that there may be a way to get a serial no. from the BIOS.
>Anyone know how?

Thanks for the compliment, but I can think of some groups of people likely to know more about BIOSes than us. Intel, for example.

Intel produces a piece of software (LanDesk Manager) which, among other things, can be used to automatically maintain an inventory of the PCs on your network. As a unique identifier for a PC, it uses the network card's address (ethernet address on our network). Not something from the BIOS or motherboard.

I would take this fact as the next best thing to absolute proof that BIOSes and motherboards in general do not have any unique, machine-readable identification number.

- --------------------------------------
Opinions expressed here do not necessarily represent those of the City of Seattle

------------------------------

Date: Tue, 18 Jun 1996 18:18:37 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Program execution problems--virus?? (PC)
X-Digest: Volume 9 : Issue 99

In article <0027.01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz> Don.Edwards@ci.seattle.wa.us writes:

> Vernon Chin types:

> I am suspicious of certain BIOS-spoofing viruses. I can't recall the
> names, but they modify the BIOS settings in any of several ways to force
> the system to boot from the hard drive.

EXEBUG is one (or rather a family of five or so).

> Thus, even a "clean" boot isn't necessarily clean.
>
> If the computer in question is one where you have to load the BIOS
> settings program off floppy, you are in sorry shape and I have no advice.

Peter Morley of S&S cleaned EXEBUG off a computer like that, by unplugging the hard drive. Eventually the computer gives up trying to boot from the missing hard drive and tries the floppy, even though it "isn't there". You can then load the CMOS setup disk and change the settings, plug in the hard drive again, and finally boot clean from a floppy and use AV software to get rid of the virus.

> In principle it's possible for a virus to infect a flash bios, but I've
> never heard of it happening.

There aren't any viruses that do this, yet. There is apparently one that tries to corrupt a flash bios, but it doesn't work (or maybe it only works on a particular computer nobody has tried it on? I think flash reprogramming works differently on all the different makes, and possibly models.)

- - THE CHICK FELT HIS CHIN AND HE WED FLEW THE COOP LET OUT A WHOOP Burma-Shave

------------------------------

Date: Tue, 18 Jun 1996 23:38:48 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Boot-437 Help (PC)
X-Digest: Volume 9 : Issue 99

Zvi Netiv (netz@actcom.co.il) wrote:
> Zvi Netiv wrote:
>
> >> I got a Boot-437 virus on my system and I can't remove it with NAV or
> >> F-Prot shareware. Can somebody help me !
> >
> > Boot clean from a DOS floppy and run from the A:> prompt: C:\DOS\SYS C:.
> > This should do it, for all boot infectors as well (such as FORM, Da'Boys
> > and others).
> >
> > [Moderator's note: A minimum qualifier on the SYS solution Zvi provides
> > is that the clean boot diskette -must- be -exactly- the same DOS version
> > as is on your HD ...
>
> The purpose of running SYS from the C:\DOS directory (or from
> C:\WINDOWS\COMMAND if running under Win95) is twofold:
>
> 1) It assures that you are booted to exactly the same OS version installed
> to the disk. If not then you'll get the "Incorrect DOS version" message.
>
> 2) It also assures that the boot sector is correct about the partition
> that you are about to SYS. In a followup article, ("SYS is not always
> safe", issue 95 of Virus-L), S. Widlake explained the risks of
> transferring system files when the boot sector's BPB and the actual
> partition mismatch.

Those are good reasons. One must be sure, however, that SYS (or FDISK, below) aren't infected with some other virus. Hence I'll still advocate the top quality AV product solution.

> This is quite often the case with boot sector infectors like Form or
> Boot-437. You will ruin your FAT and root directory by SYS'ing, even with
> -exactly- the same DOS version as is on your HD.
>
> By running the SYS command of the HARD DRIVE you are about to SYS, you are
> then assuring both.

Assuring both *what*? That both the FAT and root will be trashed? ;-) (Sorry; I couldn't resist.)

> The same applies to running FDISK/MBR. Although not generally recommended,
> still, if you have to run this command (most disinfectors - and NDD - are
> doing exactly the equivalent of fdisk/mbr in specific instances, yet I
> haven't seen anyone criticizing them because of that). :-)

What, Zvi, you don't read everything I post to all newsgroups? I'm hurt. I've written this more than once: "Norton Disk Doctor, while often spectacular in its results, is sometimes spectacular in its failures...."

I would hope that disinfectors look at the relocated boot sector, when there is one, to see whether another virus has infected. I *know* F-PROT does this; it reports a circular infection. Depending on how far back the product tries to trace to find an uninfected boot sector (MBR or DBS) and how cautious it is in evaluating the data within that sector, the safety of using the disinfector can be evaluated. It would be difficult for such a program to be -less- safe than SYS or FDISK, assuming competent programming; after all, those DOS programs know absolutely nothing about viruses.
> then boot from
> A and run C:\DOS\FDISK/MBR. It's quite safe to do so, and in many cases
> it is also the only way to restore bootability to your hard drive.

No, it's not "quite safe to do so" in general. Most of the time, probably. But as I mentioned above, C:\DOS\FDISK could be infected; unless the infection of the boot sector *just* happened, one might reasonably expect lax security on the infected machine, so the probability of other infections, a priori, is increased. But that's not the worst of it; in the case of One_Half, or of viruses not yet written, it could be a disaster. The lay user doesn't know when it's safe and when it isn't; this decision should be left to an AV expert, or lacking access to same, to a top quality AV product.

-BPB

------------------------------

Date: Tue, 18 Jun 1996 20:27:25 -0700
From: Simon Juncal
Subject: Sporadic hangs\lock ups--virus ?!? ... (PC)
X-Digest: Volume 9 : Issue 99

Ok some preface info:

1) my computer has been exhibiting some strange errors for the past few weeks (more on this later)

2) most likely unconnected with these errors, I get parity errors every once in a while, due I think to ageing parity checking RAM on an old SX486 33 with 4 megs of RAM. The error always seems to happen off of a warm boot [alt + ctrl + del]: I get a message like "CMOS memory size mismatch"; if I continue to boot the computer the system gets halted with a parity error.

3) the computer up until a week ago was being used in a HOT and humid room; on the hotter days I would get fatal errors at start up (varied) but after a few tries it always started (Yes I know, dumb to use a computer in a hot env.)

Ok so up until a few weeks ago most of the errors seemed semi consistent with running the comp. in a hot room (in the summer), but then I started getting some rather bizarre and unusual errors, sometimes in the middle of the night or in the morning (and most worrisome _AFTER_ I moved it to my new house (with AC).
=) At first in Windows, Win would just freeze up. Then when trying to use Netscape and a few other apps I would get shelled to DOS (sometimes to the prompt, sometimes to a blinking ( _ ) underscore with no prompt). I attributed this to the Netscape 2.0.1 beta but then the same thing(s) happened using AOL's software. Ok I thought maybe my RAM is finally going and it's screwing up the works, but then late one night while "surfing" the net for amusement's sake I was kicked to DOS with a typical DOS looking message scrolling at high speed down the screen; the line said something to the effect of: Bad or missing FAT (it might have spelled out File Allocation Table but I can't be sure, for unfortunately I was stoned drunk and didn't write it down x-). After rebooting (power off) the same thing happened again under almost the same situation (surfing) and I was still drunk ;) This time instead of Bad or missing FAT it said (without the scrolling) "bad Command.com" (but note it didn't say anything about "missing"). I haven't seen the Bad or missing FAT again but the Command.com one has shown up twice since (but I have not seen any of these errors for the last couple of days). I can't attribute the slow down in errors to moving the computer to the new house since it was screwing up for the first week and a half after the move.

Is it just ageing hardware? I've read that Bad command.com is a symptom of a virus... do I have one, and is it now dormant, or has it run its course? (I haven't seemed to have lost any data yet, just these buggy errors.)

Note this would have been a much bigger worry to me if my working computer was doing the same thing but I don't use it for DL'ing files.
And I check everything that goes into it (the old 486 is mostly my "fun" computer but it still serves me well and I'd hate to think it's about to go).

Any help _GREATLY_ appreciated,

- -
Simon
Midzilla Music & Sound
Mailto: sjuncal@erols.com, sjuncal@aol.com
web site http://users.aol.com/sjuncal/theax.html

------------------------------

Date: Wed, 19 Jun 1996 10:18:01 +0000
From: Fridrik Skulason
Subject: Re: Getting a unique BIOS ID (PC)
X-Digest: Volume 9 : Issue 99

In <0032.01I62PHSV7FWWHXNLX@csc.canterbury.ac.nz> sysop@amsoft.com writes:

>understand that there may be a way to get a serial no. from the BIOS.

Some BIOS manufacturer *might* have a serial# in their BIOS chips, but I have never encountered that - and I know for certain that the BIOSes that I have looked at don't include this - that is, you can easily have two identical BIOSes.

There seems to be a possibility to get a software readable unique number from some IDE drives, but that's it - what you are trying to do is basically not possible.

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Wed, 19 Jun 1996 12:38:06 -0700
From: Simon Taplin <10896@stalba.pta.school.za>
Subject: Re: StealthC and StealthB (PC)
X-Digest: Volume 9 : Issue 99

Graham Cluley wrote:
> In-Reply-To: <01I5RIPFB7ZKUBAYNP@csc.canterbury.ac.nz>
> Sean Heber writes:
>
> > A while back I got both of these viri, but I was just
> > wondering if anyone knows what these viri do. All winter
> > this virus was going around between my friends, me, and my
> > high school. Almost everyone I knew had it, and now it is
> > gone. Is it harmful or is it just a pointless virus?
It does not intentionally cause damage, or at least Ludwig did not intend the original to cause damage, but it will not let you into Windows, which I suppose is a good thing if you consider that Windows is the ultimate virus.

Cheers
Simon

Please send all replies, flames, etc to 10896@stalban.pta.school.za

------------------------------

Date: Wed, 19 Jun 1996 13:00:19 -0700
From: Simon Taplin <10896@stalba.pta.school.za>
Subject: Re: IVP variant??? (PC)
X-Digest: Volume 9 : Issue 99

Paul Montgomery wrote:
> F-Prot detected a new or modified variant of IVP. First of all, what
> is IVP and how can it affect my system? I went through the list of
> viruses in F-prot but couldn't find it. It also seemed to infect a
> strange combination of files. Most of my Norton Utils files were
> infected, mscdex.exe and command.com. Does anyone have any information
> on this virus, what it does, and why it infected those files. Please
> reply via e-mail in addition to posting a response.

IVP was a virus generation program made by Admiral Bailey of YAM. It infects COMs and EXEs but is not resident; it should be easy to clean, just send a copy to Frisk and he should have a fix ready for you in no time.

F-PROT RULES

Simon

Please send all replies, flames to 10896@stalban.pta.school.za

------------------------------

Date: Wed, 19 Jun 1996 05:33:22 -0400
From: Bill Lambdin
Subject: Generic detection (PC)
X-Digest: Volume 9 : Issue 99

Keith Peer writes:
>Non-memory resident *generic* antivirus products *CANNOT* prevent an
>infection! The user *MUST* first get infected by a virus thus
>exposing his data to potential loss. If that same user had a TSR or
>VxD installed the antivirus system would have detected the virus

I agree. This is why I recommend a three level approach to viruses.

a. backup.
b. scanners
c. generic A-V software.
Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                   PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Wed, 19 Jun 1996 04:54:25 -0700
From: Chia-yin Shih
Subject: Help: The bad sectors in my NEC HD are growing! (PC)
X-Digest: Volume 9 : Issue 99

I got a new NEC D3717 hard drive (540 MB) from my brother in November 1994 and installed it onto my IBM PS/1 (Expert 2155-S76) as the master drive. The day before yesterday (6/17/1996), I did a ScanDisk because my PC had become unstable for a while. Then I found nine clusters containing bad bytes. The ScanDisk message said that "ScanDisk patched the clusters successfully", but my PC was still unstable. So I did ScanDisk again later, and found SIXTY FOUR more clusters containing bad bytes. I tried ScanDisk four more times, and each time I found more and more clusters containing bad bytes. Even if I do ScanDisk immediately after I just finish one, the number of clusters containing bad bytes will still increase.

This abnormal thing does not happen to my other two hard drives (one Maxtor and one Samsung), so I think it should be the NEC drive which has gone wrong. In my NEC drive, there used to be only about 2,000 bytes in bad sectors, but the number has increased to 1,056,768 bytes in bad sectors during only two days.

Can this be caused by a virus? (But I have checked the NEC drive with the F-PROT program several times and found nothing wrong.) Could anyone tell me how to prevent it from getting worse? Please help!

Sincerely yours,
Chia-yin Shih

------------------------------

Date: Wed, 19 Jun 1996 16:52:41 -0700
From: Simon Taplin <10896@stalban.pta.school.za>
Subject: Re: Anyone heard of "VCL_Messiah_ Virus" (PC)
X-Digest: Volume 9 : Issue 99

Rich Gonzalez wrote:
> Contracted a virus on my machine which McAfee identified as VCL Messiah
> Virus. But it also says no remover for this virus.
This is an over-writing virus, meaning your files are screwed. Time to replace the files.

Cheers
Simon

Please send replies, flames, etc to 10896@stalban.pta.school.za

------------------------------

Date: Wed, 19 Jun 1996 16:57:31 -0700
From: Simon Taplin <10896@stalban.pta.school.za>
Subject: Re: Help disinfecting HLLO.RUW (PC)
X-Digest: Volume 9 : Issue 99

Fridrik Skulason wrote:
> In <0034.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz> "Scott J. Dygert"
> writes:
>
> >After doing a scan, PC-CILLIN detected a virus "HLLO.RUW" in my
> >C:\PBTOOLS\BACKUP\AUTO-DET.EXE file.
> >
> >PC-CILLIN gives a message when I attempt to clean it indicating that it
> >cannot clean that file.
>
> This is almost 100% certainly a false alarm. Some anti-virus programs
> are more likely than others to generate false alarms on HLL viruses.
>
> Also, an HLLO virus (High-level-language-overwriting) has very low chances
> of surviving in the wild.

You won't be able to restore your files as they are totally screwed for good, hope you got backups.

Cheers
Simon

Please send replies, flames to 10896@stalban.pta.school.za

------------------------------

Date: Wed, 19 Jun 1996 16:55:02 -0700
From: Simon Taplin <10896@stalban.pta.school.za>
Subject: Re: New virus?? Please help... (PC)
X-Digest: Volume 9 : Issue 99

Uvaiz Ahmed wrote:
> I have got a virus problem which is v. peculiar. Most of the frequently
> used data files are getting corrupted with one of the following messages:
> "cross linked allocation units", "file truncated" or "lost allocation unit".
>
> The computer is working fine after reformatting for a few days and base memory
> is correct as 655360. The few most used .exe files are displayed as
> compressed (lzexe compression or pklite compression method). During
> running McAfee virus scan, none of the other virus scans like Dr Solomon's
> toolkit, CPAV, F-Prot are detecting the virus. Initially we thought
> it is a hard disk problem but it is happening on three machines.
> The boot area information of the hard disk (525MB Quantum hard disk) has been
> changed to a 360kb floppy disk!!!

You are probably infected with a stealth virus. Try to boot from a clean write protected disk and then use a new copy of those virus cleaning programs. That should solve your problem.

Cheers
Simon

Please post replies, flames, etc to 10896@stalban.pta.school.za

------------------------------

Date: Wed, 19 Jun 1996 23:47:39 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: HELP!? virus found (PC)
X-Digest: Volume 9 : Issue 99

Jeff Tollefson writes:
>I have a virus that McAfee named OW BY and another named Necro Shadow. I
>can't determine whether it's on our server or just the local machine. The
>virus seems to load itself when I log the user on to our network. When I
>used McAfee's clean utility it found the OW BY in the display.sys file
>and tried to clean it; it locked up and switched to a screen full of
>ASCII garbage. The virus(es) appear to be relocating themselves to
>different files each time I attempt to clean; sometimes it loads itself
>to active memory and sometimes it's not there.
>
>Any help would be more than appreciated. I'm hitting a lot of walls as
>far as all of the virus utilities I've tried. F-Prot doesn't detect,
>McAfee does (but can't clean). Dr. Solomon's does not detect.

The closest I can come up with is that it's a scrambled message involving "Shadow byte". But when you say, "McAfee's clean utility," what are you talking about? Hopefully, you're not still using CLEAN, something phased out over 2 years ago...

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 17 Jun 1996 20:42:41 -0600
From: Arthur Buslik
Subject: Re: Hard disk partition disappeared (PC)
X-Digest: Volume 9 : Issue 99

Vincent Tumminello wrote:
> Last week all of a sudden my computer hung. Had to boot from floppy.
> Got in touch with Gateway 2000. Ran fdisk as suggested and there was no
> hard disk partition on my c: drive. They said it had to be a virus.
> Ran both McAfee and NAV and no viruses were found. Reformatted my hard disk
> and up to the present, all is well. Why didn't McAfee or Norton find a
> virus? Was it because I reformatted my hard disk??

> [Moderator's note: FDISK showing "no partitions", a hardware vendor's
> phone diagnosis and I'd only trust my own eyes! In my experience, what
> you saw was much more likely not caused by a virus and without further
> evidence it was grossly irresponsible of Gateway to suggest it "had to
> be". I have seen similar things because part of a WinWord document has
> been written over the MBR and beginning of the FAT and no virus in sight. ]

A co-worker had his master boot record trashed, and the partition table was zeroed out. I suspect strongly that it was related to our use of NVC.sys, the Norman Data Defense Systems memory resident behavior checker. I was able to recover his machine by using a copy of the master boot record from my machine at work, which I made with Padgett's fixmbr. My coworker and I have similar hard disks (the same as far as the BIOS is concerned).

I don't understand how a program like Winword could overwrite the master boot record. It likely uses int 26H for absolute disk writes, and although one can overwrite the boot sector in a logical volume (like drive C:) and the FAT and anything else in the partition, it is just not possible, as far as I know, to write to the master boot record with int 26H. Can someone explain that to me?

Arthur Buslik

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 99]
*****************************************
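The "SYS is not always safe" point in the Boot-437 thread above (Zvi Netiv, Bruce Burrell) and the hard disk whose boot area suddenly carries 360 KB floppy parameters in the "New virus??" post both come down to one check: does the partition boot sector's BPB agree with the MBR partition entry that points at it? The Python below is an added example, not code from the digest or from any product named in it; the MBR and boot sectors it parses are constructed samples, and the function names are hypothetical.

```python
"""Cross-check a DOS partition boot sector's BPB against its MBR partition
entry.  Added illustration for the digest thread above, not code from any
product named there; the sample sectors at the bottom are constructed."""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = 0xAA55          # bytes 55 AA at offset 510, read little-endian
PART_FMT = "<B3xB3xII"           # status, CHS(skip), type, CHS(skip), LBA start, sectors
BPB_FMT = "<HBHBHHBHHHII"        # DOS 3.31 BPB, offsets 0x0B..0x23
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
              "root_entries", "total16", "media", "sectors_per_fat",
              "sectors_per_track", "heads", "hidden", "total32")


def _has_signature(sector: bytes) -> bool:
    return len(sector) >= SECTOR and struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of the four-slot primary partition table."""
    if not _has_signature(mbr):
        raise ValueError("MBR is short or lacks the 55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, MBR_TABLE_OFFSET + 16 * i)
        if ptype != 0:   # type 0 means an unused slot
            entries.append({"index": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def parse_bpb(boot: bytes) -> dict:
    """Decode the BIOS Parameter Block of a DOS/FAT boot sector."""
    if len(boot) < SECTOR:
        raise ValueError("boot sector is shorter than 512 bytes")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, boot, 0x0B)))


def check_boot_sector(mbr: bytes, boot: bytes, part_index: int = 0) -> list:
    """List every way the boot sector disagrees with its partition entry.

    An empty list means the two are consistent; anything else is a reason
    not to run SYS on that partition until an AV product has looked at it."""
    findings = []
    part = next(p for p in parse_partition_table(mbr) if p["index"] == part_index)
    if not _has_signature(boot):
        findings.append("boot sector lacks the 55AA signature")
    bpb = parse_bpb(boot)
    total = bpb["total16"] or bpb["total32"]   # DOS uses the 16-bit count when non-zero
    if bpb["bytes_per_sector"] != SECTOR:
        findings.append(f"bytes/sector {bpb['bytes_per_sector']} != {SECTOR}")
    if bpb["media"] != 0xF8:
        findings.append(f"media descriptor {bpb['media']:#04x} is not 0xF8 (fixed disk)")
    if bpb["hidden"] != part["lba_start"]:
        findings.append(f"hidden sectors {bpb['hidden']} != partition start LBA {part['lba_start']}")
    if total != part["sectors"]:
        findings.append(f"total sectors {total} != partition size {part['sectors']}")
    return findings


def make_mbr(lba_start: int, sectors: int, ptype: int = 0x06) -> bytes:
    """Constructed MBR: one active primary partition, no boot code."""
    sector = bytearray(SECTOR)
    struct.pack_into(PART_FMT, sector, MBR_TABLE_OFFSET, 0x80, ptype, lba_start, sectors)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def make_boot_sector(*bpb_values: int) -> bytes:
    """Constructed FAT boot sector with the given BPB values (order as BPB_FIELDS)."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x3C\x90"            # JMP SHORT + NOP, as DOS writes it
    sector[3:11] = b"MSDOS5.0"               # OEM name
    struct.pack_into(BPB_FMT, sector, 0x0B, *bpb_values)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed samples: a ~517 MB FAT16 partition starting at LBA 63.
SAMPLE_MBR = make_mbr(lba_start=63, sectors=1060200)
GOOD_BOOT = make_boot_sector(512, 16, 1, 2, 512, 0, 0xF8, 259, 63, 16, 63, 1060200)
# The symptom from the "New virus??" post: a hard disk whose boot area now
# carries 360 KB floppy parameters (720 sectors, media 0xFD, no hidden sectors).
FLOPPY_BOOT = make_boot_sector(512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0, 0)

if __name__ == "__main__":
    for name, boot in (("consistent", GOOD_BOOT), ("floppy-style", FLOPPY_BOOT)):
        print(name, check_boot_sector(SAMPLE_MBR, boot) or ["OK"])
```

On a real machine the two inputs would be sector 0 of the disk and the first sector of the partition, read with a raw sector tool from a clean boot; the check only reports, it never writes.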