VIRUS-L Digest   Saturday, 6 Jul 1996   Volume 9 : Issue 108

Today's Topics:

Re: Scanning incoming mail
Re: Mysterious Fireworks on screen? -- Solved
Missing Files (MAC)
Norton antivirus update buggy? (WIN95)
Re: Sudden loss of RAM memory in windows (WIN)
Re: LASTRUN, without screen messages? (PC)
Re: System date set to 2096 (PC)
Re: Untouchable (PC)
Re: File corruption (PC)
Re: Weird drive mappings--virus? (PC)
Re: What Virus do I Have? (PC)
Dangerous virus scanner (PC)
Re: WP 6.1 intall (PC)
Re: LASTRUN, without screen messages? (PC)
HELP!!...I'm being FORM-ed to death! (PC)
Anti-CMOS leaves floppy drive write-protected? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 05 Jul 1996 06:05:00 -0400
From: Bill lambdin
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 108

gwenzel@gpu.srv.ualberta.ca> writes

>BAH! I don't think so. You claim that "suspect" files are not false
>alarms.
>How exactly is the user supposed to tell if a "suspect" file is
>infected or not? They certainly can't do it with your product, especially
>in the case of macro viruses.

I couldn't agree more. I also know for a fact that InVircible reports a false negative from time to time, especially if Tremor is on the loose. False negatives cause me more concern than false alarms.

You also hit on one of my nitpicks. Zvi keeps saying that users can boot from the rescue diskette, and detect Tremor infected files.

a. If Tremor is active at the time when IV is installed, COMMAND.COM on the rescue diskette will be infected with Tremor, and Tremor will be able to fake out IV from the rescue diskette.

b. InVircible modules keep reporting there is *NO* virus. How are users supposed to realize there is a problem, and know to boot clean?

>Generics have the same problem, Zvi, even though you don't admit it.
>There are AV products that won't trip up in the scenario that you present.
>Dr. Solomon's FindVirus is one - it checksums code from the virus before
>it ID's a virus. If it says "you are infected with xyz virus", you can be
>sure that you have xyz virus.

There is a HUGE difference between quality generic A-V software like F-Prot Professional, Integrity Master, Untouchable, etc, and inferior generic A-V software like Invircible and others.

>No, it makes perfect sense. If you have an on-access scanner running on
>every workstation, and scan all incoming software on a sheep-dip machine,
>you're pretty much guaranteed to stop almost every virus out there from
>infecting your corporation.

This will detect the "Known" viruses. I also recommend a separate computer. I call it a goat computer. It is easier to clean one computer than to clean an entire network. I would also recommend using generic A-V software like an integrity checker on the goat computer as well.
Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 05 Jul 1996 20:04:37 +0000 (GMT)
From: Pete Crayne
Subject: Re: Mysterious Fireworks on screen? -- Solved
X-Digest: Volume 9 : Issue 108

Mystery solved. It was one of our programmers' idea of a joke.

Pete Crayne wrote:

------------------------------

Date: Fri, 05 Jul 1996 15:02:20 +0000 (GMT)
From: ehamm@cctr.umkc.edu
Subject: Missing Files (MAC)
X-Digest: Volume 9 : Issue 108

I have picked up a virus on my Power Macintosh (Performa 6200CD)... I believe its source to be an Info-Mac mirror site (can't remember which site I got the file from). Details follow...

I downloaded a BBedit HQX from one of the info-mac mirror sites using Anarchie. Stuffit Expander automatically kicked off trying to expand the file (normal action). I stopped the expansion to continue with other downloads. After downloading 2 other files (names escape me, but they're not important) I moved the bbedit HQX and other hqx files out of the Anarchie Download folder and threw the rest of the stuff in the trash. I then dragged (drug???) the bbedit HQX to the Stuffit Expander icon on my launcher. At this point ALL HELL BROKE LOOSE... The expander did not start. Then when I returned to the folder that bbedit was stored in, it was empty. I then went to 2 other new folders that I had moved the hqx's to -- again EMPTY. I started moving into other folders and again almost everything I opened up was empty.

I went to Best Buy and bought McAfee Anti-Virus, it turned up nothing... I tried booting from my Performa CD, but it appears to be damaged. I have ordered a new CD from Apple and hopefully it will arrive today. When I get it I intend to initialize my hard drive and reload everything... Fortunately for me, I don't have anything very important on my machine.
My point in all this... Awareness for other people.. (this is my first trauma with a virus) See if anyone else has experienced the same thing.. I welcome ANY responses at ehamm@cctr.umkc.edu or (of course) this newsgroup...

Thanks

[Moderator's note: Thanks for your concern. Can anyone actually confirm that the archive referred to contains a virus? Unfortunately ehamm's report does not show any evidence of a virus at all. Strange system and file corruptions happen all the time and are heavily disproportionately -NOT- caused by viruses.]

------------------------------

Date: Fri, 05 Jul 1996 22:44:49 +0000 (GMT)
From: Robert de Ridder
Subject: Norton antivirus update buggy? (WIN95)
X-Digest: Volume 9 : Issue 108

I'm using the Dutch version of Norton Antivirus for Windows 95. I downloaded and installed the virus updates for July, and the program went crazy. About 1200 files of my files were supposedly corrupted, but the descriptions did not make sense. E.g. the IO.SYS file was to be infected with the horror virus, but this virus only attaches to .com and .exe files and wasn't found in memory either. I got similar messages about .jpg files infected by kak, which attaches to .exe only.

I downloaded and ran the free findvirus evaluation program for Dr. Solomon, and this doesn't find any viruses at all. With the June descriptions for NAV, I used before, I didn't find any viruses either.

Has anyone got this bug too, or know what could be wrong?
Greetinx,
Robert

------------------------------

Date: Fri, 05 Jul 1996 13:50:21 +0000 (GMT)
From: Andrew Wing
Subject: Re: Sudden loss of RAM memory in windows (WIN)
X-Digest: Volume 9 : Issue 108

Desmond Huang (bnhuang@netspace.net.au) wrote:
: > Another solution:
: > a) free about 30 Mbyte on your HD
: > a) edit \windows\system.ini
: > b) go [386Enh] line
: > c) search the line "MinPagingFileSize=xx", replace xx with 20000
: >    (if you don't have this line insert it AFTER [386Enh])
:
: Could you please kindly explain what's the line "MinPagingFileSize" for?

I looked in my Windows Resource Guide and could not find it. What I *did* find is MaxPagingFileSize which sets an upper limit on a temporary swap file. There is also PermSwapSizeK that sets the size of the *permanent* swap file.

- -
Andy Wing
agwing@astro.ocis.temple.edu
awing@thunder.ocis.temple.edu

------------------------------

Date: Fri, 05 Jul 1996 10:33 +0000
From: Graham Cluley
Subject: Re: LASTRUN, without screen messages? (PC)
X-Digest: Volume 9 : Issue 108
In-Reply-To: <01I6Q7SFSZTKWHZC3A@csc.canterbury.ac.nz>

Richard Evans writes:

> We are using Dr. Solomons Toolkit and I have written a batch file
> to scan user hard drives every couple of weeks. For this I am
> using the TKUTIL LASTRUN command.
>
> The problem is that it seems to insist on sending a message to
> the screen saying X number of days since last lastrun.
> Is their any way to use LASTRUN without it sending its output to
> the screen.

There's already a switch, /SILENT. So it's

  TKUTIL LASTRUN /SILENT

Regards
Graham

- --
Graham Cluley                            CompuServe: GO DRSOLOMON
Senior Technology Consultant,            UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.         US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com          UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com            USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------

Date: Fri, 05 Jul 1996 06:05:08 -0400
From: Bill lambdin
Subject: Re: System date set to 2096 (PC)
X-Digest: Volume 9 : Issue 108

Woody@diversicomm.com> writes

>"Steven C. Zinski" wrote:
>
>>Here at the University of Richmond, we are experiencing a problem where
>>the date is being bumped ahead 100 years (i.e., 2096) on some of our PC
>>compatible systems.
>
>Very common in several viruses.

True. Frodo, and Tremor are two viruses that mark infected files by setting the date stamp of the infected files ahead by 100 years.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 05 Jul 1996 07:01:04 -0400
From: Bill lambdin
Subject: Re: Untouchable (PC)
X-Digest: Volume 9 : Issue 108

Francois Pirsch writes

>I think most users would appreciate such a comparison, though.

It would be if InVircible and Untouchable were of similar quality.

>Does it also check the integrity of GIF or WAV files ? Fine.

If you instruct Untouchable to check all files, Untouchable will check all files including .GIFs, .WAVs, .TXT files, etc.

>Untouchable 1, InVircible 0.

Untouchable works as advertized. InVircible doesn't.

>hmmm. InVircible lets you do it manually, and I'm not sure which is the
>best method. When you create a bootable diskette with SYS A:, your
>DriveSpace or Stacker drivers are automatically added.

True enough, those drivers will be transferred to the disk. But what about drivers like Disk Manager (to access large hard drives), Diskreet (Norton's driver to access encrypted partitions), etc.?

>And how many cavity viruses did you find ? I mean viruses which don't
>modify the entry point. Such viruses would not spread too quickly, I
>guess. Unless you found a way to execute a non-executable part of a file?

What about viruses like Omud, Commander Bomber, Leapfrog, etc?
These viruses write themselves into a buffer area inside files, then place a JMP instruction that points to the virus where the original address the first JMP instruction pointed to, or after n calls to INT 21h, etc. The virus would run, then return control to the infected file. The infected files would not increase in size. A-V software like Untouchable and others that check the entire file with a CRC would detect the change. InVircible performs a spot integrity check (file areas likely to be modified by a virus) and would not.

>This is not integrity checking. Any InVircible owner can use F-PROT's
>VIRSTOP or any other free TSR scanner.

Yes, anyone could add a resident scanner as another layer. But Zvi made the comparison, and I demonstrated the difference.

>The real loopholes of InVircible are due to its nature, therefore any
>integrity checker has the same. They include slow infectors, modification
>of the integrity database, and the fact that they can only detect changes
>AFTER the actual infection, etc...

Absolutely not! The integrity checkers I recommend use a CRC to check the entire file, not just file areas likely to be modified by a virus. Many of the integrity checkers I recommend allow the user several options. Integrity Master for one.

a. use the default name for integrity data files.
b. use randomized file names for the integrity data files.
c. store all integrity data offline on a secure diskette.

You are correct that integrity checking detects viruses by detecting the change they make (after infection). However, my point of the message was that quality integrity checkers like Integrity Master, Tbcheck, Untouchable, etc will detect these changes, and InVircible will not.

You should read the test results from my fourth test of InVircible (IV-4-WHL.TXT) available on the Metaverse BBS, several sites on the WEB, and was supposed to be published in Virus-L last month.
Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 05 Jul 1996 07:01:15 -0400
From: Bill lambdin
Subject: Re: File corruption (PC)
X-Digest: Volume 9 : Issue 108

Mike Brodbelt writes

>True, but a lot is done by operating system bugs too....

I never said all file corruption was done by viruses. However, when a virus infects a file this is file corruption.

>And by what magical means is it possible, having found a corrupted
>file to determine what caused the corruption. A corrupted file is just
>that - corrupt, unless there's still an active virus on the system,
>you can't possibly tell what caused it after the event, the best that
>can be done is to make an educated guess.

Haven't you ever heard of a corrupt infection? The virus infects the file, but the infected file no longer runs.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 05 Jul 1996 16:19:22 +0200
From: support.vse@westend.com
Subject: Re: Weird drive mappings--virus? (PC)
X-Digest: Volume 9 : Issue 108

On Wed, 03 Jul 1996 16:35:42 +0000 (UNDEFINED) Steven Vance wrote:

>I have several IBM Valuepoint 425 machines that when leaving windows
>switch to drive N:\ ( which is really c:\). Upon any activity, the drive
>designation changes to A:\ (although still in c:\). No programs will run.

Are these machines in a network? Or were they once? Which version of MS-Dos do they use?

> No programs will run.

What error message?

What you are seeing is most likely some heavy (mis)usage of MS "subst" and/or Novell "map" commands and not a virus.
Ciao, Guido
- voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
  fon (++49) (0)241 404 888 | fax (++49) (0)241 404 876

------------------------------

Date: Fri, 05 Jul 1996 16:19:25 +0200
From: support.vse@westend.com
Subject: Re: What Virus do I Have? (PC)
X-Digest: Volume 9 : Issue 108

On Thu, 04 Jul 1996 01:35:49 +0000 (GMT) Steve Bouton wrote:

>Our PC is acting strangely. For example, we can't boot from any DOS
>6.x floppy but we can from a Windows95 floppy; we can't zip files,

This sounds like a dysfunctional 2nd level cache to me. Try to disable it in setup and try again.

>We discovered our conventional memory to be at 635K.

You don't use any special software to access a larger than 525 MB drive on an older machine, do you?

>We've tried McAfee and PCCillin, but no viruses are found. We swapped in
>another hard drive that should be clean and still have the same problems. I'm
>thinking it's affect the BIOS in some way.

VERY unlikely. Your boot diskettes are clean, you have triple-checked them?

Summing up: most likely a hardware problem. Since you already have removed the harddisk, why not try it in another machine to see whether it is functional?

Ciao, Guido
- voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
  fon (++49) (0)241 404 888 | fax (++49) (0)241 404 876

------------------------------

Date: Fri, 05 Jul 1996 17:34:54 +0300
From: Zvi Netiv
Subject: Dangerous virus scanner (PC)
X-Digest: Volume 9 : Issue 108

I have been experimenting recently with Dr. Solomon's Antivirus Toolkit and stumbled on something that I think AV users should know.

The S&S scanner needs a lot of memory to run. The largest portion is needed for the database driver - FINDVIRU.DRV, of about 628 kbytes in the latest 7.61 version. MESSAGE.DRV requires about 91 kbytes and the DOS engine (FV86.EXE) occupies about 40 K of conventional memory. Altogether FindViru requires about 760 kbytes memory for running.
This is no problem when booted from the hard drive and extended memory is available. FindVirus then loads the database in extended memory. The problem is when you need the antivirus most, when the hard drive is infected by a virus. In such event, the product documentation suggests that you boot clean off a floppy and run the antivirus off a floppy. When doing so, FindVirus will first attempt to load the drivers in XMS, then, if extended memory isn't available, the hard drive will be used as virtual memory. FindVirus issues the message "Using drive C to store driver temporarily" and writes its swap files to the hard drive (on my ruined drive I could find findviru.$$$ and messages.$$$, occupying about 750 kbytes).

At first, I didn't pay much attention to that fact, but I soon realized that Dr. Solomon's ruined 1.2 gig of data. Here is what happened.

Writing to the hard drive without checking first and asking the user's permission is very sloppy, especially when the program is supposed to RECOVER your data, not to RUIN it. In virus infection scenarios, the hard drive's file system could be corrupted and the LAST THING to do is to write even a single byte to the hard drive. Users having file corruption problems are usually advised to run an antivirus off floppy, after booting clean. In such cases, running Dr. Solomon's FINDVIRU will ruin their chances to recover, which could be quite easy to do if they didn't touch FINDVIRU at all. FV's swap files will worsen file corruption, which is bad enough without the contribution of Dr. Sol's scanner swap files.

In one particular case, the FindViru swap files overwrote the header of a DriveSpace compressed volume file, carelessly ruining 1.2 gigabytes of precious data that could be easily recovered, if not for the incomprehensible sloppiness in the design of FindVirus.
The closest analogy that comes to my mind is a patient with cardiac deficiency brought to hospital, and forced to climb on his own feet to the sixth floor, to the operating theater.

I suppose that Dr. Solomon's FINDVIRU easily qualifies as a Trojan. A Trojan is a program that pretends doing one thing while it deliberately does something else. As shown above, FV pretends fixing your hard drive and disinfecting from viruses while it overwrites critical data with its swap files, without even asking the user's permission. Writing the swap files to the hard drive is a deliberate procedure, thus fully qualifying as a Trojan. A Trojan needn't necessarily be harmful or destructive, yet FINDVIRU qualifies here too.

It is recommended that users think twice before running Dr. Solomon's scanner off a floppy on their hard drive. In case of doubt, better use quality antivirus software.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel            Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
CompuServe: go INVIRCIBLE             ftp.netzcomp.com   www.invircible.com
E-mail: netz@actcom.co.il  netz@netzcomp.com       Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 05 Jul 1996 18:28 +0000
From: Graham Cluley
Subject: Re: WP 6.1 intall (PC)
X-Digest: Volume 9 : Issue 108
In-Reply-To: <01I6P0A73T6KWHZC3A@csc.canterbury.ac.nz>

Howard Wood writes:

> This past week I encountered a situation with WP 6.1 for Windows that
> I need to pass along. Apparently Novell had put some extra coding into
> the disks after disk 2 which will cause certain AV programs to hit on
> them. Novell has verified that there is NO Boot Sector virus. The
> programs and their reports are as follows (according to COREL techs)

[snip!]

I passed this by the chaps in our technical support department and one of them said it sounded familiar.
It turns out that we first saw this problem about a year ago. From what they recall, Novell's original WordPerfect master disk was infected with AntiCmos. The virus was cleaned up but, unfortunately, the scanner they used to clean it didn't do a very good job as it left fragments of virus code behind. Instead of building a new disk, they used the cleaned one to duplicate copies of WordPerfect. Subsequently, when the disk was scanned, a virus was reported by some anti-virus products.

> Novell has verified that there is no Boot Sector virus.

That's right. The disk is clean.

Regards
Graham

- --
Graham Cluley                            CompuServe: GO DRSOLOMON
Senior Technology Consultant,            UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.         US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com          UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com            USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 05 Jul 1996 17:45:48 +0000 (GMT)
From: Iolo Davidson
Subject: Re: LASTRUN, without screen messages? (PC)
X-Digest: Volume 9 : Issue 108

In article <0006.01I6Q7SFSZTKWHZC3A@csc.canterbury.ac.nz>
evansr@europa.lif.icnet.uk "Richard Evans" writes:

> We are using Dr. Solomons Toolkit and I have written a batch file
> to scan user hard drives every couple of weeks. For this I am
> using the TKUTIL LASTRUN command.
>
> The problem is that it seems to insist on sending a message to
> the screen saying X number of days since last lastrun.

Many of Dr. Solomon's Toolkit programs respond to the /SILENT command line switch.

- -
IT SPREADS SO SMOOTH
LIKE VELVET
IT SHAVES SO SLICK
AND IT'S QUICK
IT FEELS
Burma-Shave

------------------------------

Date: Fri, 05 Jul 1996 15:44 +0000 (WET)
From: gstats@pixi.com
Subject: HELP!!...I'm being FORM-ed to death! (PC)
X-Digest: Volume 9 : Issue 108

I just brought back the FORM virus from a class on campus.
I accidentally left the disk in the drive when I booted up my system. I used the Anti virus program already installed in my computer, but when it got to a specific point, the system froze. The computer had shown the following phrase before it halted:

  MEMORY WAS INFECTED BY THE FORM VIRUS. THE VIRUS WAS EXTRACTED AND DESTROYED.

Now if this is true, then why does the computer find a virus every time I run the Anti-virus program.......and why does it cause my system to freeze???

I have a Packard Bell Force 845CD Multimedia computer running Windows 95. The Anti-Virus software was already installed, and I can't find any book/manual about the software or this virus.

Any help would be appreciated!!

Glen

------------------------------

Date: Sat, 06 Jul 1996 00:12:25 -0700
From: Bill Crocker
Subject: Anti-CMOS leaves floppy drive write-protected? (PC)
X-Digest: Volume 9 : Issue 108

I have a DEC PC at work that had the Anti-CMOS virus on a floppy disk, which McAfee detected, but claimed it could NOT remove. I destroyed the floppy disk. McAfee does not detect the virus on the hard drive, so the system appears to be clean. Now the floppy disk drive appears to be write protected! Is this possible? If the virus did cause this hardware problem, how can it be corrected?

Thanks,
Bill Crocker

p.s. I even replaced the floppy disk drive with a new one...same symptoms!

[Moderator's note: Most recent DEC desktop PCs have a "security" option in their BIOSes that allows you to completely disable the floppy drives, make them "read-only" or make them "normal". The default is "normal", but maybe someone twiddled your BIOS settings roughly coincidentally with this incident, leaving your floppy set to read-only?]

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 108]
******************************************
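Added example, not written by any contributor to this digest: a small Python model of the point Bill Lambdin makes in the "Re: Untouchable (PC)" thread above, that a whole-file CRC catches a change confined to an unused area inside a file while a head-and-tail spot check does not, with the 100-year date-stamp marker from the "System date set to 2096" thread recorded alongside. The file layout, the offsets, the checked regions and the dates are all constructed for the demonstration and stand in for no real product.

```python
import zlib
from datetime import datetime

# Constructed stand-in for a DOS executable: header, entry region, an unused
# buffer area of zeros, and a trailer.  Real binaries differ; the layout only
# serves to show which bytes each checking strategy actually covers.
HEADER_LEN, ENTRY_LEN, BUFFER_LEN, TRAILER_LEN = 64, 256, 2048, 128

def make_sample_file() -> bytes:
    header = b"MZ" + bytes(range(HEADER_LEN - 2))
    entry = bytes([0xE9, 0x10, 0x00]) + b"\x90" * (ENTRY_LEN - 3)
    buffer_area = b"\x00" * BUFFER_LEN
    trailer = b"\xC3" * TRAILER_LEN
    return header + entry + buffer_area + trailer

def full_crc(data: bytes) -> int:
    """CRC32 over every byte: the whole-file check the post credits to
    Untouchable, Integrity Master and Tbcheck."""
    return zlib.crc32(data) & 0xFFFFFFFF

def spot_crc(data: bytes, head=HEADER_LEN + ENTRY_LEN, tail=TRAILER_LEN) -> int:
    """CRC32 over only the start and end of the file, modelling a check of
    'file areas likely to be modified by a virus' (assumed regions)."""
    return zlib.crc32(data[:head] + data[-tail:]) & 0xFFFFFFFF

def cavity_style_modification(data: bytes) -> bytes:
    """Constructed change confined to the unused buffer area: same size,
    same entry bytes, same trailer, so only a whole-file check sees it."""
    start = HEADER_LEN + ENTRY_LEN + 100
    marker = b"CHANGED-INSIDE-UNUSED-AREA"
    return data[:start] + marker + data[start + len(marker):]

def record_baseline(data: bytes, mtime: datetime) -> dict:
    """What an integrity checker stores per file while the system is known clean."""
    return {"size": len(data), "full_crc": full_crc(data),
            "spot_crc": spot_crc(data), "mtime": mtime}

def check(baseline: dict, data: bytes, mtime: datetime) -> dict:
    """Compare the current file against its baseline; True marks a finding."""
    return {
        "size_changed": len(data) != baseline["size"],
        "full_crc_changed": full_crc(data) != baseline["full_crc"],
        "spot_crc_changed": spot_crc(data) != baseline["spot_crc"],
        # Frodo and Tremor mark infected files by pushing the date 100 years ahead.
        "date_plus_100y": mtime.year - baseline["mtime"].year == 100,
    }

def demo_modified() -> dict:
    """Cavity-style change plus a date stamp moved from 1996 to 2096 (constructed)."""
    original = make_sample_file()
    base = record_baseline(original, datetime(1996, 7, 5))
    return check(base, cavity_style_modification(original), datetime(2096, 7, 5))

def demo_clean() -> dict:
    """Unchanged file re-checked against its own baseline: nothing should fire."""
    original = make_sample_file()
    base = record_baseline(original, datetime(1996, 7, 5))
    return check(base, original, datetime(1996, 7, 5))

if __name__ == "__main__":
    for name, result in (("clean", demo_clean()), ("modified", demo_modified())):
        print(name, [k for k, v in result.items() if v])
```

Running it lists no findings for the clean file and, for the modified one, only `full_crc_changed` and `date_plus_100y`: the size and the spot check stay silent, which is exactly the gap the post describes.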