VIRUS-L Digest   Wednesday, 24 Jul 1996   Volume 9 : Issue 123

Today's Topics:

Extra copies of Digest #106 (ADMIN)
Re: PC World review
Re: McAfee's support (in support of...)
Re: About need of 'clean' booting before scanning process
Re: Virus in plain text files (was Re: Scanning incoming mail)
How do I scan email for Virus?
UNIX virus (sigh...) (UNIX)
New MAC virus - hoax or real? (MAC)
Re: MDMA virus questions? (MAC,WIN)
Re: Any NT Viruses?? (NT)
Re: Help recovering NTFS from stoned monkey (NT)
Re: Best AV for NT server (NT)
Possible Virus - Excel as Victim (WIN)
Advertisement... (was: Re: Zvi's tests of Findviru.exe (PC))
About V.6000 (was: :Re: About need of 'clean' booting ../..) (PC)
Re: about V.6000 (PC)
Re: Zvi's tests of Findviru.exe (PC)
Re: How good is McAfee (PC)
Cure for Tremor Virus? (PC)
Re: Concept virus in our DOS machine? (PC)
JJJ Virus (PC)
Need Helps from Compaq computer users (PC)
Save It--MBR backup/restore + more (PC)
Re: Which AV strategy? (PC)
Re: Please help--NavScan reports multiple viruses (PC)
Re: Hard Drive fixer? (PC)
Re: Concept virus in our DOS machine? (PC)
Re: Digital Nightmare, virus? (PC)
Re: Digital Nightmare, virus? (PC)
Re: Concept virus in our DOS machine? (PC)
Re: Help: The bad sectors in my NEC HD are growing! (PC)
Re: Concept virus in our DOS machine? (PC)
Re: Concept virus in our DOS machine? (PC)
Dark Avenger: How dangerous can it be (PC)
Re: Concept virus in our DOS machine? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Sat, 22 Jun 1996 13:20:07 +1200 (NZT)
From: Nick FitzGerald
Subject: Extra copies of Digest #106 (ADMIN)
X-Digest: Volume 9 : Issue 123

I have no idea where yesterday's stray, extra copy of Digest #106 came from. Some lucky (??) folks received two copies whereas some never received it at all when I first posted it out...

We now return you to your "normal" viewing!

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 23 Jul 1996 11:25:48 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Re: PC World review
X-Digest: Volume 9 : Issue 123

I do not have the review, since I discarded it immediately after I noticed that it used approx 8-12 viruses to test. It had a macro virus (Concept I presume), at least 1 boot sector, at least one poly, and at least one stealth virus. I do not remember anything else.
Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Tue, 23 Jul 1996 11:25:48 +0000
From: "Denis Parslow (Almo Distributing)"
Subject: Re: McAfee's support (in support of...)
X-Digest: Volume 9 : Issue 123

I have only had one occasion to call on McAfee for support in the last year and a half. This is not a sound statistical sample, I admit. Oh, all of this is via e-mail.

The issue? A customer returned a computer for credit. We examined the system (to make sure it was sound) before refurbishing it. In doing so, McAfee found a virus in a file called MBOOT0.DAT. Thinking this odd, we checked with Dr Solomon's, our other av vendor (we actually use three). Findviru reported nothing. S&S support thought it wasn't a virus either. McAfee support thought the file was actually a saved boot sector, using something like Norton (which makes sense, but for some reason hadn't occurred to either me or S&S support). I had sent a zipped copy to each support team, and when I told S&S what McAfee thought, they realized the error in our thinking and detected the virus. Bottom line was that SCAN tested all files and Findviru didn't have the correct switch in the command line to perform the same level test.

All of this took 3 days total, and left me with a clear idea of what must have happened. (By the way, S&S have been quick and helpful any number of times I have leaned on them for support, so I give them high regards for support as well.)
Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Tue, 23 Jul 1996 19:16:10 +0000 (GMT)
From: Iolo Davidson
Subject: Re: About need of 'clean' booting before scanning process
X-Digest: Volume 9 : Issue 123

In article <0005.01I7F94KYD4GXZN1VS@csc.canterbury.ac.nz> mannig@world-net.sct.fr "Gerard Mannig" writes:

> >>> No, you misunderstood me. As exposed above, V.6000 virus is *active* after
> >>> a clean boot even if you run no executable file from infected HD
> >>
> >>Not possible if you have *really* booted clean. There are
> >>viruses that spoof the floppy boot, though (Exebug for instance),
> >>and I expect that is what you are saying about V.6000.
>
> Yep. But you introduce a contradiction in your own sentence. Reread it

I don't see any contradiction. Provide a clue.

> >>> Moreover, some viruses (Stoned.Empire.Monkey ) forbid the user to boot
> >>> from a floppy as the HD becomes unreachable in those cases. So, dealing
> >>> within an infected RAM is sometimes necessary
> >>
> >>Nope. AV software can deal with Monkey without the disk being
> >>visible to DOS. Monkey doesn't "forbid" anything, it just makes
> >>the partition table unrecognisable unless the virus is in control
> >>of int 13.
>
> You are playing with words.

I understand that there may be a difficulty about second languages here. What I was doing was responding to clearly erroneous statements. Monkey does NOT "forbid the user to boot from a floppy". The user can boot from a floppy just fine. It does NOT make the hard disk "unreachable". It makes the hard disk inaccessible to DOS, but not to the BIOS or Anti-Virus software or other low level access tools.

> Of course, AV packages can deal even if HD is unreachable

Unreachable is not the right term then. That implies that there is no way to reach it. "Inaccessible to DOS" is more accurate.

> and I never said otherwise.
> Reread my stuff : I said users
> can't successfully access to monkey-infected HDs

Well they can, using various utilities that access the disk other than through DOS.

> and NOT talking about
> ability/unability for AV packages to deal with it

You also said that "dealing within an infected RAM is sometimes necessary", which is not true. It might be true if your contention that the hard disk was unreachable was really the case, but that contention is not correct. The hard disk can be accessed (but not by DOS) after a clean boot, and the problem can be fixed without "dealing within an infected RAM". The overall meaning was therefore incorrect.

Incidentally, I received a copy of your reply by mail, an unnecessary duplication which I intensely dislike. Please don't do it in future.

- -
PUT YOUR BRUSH
BACK ON THE SHELF
THE DARN THING
NEEDS A
SHAVE ITSELF
Burma-Shave

------------------------------

Date: Wed, 24 Jul 1996 00:17:00 +0000 (GMT)
From: Bob Schultz
Subject: Re: Virus in plain text files (was Re: Scanning incoming mail)
X-Digest: Volume 9 : Issue 123

Francois Pirsch wrote:

[snip]

>.ZIP files are not _self_extractible ! Only .EXE are. ZIP2EXE embeds ZIP
>files in EXE files and adds an extraction module. Here again we see that
>only EXE & COM files can be executed. The Load & Execute function of the
>DOS (function 4bh. That's for my credibility) knows only COMs and EXEs.
>Windows uses the same function, and just adds the New-EXEs.

Int 21 function 4b does not examine the file extension. As long as the file is in valid com or exe format, it will happily run a file with any name. It's command.com that restricts runnable files to bat, com and exe.

------------------------------

Date: Tue, 23 Jul 1996 04:14:19 +0000 (GMT)
From: Dark Forces
Subject: How do I scan email for Virus?
X-Digest: Volume 9 : Issue 123

How do I scan email for virus??????? Do you have any program that will do that???
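Bob Schultz's point above (INT 21h function 4Bh loads by content, not by name) and Denis Parslow's MBOOT0.DAT story earlier in this digest have the same practical consequence for a scanner: selecting files by extension is not a safe filter. The following is an added example, not code from any poster or product, that classifies files the way the loader would see them; the sample files, the MZ-header builder and the 512-byte/55AA heuristic for a saved boot-sector image are constructed for illustration.

```python
"""Classify files by what the DOS loader would accept, not by extension.

Added example for this digest, not code from any poster or product. The
loader checks for an MZ header and otherwise treats the file as a raw .COM
image, so a scanner that picks files by extension can skip executable
content under a .TXT or .DAT name. All sample files are constructed.
"""
import struct

# Names COMMAND.COM will run when typed; the loader itself does not care.
RUNNABLE_EXTS = {"com", "exe", "bat"}
COM_MAX_SIZE = 0xFF00   # roughly the largest image that fits a .COM segment


def parse_mz_header(data: bytes):
    """Return the MZ header fields, or None if the file has no MZ header.
    The 28-byte header is 'MZ' followed by 13 little-endian words."""
    if len(data) < 28 or data[:2] != b"MZ":
        return None
    f = struct.unpack_from("<13H", data, 2)
    hdr = {"last_page_bytes": f[0], "pages": f[1], "relocations": f[2],
           "header_paragraphs": f[3], "init_ss": f[6], "init_sp": f[7],
           "init_ip": f[9], "init_cs": f[10], "reloc_offset": f[11]}
    # Image size as the loader computes it from the page count.
    size = hdr["pages"] * 512
    if hdr["last_page_bytes"]:
        size -= 512 - hdr["last_page_bytes"]
    hdr["image_size"] = size
    return hdr


def classify(data: bytes) -> str:
    """What the content is, regardless of the file name."""
    if parse_mz_header(data) is not None:
        return "exe"
    # Heuristic (assumption): a 512-byte file ending in 55AA is a saved boot
    # sector/MBR image, the MBOOT0.DAT case; a signature scanner sees its code.
    if len(data) == 512 and data[-2:] == b"\x55\xAA":
        return "boot-sector-image"
    if 0 < len(data) <= COM_MAX_SIZE:
        return "com-loadable"   # no signature exists; the loader would run it as .COM
    return "data"


def extension_filter_misses(files: dict) -> list:
    """Names whose content the loader would execute but which an
    extension-based scan would skip."""
    misses = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if classify(data) != "data" and ext not in RUNNABLE_EXTS:
            misses.append(name)
    return sorted(misses)


def make_mz(pages: int, last_page_bytes: int) -> bytes:
    """Constructed minimal MZ image with the given page count."""
    header = b"MZ" + struct.pack("<13H", last_page_bytes, pages, 0, 2, 0, 0xFFFF,
                                 0, 0xB8, 0, 0, 0, 0x1C, 0)
    size = pages * 512 - ((512 - last_page_bytes) if last_page_bytes else 0)
    return header + b"\x90" * (size - len(header))


SAMPLE_FILES = {                       # constructed
    "GAME.EXE": make_mz(2, 0x10),
    "README.TXT": make_mz(2, 0x10),    # executable content under a text name
    "NOTES.TXT": b"Just a note.\r\n",
    "MBOOT0.DAT": b"\xEB\x3C\x90" + b"\0" * 507 + b"\x55\xAA",
    "BIG.DAT": bytes(70_000),          # too large for .COM, no MZ header
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} {classify(data)}")
    print("skipped by an extension-only scan:", extension_filter_misses(SAMPLE_FILES))
```

The only robust rule the classifier can give is the one Denis ended up with: scan every file, because a small file with no header is indistinguishable from a .COM image by content alone.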
------------------------------

Date: Tue, 23 Jul 1996 19:16:00 -0500
From: Paul McNabb
Subject: UNIX virus (sigh...) (UNIX)
X-Digest: Volume 9 : Issue 123

I've been lurking here on the list for many months, and thought I'd put in some info I've picked up doing operating system security design for over eight years. In this lengthy note (sorry!), "DOS" means MSDOS or MSWindows in all its varieties and versions. NT is intentionally not mentioned.

In order to protect against viruses, an operating system must do at least the following:

1) The operating system must be running in a protected domain. That is, the code that handles interrupts and services requests for system resources must be inviolate. (Great in UNIX and VMS, stinks in DOS and MAC/OS.)

2) A distinction must be made between system files and non-system files. Programs and data files that are used to run the system and which are relied upon by more than one application or user must be inviolate. (Great in UNIX and VMS, stinks in DOS and MAC/OS.)

3) All access to "raw" disk devices must be restricted. I.e., there must be no way to gain access to the disk except through the mechanism provided by the OS, which mechanisms enforce #2 above. (Great in UNIX and VMS, stinks in DOS and MAC/OS.)

4) The mechanism to provide administrative programs that bypass the above must be extremely tight and well defined. (Great in VMS, weak in UNIX, meaningless for DOS and MAC/OS.)

5) A user must be able to "lock" a program or file so that the integrity of the file is assured. I.e., there needs to be some type of file mode in between a system file and a public file such that modification can be prevented. (Good in VMS, weak in UNIX, meaningless for DOS and MAC/OS.)
UNIX viruses can be characterized by one or more of these statements:

a) they take advantage of holes in the massive functionality provided by the system "daemon processes", and use the fact that a process with UID==0 has infinite power;

b) they take advantage of holes in "set-uid programs" to get a UID of 0, and thus infinite power;

c) they begin life as a trojan horse that an administrator runs when operating with a UID of 0; or

d) they tend to be wimpy and do marginal damage to some user files (although if you are the "some user", it can be catastrophic).

The boot media problems reported are not operating system bugs, they are operational issues that stem from very poorly designed hardware (from a security point of view). Boot sector bugs hit all OS's equally hard because they are encountered before the OS is running. It's like saying an OS is not secure because it can't protect the disk against a massive pulse of electromagnetic radiation... the issue is simply outside the scope of an OS. However, it *is* a nice integrity feature if the OS can detect potential boot problems from media sitting in a bootable device (UNIX could do this, but doesn't, and this is something that is a real issue in the DOS world and has been handled fairly nicely there).

By the way, not all UNIX versions use the concept of "superuser" or "root". I know of at least eight versions that do not have any special privilege associated with any process UID or GID. The versions, although not specifically designed with anti-virus security in mind, do extremely well in protecting themselves. They also run off-the-shelf UNIX applications (is this an oxymoron?).

The bottom line is that UNIX has the building blocks and general design to allow for extremely tight security, but very few UNIX versions are that tight. On the other hand, DOS is more like a set of optional, publicly accessible library routines and provides no mechanism at all for security.
AV additions can really add a lot to DOS security and they provide some security features not present in standard unix OS releases.

paul

- -----------------------------------------------------------
Paul McNabb                     mcnabb@argus.cu-online.com
Argus Systems Group, Inc.       TEL 217-384-6300
1405A East Florida Avenue       FAX 217-384-6404
Urbana, IL 61801 USA
- -----------------------------------------------------------

------------------------------

Date: Tue, 23 Jul 1996 13:15:49 +0000
From: Michael_Hurdle@nt.com
Subject: New MAC virus - hoax or real? (MAC)
X-Digest: Volume 9 : Issue 123

Our e-mail system is being potentially flooded with the following message regarding a virus - does anyone know anything about it, or could this be an internal hoax?

"Just got word of a new virus called "Open Me." It looks to be a Macintosh control panel virus. It hit one of the facilities in Denver in a big way. At this point we don't know where it came from or how it spreads but it will destroy a hard disk. So if you bring up your Mac and see the message Open Me - don't do it.

Received from Dave Ferreira our local expert: This is not a hoax. It appears to be a control panel type of virus that can not be detected using SAM or Norton Anti-virus. The virus/control panel wipes out the B-tree or B-catalog or whatever (basically wipes out the location of every file on the hard disk)."

------------------------------

Date: Tue, 23 Jul 1996 06:06:32 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: MDMA virus questions? (MAC,WIN)
X-Digest: Volume 9 : Issue 123

Greg Oi writes:

>Jimmy,
>
>I took a look at your website article, but it was unclear if the latest
>version of McAfee will detect MDMA. The scan.dat file in the (licensed)
>update directory is dat-9606.zip, dated June 17. If the virus was
>"discovered" in July, could it be in the data file? Or is it found by
>some generic macro detection method?

By the time this posting gets through the moderator, DAT9607 would have been released.
However, at the time of your question, you would have found DAT9607 in the beta section at ftp.mcafee.com.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 23 Jul 1996 16:26:02 -0600
From: John Millington
Subject: Re: Any NT Viruses?? (NT)
X-Digest: Volume 9 : Issue 123

nelis w.j.m. (kamenz@nlr.nl) wrote:
: There is at this very moment one known 32-bit virus. The so called BOZA
: virus. This virus can infect WIN95 and WIN NT computers.

Heh heh. Watch the over-generalizations, please. :-) 32-bit viruses have been around at least since the mid 1980s. All (100%) Mac and Amiga viruses, for example, are 32-bit.

Talking about the "bitness" of a virus isn't very helpful; it's probably better to talk about what types of machines/OSes are at risk. For example, is OS/2 Warp vulnerable to BOZA?

: There are several sources (Thunderbyte AV,F-prot,etc.) who are confirming
: this information. Also there is a lot of rumours going on about the HARE
: virus. As of now there are not yet official confirmations of this virus
: spreading under 32-bit computers.
:
: So make regular back-ups and use your virus checker with the latest
: update.

Amen. Be vigilant and prepared. :-)

Yog-Sothoth Neblod Zin,
John Millington

------------------------------

Date: Tue, 23 Jul 1996 20:46:47 +0000 (GMT)
From: Steven Whitehurst
Subject: Re: Help recovering NTFS from stoned monkey (NT)
X-Digest: Volume 9 : Issue 123

On 23 Jul 1996 07:35:32 -0000, Steven Whitehurst wrote:

>My NT 3.51 system was infected by a stoned empire monkey virus, and
>will not boot. We identified an infected floppy using NAV on a
>separate machine (I had recently booted DOS from this floppy). I am
>back up and running with a new hard disk, but does anybody know how I
>might recover the partition table so I can get my data from the
>infected hard disk??

I've since discovered that Norton Antivirus successfully repairs this infection.
I never thought to try scanning the infected disk since file manager and disk manager were unable to read the disk, but of course NAV could read and repair the mbr and boot sector even though the operating system had no access to the disk.

Steve Whitehurst
steve@med.pitt.edu

------------------------------

Date: Tue, 23 Jul 1996 14:26:47 -0700
From: Don Phipps
Subject: Re: Best AV for NT server (NT)
X-Digest: Volume 9 : Issue 123

MKrebs wrote:
> May I hear the group's recommendations for an anti-virus program for a
> Windows NT server?
>
> The server will hold the data files for all our users. I'd like one that
> would scan the files on access or at least one we can schedule to scan at
> night when the load is very low.

I am testing the Dr. Solomon's Winguard and Findvirus for NT, on our NT servers. These tests are "testing compatibility" with our network environment.

Results: No virus is able to get to the operating system memory or hard drive with the current configuration. I have tested with nearly all classes of virus, and not been successful in infecting the server (which is as it should be) even with an admin id. The "WinGuard" runs as a service in the NT operating system, minimizing impact on server function. I have been impressed with the results I have seen.

I hope this is a little help in your quest.

Don Phipps

------------------------------

Date: Tue, 23 Jul 1996 15:50:29 +0200
From: Les Greenwood
Subject: Possible Virus - Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 123

On machines used by specific clients, Excel 5 & Excel 7 do the following: Opens OK, but hangs if you type any alpha characters into a cell. Numerics work just fine. I suspect a virus, as we set up and test OK, until we open the user's files.. Then Blooey !!!

I have used Dr. Solomon's but it finds Nada, zip, zero.... I can find nothing related on the July Technet CD, so pleeeeezzzz !!!
- - =======================
Les Greenwood
Transvaal Sugar Limited
Malelane, South Africa
lesg@aztec.co.za

------------------------------

Date: Tue, 23 Jul 1996 12:39:32 +0200
From: Gerard Mannig
Subject: Advertisement... (was: Re: Zvi's tests of Findviru.exe (PC))
X-Digest: Volume 9 : Issue 123

>>X-Digest: Volume 9 : Issue 122

[../..]

>>Of course, we've seen much worse. Like the advertisement series some
>>years ago from McAfee marketroids, where some arbitrary VSUM score was
>>included as a reference but for some strange reason the two best
>>products in the test were left out from the chart...

Hmm... You say 'years ago'? Well, I can't say for sure the following is done worldwide by McAfee but in France, they bitch 'Quand on est le meilleur, on peut se permettre d'etre le moins cher' (US= 'As we are the best, we can decide to be also the cheapest').

No comments.

Regards,

- ----------------------------------------------------------------
Gerard MANNIG
Virus Consultant
Phone : +33 (16) 3559-9344
Fax : +33 (16) 3560-5011
Distributor of AVP & SYSGuard, France and Spanish-speaking countries
http://www.avp.ch/E/avp-main.htm
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm

------------------------------

Date: Tue, 23 Jul 1996 12:39:25 +0200
From: Gerard Mannig
Subject: About V.6000 (was: :Re: About need of 'clean' booting ../..) (PC)
X-Digest: Volume 9 : Issue 123

>>X-Digest: Volume 9 : Issue 122

[../..]

>> [In case others aren't aware, V.6000 monkeys with CMOS so that the
>>computer will think no floppy is present. Hence a boot will transfer
>>control to the hard drive, and hence the virus. ExeBug does this, too.]

Thanks for bringing this contribution yourself. This will undoubtedly enlighten some people who Emailed me some stuff suggesting I'm quite a fool about my previous statements.

>>> In short : letting AVP dealing in all contexts is not sure (obviously)
>>> and the same goes for booting clean...
>>
>> Ok. We could amend the instructions to say "...
>> make sure CMOS knows
>>you have an A: drive, and that the boot is set to 'A: first'...", but
>>usually that's overkill. Remember -- as soon as an AV product knows about
>>a particular virus, it can give those instructions to the user when it
>>finds memory infected. In fact, I maintain that AV products *should* give
>>such instructions when feasible.

Agreed.

>>> No, you misunderstood me. As exposed above, V.6000 virus is *active* after
>>> a clean boot even if you run no executable file from infected HD
>>
>> But fixing CMOS will deal with that.

Assuming the user is aware of such a trick and makes sure, previously to each scanning, A: is existent to the CMOS seeing ;-) I think AV editing companies should have to include such a feature. AFAIK, F-PROT already does and maybe some others.

>>> When faced to an *unknown* virus, AVP will track what's going with int
>>> like 13h and 21h. If something wrong appears, then user is displayed
>>> 'tracing at [segment][offset]'
>>
>> Good; I bet it looks at other things you aren't mentioning, too
>>(with good reason).

Hehe.. Yes, it does. I was only commenting on its behaviour when faced with an unknown TSR virus.

>>> After this, of course, no scan is to be performed; Running AVPUTIL will
>>> allow him to dig deeper, assuming he wants to handle things by himself.
>>> Isolating a TSR virus hiding in TOM is done within 1 minute and allows
>>> anyone to save a piece of RAM as a binary file
>>
>> Sounds like an intelligent approach to me.

and quite easy to do thru a hot-line 'cause users are generally afraid of such handling ;-)

>>> Moreover, some viruses (Stoned.Empire.Monkey ) forbid the user to boot
>>> from a floppy as the HD becomes unreachable in those cases. So, dealing
>>> within an infected RAM is sometimes necessary
>>
>> Well, we'll always have special cases, like V.6000, Orsam, etc. And
>>dealing with Monkey is just fine after a clean boot, unless your AV soft-
>>ware is on the hard drive only.
Hence the problems many users experienced when running a GUI-only AV package with no DOS-based engine on a separate floppy 8'-( Monkey is quite well dealt with, though, but some other to-come viruses may annoy a bit 8-/

>>One can *always* boot clean, though doing
>>so may be less trivial than just putting a locked clean diskette in A:.
>>
>> Hence I still maintain that dealing with infected RAM is *never*
>>necessary, though it may well be more convenient on occasion. When
>>well-implemented, removal while a virus is active in memory is a nice
>>feature.

Sure, it is never *necessary* and rereading my former posting will never point out the word 'necessary'. Topic was that AVP deals with infected RAM when faced with this situation.

Regards,

- ----------------------------------------------------------------
Gerard MANNIG
Virus Consultant
Phone : +33 (16) 3559-9344
Fax : +33 (16) 3560-5011
Distributor of AVP & SYSGuard, France and Spanish-speaking countries
http://www.avp.ch/E/avp-main.htm
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm

------------------------------

Date: Tue, 23 Jul 1996 12:39:14 +0200
From: Gerard Mannig
Subject: Re: about V.6000 (PC)
X-Digest: Volume 9 : Issue 123

>>X-Digest: Volume 9 : Issue 122

>>)I agree. I simply point out that doing this is no more 'water-proof' since
>>)V.6000 came out
>>
>>Is this a troll/joke on DOS, or are you claiming that there is no
>>way to guarantee a boot with no virus installed. I claim that:

[../..]

This is not a joke. Apart from this, you are entitled to claim what you want. Eugene KASPERSKY, author of both AVP (AntiVIRAL Toolkit Pro) and AVPVE (Virus Encyclopedia), as for him, is also entitled to say the following, having worked on V.6000 and built a detection/disinfection routine many months ago. Next time be wiser before writing.

<------------------- excerpt of AVP Virus Encyclopedia ------------------>

V.6000

It is a dangerous memory-resident polymorphic stealth multipartite virus.
On execution of an infected file or loading from an infected floppy, the virus writes itself into the MBR of the hard drive. The virus stays memory resident on loading from an infected MBR only; it hooks INT 8, 13h, 17h, 1Ch, 20h, 21h, 25h, 26h, 27h and writes itself at the end of COM and EXE files as they are accessed or on program termination. Depending on its internal counter the virus searches for files and hits them. The virus checks the file names and does not hit the files:

COMMAND.COM, GDI.EXE, DOSX.EXE, WIN386.EXE, KRNL286.EXE, KRNL386.EXE, USER.EXE, WSWAP.EXE, CHKDSK.EXE

On accessing floppy disks the virus writes itself into their boot sector. Depending on its internal counters, and under debuggers, the virus erases CMOS and hard drive sectors.

The virus uses a complex algorithm allowing it to stay memory resident after a cold reboot and loading from a clean DOS floppy disk. On installation the virus stores the CMOS memory that keeps the information about floppy drives and sets that info to zero (i.e. the virus emulates the situation when no floppy drives are installed). On accessing disks the virus temporarily restores the CMOS and then erases these fields again. On any (cold or warm) reboot the system checks the CMOS, does not detect the floppy disks and passes control to the MBR of the hard drive. The virus installs itself into memory and then passes control to the floppy disk loader. As a result the virus stays memory resident after loading from a clean write-protected disk.
<------------------------------------------------------------------------>

Regards,

- ----------------------------------------------------------------
Gerard MANNIG
Virus Consultant
Phone : +33 (16) 3559-9344
Fax : +33 (16) 3560-5011
Distributor of AVP & SYSGuard, France and Spanish-speaking countries
http://www.avp.ch/E/avp-main.htm
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm

------------------------------

Date: Tue, 23 Jul 1996 12:04 +0000
From: Graham Cluley
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 123
In-Reply-To: <01I7F94KYD4GXZN1VS@csc.canterbury.ac.nz>

"Mikko H. Hypponen" writes:

> Graham Cluley wrote:
>
> > Which of the reviews at http://www.drsolomon.com/avtk/reviews aren't
> > independent then? None of them are by Dr Solomon's.
>
> Well...the test themselves might be independent, but the presentation is
> done by Dr Solomon's, which obviously means that only tests where the
> Toolkit has succeeded well are included.

Naturally our marketing department aren't as keen to make available reviews from the likes of PC World et al, where they test against half a dozen viruses, sit down with cocoa and say "Hmm.. so which one's got the prettiest interface?". :-)

But we do have reviews up there which Dr Solomon's doesn't win, and indeed I've noticed that sometimes F-Prot has scored better in some of the tests (eg. polymorphic test by Secure Computing, May 96) but we still make them available.

> And even then some of your pages seem to include only those parts of the
> tests where Toolkit has had a good score, conveniently leaving out other
> parts of the same review.

I'm not sure what you're referring to here. There has been a problem in the past getting hold of reviews. Some magazines ask for thousands of pounds for reproduction rights. Sometimes we get round this by saying "Well, how about if you let us just print the statistics and we leave out the fluff".
So then we can present the raw statistics of which products found how many viruses, at what speed, etc etc without the bumf the reviewer has put round it about how pretty the installer was. I think users are interested in these statistics more, and if it's a choice between statistics and nothing I know which I'd choose.

If there are any complaints at all about the website and its content I urge users to email our webmaster (webmaster@uk.drsolomon.com) so he can sort them out.

> Of course, we've seen much worse. Like the advertisement series some
> years ago from McAfee marketroids, where some arbitrary VSUM score was
> included as a reference but for some strange reason the two best
> products in the test were left out from the chart...

I hate to say it but I still see this in the UK. Command Software in the UK give out one page fliers which claim to be reprints of the Secure Computing tests. They say things along the lines of "20 products tested - find out who came out top". And then they print just the reviewer's comments on F-Prot. What they don't say is that it didn't come top!!

I guess most of the larger anti-virus companies have done this kind of thing at some time or another. So I urge anyone to moan to our webmaster if there's something they don't like up there.

The most horrendous people can be found in marketing departments of anti-virus companies. I'm always astonished by what they write and try and get "out there". It's a constant battle to keep them under control and remind them that references to "condoms" and "AIDS" are perhaps not in the best taste.

I guess we should feel sorry for marketroids - it can't be half as fun as being a techie. Of course there are some techies who are as barmy as marketroids, and they go around making the infamous "past, present, and future" claims. I think most of us know who I'm referring to.
:-)

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 23 Jul 1996 12:04 +0000
From: Graham Cluley
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 123
In-Reply-To: <01I7F94KYD4GXZN1VS@csc.canterbury.ac.nz>

Mike writes:

> I'm sorta interested in Dr Solomon, but none of my local retailers
> (US-CA-LA) carry it.

Call our USA HQ at 800 701-9648 (voice-mail for call-backs) and they'll tell you where you can get it. In fact we have an office in Mission Viejo, California as well as the one in Boston.

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Mon, 22 Jul 1996 23:53:37 -0700
From: Wes Wigginton
Subject: Cure for Tremor Virus? (PC)
X-Digest: Volume 9 : Issue 123

Norton has detected the "Tremor" virus on a Win3.11 machine. Is there a cure?

- -
Wes Wigginton
Technical Recruiter
technicalSCOUTS
512\331-7756 off.
512\335-1899 fax
wow@techSCOUTS.COM
http://www.stepwise.com/ThirdParty/Services/technicalSCOUTS.htmld

------------------------------

Date: Tue, 23 Jul 1996 08:25:35 -0500
From: Jonathan Williams
Subject: Re: Concept virus in our DOS machine? (PC)
X-Digest: Volume 9 : Issue 123

Donald Chun Kit Wong wrote:

> 1. Are the files named in "smartchk.cps" created by NAV the infected
> files?
> If not, what is the purpose of these files and can I delete them?
> These "smartchk.cps" files are in various subdirectories: root, dos,
> dosfax, drivers, and users directories. The files indicated have .sys,
> .com, .zip, .exe, .pgm extensions, but not .doc.

I use Norton, and have not seen these files before. I believe Norton renames files with the extension ".vir".

> 2. Can this be an error by Norton anti-virus? Can this program scan the
> files compressed inside zipped files?

Norton does scan inside compressed files, including .zip files.

> 3. I understand the Concept virus is a macro virus that infects Word for
> Windows documents. Can it infect .zip, .pgm, .com, .exe, and .sys files?
> Can it infect files when you don't have Word for Windows on the system
> (Sounds like a stupid question but I just need some confirmation).

Not stupid at all. :) Concept only infects Word documents (actually it re-saves them as templates with a .doc extension). If the files whose extensions you listed are not actually Word documents (templates), then Concept cannot infect them, with the exception of documents stored in .zip archives. The virus runs specifically on Word, and as such, cannot be active when Word is not running.

Further info can be found at:

http://www.datafellows.com (F-Prot Anti-virus)
http://www.sands.com (Dr. Solomon's Anti-virus)
http://www.symantec.com (Norton Anti-virus)

Jonathan
jonvwill@iastate.edu

------------------------------

Date: Tue, 23 Jul 1996 12:10:52 +1000
From: Ford_Prefect
Subject: JJJ Virus (PC)
X-Digest: Volume 9 : Issue 123

Anyone heard of or have the JJJ virus (screen hack) going around Australia at the moment?? Anyone have any info about it??
-- 
------------------------------------------------------------------------------
|FORD_PREFECT                                                                |
|E-Mail : J6871863@ironbark.bendigo.latrobe.edu.au                           |
|HomePage : http://ironbark.bendigo.latrobe.edu.au/~j6871863/woto.htm        |

------------------------------

Date: Tue, 23 Jul 1996 18:17:30 +0000 (GMT)
From: Chong Wooi Koay
Subject: Need Helps from Compaq computer users (PC)
X-Digest: Volume 9 : Issue 123

I've lost all my hard drive partitions due to the virus, hare.mp. I need
to reconfigure my hard drive partition, but I don't know the settings.
If you're using a Compaq Presario CDS 982 and upgraded to Windows95 from
Windows 3.1, please help me. I need your help badly.

All I need to know is your hard drive partition. Go to the DOS prompt,
type "fdisk". And then choose the fourth (4th) option to display your
partition table. Copy down all your settings and email them to me. My
email address is chk580@mail.usask.ca

I would greatly appreciate your kindness and helpfulness. Thank you very
much.

Yours sincerely,
Chong-Wooi KOAY.

------------------------------

Date: Tue, 23 Jul 1996 14:15:54 -0400
From: Jad
Subject: Save It--MBR backup/restore + more (PC)
X-Digest: Volume 9 : Issue 123

I (and many others, I'm sure) have noticed that in many virus infections,
restoring the exact (uninfected) copy of the boot sector and/or MBR would
"disinfect" a computer. Depending on which virus is doing the infecting,
of course.

My point: (Yes, there is a point to this message. :) )

I have written three programs called: Save The Boot!, Save The
Partition!, and Save The FAT!. As their names describe, the first one
saves a copy of the boot sector of a selected disk to a file which can
then be restored to the boot sector and/or compared with the current boot
sector. Save The Partition! does the same job, but saves the MBR and
partition tables of a selected hard drive. Save The FAT! saves both
copies of the FATs and the root directory entries to a file which can be
restored later.
There is no compare feature in this program, as the FAT changes too much
for a compare feature to be of use.

They all are FreeWare, so please download them and use them. They may
save you from a lot of trouble (and maybe money). Hence the names. :)

I am currently trying to upload these to SimTel and Garbo sites, but
haven't had a chance to yet. They are available from my web page:

http://www.easynet.on.ca/~johanc/stbfp11.zip

(All in the one ZIP with English documentation.)

Now, before anyone "informs" me, I'm aware that there are other programs
(both commercial and non-commercial) that do what my programs do. But I
haven't heard much about any one program that is used by many people.
Besides, MY programs are THE BEST. :) They have help screens,
documentation, and are CANADIAN! :)

Now that I'm done plugging my programs...

Just wanted to say the conduct of AV authors has been great. Graham and
Jimmy are almost promoting other AV programs, which shows they are
confident of their own AV programs. Good work, guys.

Regards to all,
Jad Saliba

------------------------------

Date: Tue, 23 Jul 1996 19:10:20 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 123

Totally Lost (idletime@netcom.com) wrote:

[snip]

> So ask your system/BIOS vendor when they are going to implement vendor
> a public key encryption with certificate options so that *YOU* can
> know for sure you are booting a virus free OS image.

Lovely solution, but impractical as a solution *today*. How are you
planning to make such a system/BIOS available at a low enough cost (free)
so that all users will install it on all functioning machines? Since
most machines don't have flash BIOS, we're talking real dollars here.

Mind you, it would be lovely if computer manufacturers would implement
better security that wouldn't compromise functionality, but it is only a
very long term solution if it only applies to new machines.
As long as there is a single machine that hasn't been upgraded, there
will be a need for AV solutions. Remember: there are still IBM PCs and
Mac 128s in use out there, so the lifetime of some computers exceeds 15
years.

-BPB

------------------------------

Date: Tue, 23 Jul 1996 20:27:21 +0000 (GMT)
From: Shane Coursen
Subject: Re: Please help--NavScan reports multiple viruses (PC)
X-Digest: Volume 9 : Issue 123

In article <0028.01I7DVDHTRF2XZN17D@csc.canterbury.ac.nz>,
sandspm@cix.compulink.co.uk says...

>In-Reply-To: <01I7C9H502RYXZM9T6@csc.canterbury.ac.nz>
>99th@myna.com writes:
>> NAVSCAN [dos] - detected the following viruses [viri???]
>
>Which version of Norton Anti-Virus is that? [and it is "viruses"]
>
>> Kazor
>> IVP 568
>> Air Raid 1730
>> Neuroq / Nightfall
>> Infector 612
>> Phoenix 1226
>> November 17 1007
>> Cascade 1704.A Gen 1
>>
>> Now the stupid thing is that the version that I have only scans, it
>> doesn't clean.

Correct. You are using the trial version of NAV. Detect only, no repair
capability. Only the commercial version provides for repair.

Sounds like you've updated the trial version of NAV with the latest
definition update. Please understand there have been many enhancements
made to the commercial version of NAV since the release of the NAV trial
version. The latest definition sets simply will not work with the trial
version of NAV.

As a remedy, I will see what I can do about removing the trial version
from the Symantec website. Apologies for the confusion.

-- 
Shane Coursen
scoursen@symantec.com
http://www.symantec.com/avcenter
Computer Virus Researcher
Symantec AntiVirus Research Center

------------------------------

Date: Tue, 23 Jul 1996 16:00:48 -0400
From: Bill Lambdin
Subject: Re: Hard Drive fixer? (PC)
X-Digest: Volume 9 : Issue 123

Iolo Davidson writes.

>No, not really damaged. However, there are viruses that mark
>sectors as bad in order to reserve them for their own use
>(usually on floppies).
>These markers are just written to the
>disk as data, and do not constitute damage.

One of the viruses that marks the sectors it uses as bad is the old
Pakistani Brain. If I remember correctly, it marks 3K of sectors bad on
a 360K diskette.

Bill Lambdin
--------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 23 Jul 1996 14:55:43 -0700
From: Don Phipps
Subject: Re: Concept virus in our DOS machine? (PC)
X-Digest: Volume 9 : Issue 123

Donald Chun Kit Wong wrote:

> We may have a virus / viruses in our lab computer and would appreciate
> some help untangling some findings. We have a 286 running DOS 4 and MS
> Word for DOS ver.5 in the lab. One of the grad students in the lab brought
> a disk home with her word file from here. The disk was supposedly new. I
> don't know if she has used it with one of the public computers in the
> office. She opened her document at home on Word for Win95. She said that
> when she opened the file, a window popped up that said "F1" with a "ok" and
> a "cancel" button. Her S.O. pressed okay and everything proceeded
> uneventfully. She did her work and saved her file. He rebooted and
> checked with Norton anti-virus and found the Concept virus in that
> document. We have not encountered any unusual activity in the lab
> computer. She's sure that she did not get it from home because she said
> she has never brought the disk home before. They came back to the lab with
> Norton anti-virus and scanned the hard disk here. He found 18 or more
> infected files. He cleaned it. The Norton anti-virus seemed to have left
> some files called "smartchk.cps" lying around in several directories. They
> contain some unreadable code plus some file names. I have the following
> questions that I wonder if anyone can answer. I'm also trying to contact
> her S.O.
> with these questions but have not been able to reach him.
>
> 1. Are the files named in "smartchk.cps" created by NAV the infected
> files? If not, what is the purpose of these files and can I delete them?
> These "smartchk.cps" files are in various subdirectories: root, dos,
> dosfax, drivers, and users directories. The files indicated have .sys,
> .com, .zip, .exe, .pgm extensions, but not .doc.

The smartchk.cps files are checksum files created by NAV for the purpose
of faster scanning, and assuring that your files do not change. It keeps
relative track of the sizes of your executable types of files.

> 2. Can this be an error by Norton anti-virus? Can this program scan the
> files compressed inside zipped files?

NAV can scan inside compressed files if it is configured to do so. The
creation of these files is not an error; they are "encrypted" in a format
that the NAV scanner engine understands.

> 3. I understand the Concept virus is a macro virus that infects Word for
> Windows documents. Can it infect .zip, .pgm, .com, .exe, and .sys files?
> Can it infect files when you don't have Word for Windows on the system
> (Sounds like a stupid question but I just need some confirmation).

The Concept virus is a macro virus. It only infects macros in Microsoft
Word or WinWord 6.x and newer documents (*.doc or *.dot). If you have a
compressed file such as a ZIP or ARC file which contains a document
infected by the macro virus, then you might say that the compressed file
was infected indirectly.

Typical viruses are Operating System dependent -- they require a specific
operating system to be their "host". The Winword macro viruses no longer
are dependent on the operating system; they are dependent on the
application to be their host. Therefore, they can infect files in any
operating system that can run the more recent Microsoft Word or WinWord
applications.

I hope that this information is helpful.

Good Luck!
Don Phipps, Sr Systems Analyst
Clorox Services Company

> Donald Wong, Ph.D.
> Pathology, Univ. of B.C.
> Vancouver, Canada

------------------------------

Date: Tue, 23 Jul 1996 15:04:47 -0700
From: Don Phipps
Subject: Re: Digital Nightmare, virus? (PC)
X-Digest: Volume 9 : Issue 123

Suzanne Kathleen Ackerson wrote:

> Please don't flame me, but I'm not sure what to think. I was
> downloading a bunch of files from some places that I assume are
> reliable and while unzipping them, and afterwards while one of them was
> unzipping I saw on the screen something that looked like the creature
> from the Alien movies, and later, after that I was running some files,
> looking for something and I found one called DIGI.COM. I ran it and I
> started to hear some MIDI music and saw on the screen some lifesavers
> floating around with "DIGITAL NIGHTMARE" in the background. I hit
> escape and that brought my system to DOS. Right before I went to DOS I
> heard this screeching sound coming from my speakers. Scared, I booted
> it back up and heard the sound again until I eventually turned off my
> computer. I turned it back on and the sound wasn't there. Is this a
> virus or am I just paranoid? If it isn't a virus, then what is it?

I cannot say if it is or is not a virus. It is possible that it is a
virus. Your best direction from here would be to procure a good
anti-virus and a clean write-protected boot disk of the same version
operating system you have on your system. Cold boot your system using
the write-protected floppy, and then run an anti-virus scanner to detect
and clean your hard drive. If the virus is a new virus, it may not be
detected (not a high probability).

Additionally, you should establish a careful procedure in your computing
habits to download only to diskette if possible, and then scan the
download for viruses before opening the file or executing it.
You may even want to have an anti-virus application running in
"real-time" mode all the time, which would intercept any "virus" files
and prevent you from downloading them. Dr. Solomon's WinGuard is very
effective for this purpose. There are others as well, but this is one
that I have tried and found extremely helpful.

Don Phipps

------------------------------

Date: Tue, 23 Jul 1996 19:40:30 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Digital Nightmare, virus? (PC)
X-Digest: Volume 9 : Issue 123

In article <0026.01I7F94KYD4GXZN1VS@csc.canterbury.ac.nz>
spacecat@ix.netcom.com "Suzanne Kathleen Ackerson" writes:

> Is this a
> virus or am I just paranoid? If it isn't a virus, then what is it?

Get some anti-virus software, run it, and see what it says. Trying to
guess whether you have a virus from a description of what you think
might be symptoms is a waste of time, yours and ours.

-- 
PUT YOUR BRUSH              NEEDS A
BACK ON THE SHELF           SHAVE ITSELF
THE DARN THING              Burma-Shave

------------------------------

Date: Tue, 23 Jul 1996 22:28:44 +0000 (GMT)
From: John Gog
Subject: Re: Concept virus in our DOS machine? (PC)
X-Digest: Volume 9 : Issue 123

In article <0023.01I7F94KYD4GXZN1VS@csc.canterbury.ac.nz>, Donald Chun
Kit Wong wrote:

>1. Are the files named in "smartchk.cps" created by NAV the infected
>files? If not, what is the purpose of these files and can I delete them?
>These "smartchk.cps" files are in various subdirectories: root, dos,
>dosfax, drivers, and users directories. The files indicated have .sys,
>.com, .zip, .exe, .pgm extensions, but not .doc.

I'm not real familiar with Norton's current flavor, but the insertion of
CPS files is common among virus scanners. They are checksum type files
that can be used for comparison by the AV program later.

>2. Can this be an error by Norton anti-virus? Can this program scan the
>files compressed inside zipped files?

The behavior you described is typical of Concept. So the reading was
correct.
The fact that 18 files were infected (I'm assuming all by Concept)
indicates that the virus was already on the system before the user was
infected. Please note that if she copied the file back to her floppy
before the cleaning, it is now infected, and she'll be infecting any
other PC she opens the document on.

To my knowledge, Norton doesn't scan inside zipped files per se; it does
scan zipped files to see if they are actually virii or trojans.

>3. I understand the Concept virus is a macro virus that infects Word for
>Windows documents. Can it infect .zip, .pgm, .com, .exe, and .sys files?
>Can it infect files when you don't have Word for Windows on the system
>(Sounds like a stupid question but I just need some confirmation).

Concept only infects MS Word documents, from where it plants itself in
the global template. By doing this, it is passed on to every document
edited or created subsequently.

Regards,
John Gog
RAM

------------------------------

Date: Tue, 23 Jul 1996 22:29:53 +0000 (GMT)
From: Robert HULL
Subject: Re: Help: The bad sectors in my NEC HD are growing! (PC)
X-Digest: Volume 9 : Issue 123

In article <0017.01I6P0A73T6KWHZC3A@csc.canterbury.ac.nz>
cjkuo@alumnae.caltech.edu "Chengi J. Kuo" writes:

> eike writes:
>
> >Chia-yin Shih (chiayin@u.washington.edu) wrote:
> >: Even if I do ScanDisk immediately after I just finish one, the number of
> >: clusters containing bad bytes will still increase. This abnormal thing
> >: does not happen to my other two hard drives (one Maxtor and one
> >: Samsung), so I think it should be the NEC drive which has gone wrong.
> >:
> >: In my NEC drive, there used to be only about 2,000 bytes in bad
> >: sectors, but the number has increased to 1,056,768 bytes in bad
> >: sectors during only two days.
> >:
> >: Can this be caused by a virus? (But I have checked the NEC drive with
> >: the F-PROT program several times and found nothing wrong.)
> >: Could anyone tell me how to prevent it from getting worse?
> >
> >I strongly recommend a full backup of your data, because I think that the
> >possibility of a head crash within the next days is 99%. I have seen
> >problems like this several times on different machines, mostly UNIX boxes,
> >and each time, the disk was dying!
>
> This is a good assessment. Generally, if the head is terribly misaligned
> or failing (almost scratching the disk), any new place it writes to is a
> new bad sector.
>
> So, as soon as you can, use it only to read whatever data you have and
> back it up.

No-one seems to have thought that this *could* just be down to a dodgy
drive cable. If that should prove to be the case, it would be quite easy
to cure - that was certainly my experience just recently.

Note, I'm not saying that the other explanations *cannot* be valid ;-)

-- 
Robert
In the interest of greater transparency, my new sig follows:

------------------------------

Date: Tue, 23 Jul 1996 19:08:29 +0000 (GMT)
From: Shane Coursen
Subject: Re: Concept virus in our DOS machine? (PC)
X-Digest: Volume 9 : Issue 123

In article <0023.01I7F94KYD4GXZN1VS@csc.canterbury.ac.nz>,
dcwong@unixg.ubc.ca says...

>We may have a virus / viruses in our lab computer and would appreciate
>some help untangling some findings. We have a 286 running DOS 4 and MS
>Word for DOS ver.5 in the lab. One of the grad students in the lab brought
>a disk home with her word file from here. The disk was supposedly new. I
>don't know if she has used it with one of the public computers in the
>office. She opened her document at home on Word for Win95. She said that
>when she opened the file, a window popped up that said "F1" with a "ok" and
>a "cancel" button. Her S.O. pressed okay and everything proceeded
>uneventfully. She did her work and saved her file. He rebooted and
>checked with Norton anti-virus and found the Concept virus in that
>document.

You saw a "1" or an "F1"

>We have not encountered any unusual activity in the lab computer.

Not too surprising.
The original strain of Concept is pretty benign. The dialog box you saw
-- 1 or F1 -- is all that is displayed.

>She's sure that she did not get it from home because she said
>she has never brought the disk home before.

As in most cases, it's very difficult to say for sure where the infection
came from. My guess (from reading your full message) is that it came from
the workplace.

>They came back to the lab with Norton anti-virus and scanned the hard
>disk here. He found 18 or more infected files. He cleaned it. The
>Norton anti-virus seemed to have left some files called "smartchk.cps"

Actually, the SMARTCHK.CPS files came from another AV package - CPAV.

>lying around in several directories. They contain some unreadable code
>plus some file names.

Correct. One per directory. These files contain CPAV's inoculation
information.

>1. Are the files named in "smartchk.cps" created by NAV the infected
>files? If not, what is the purpose of these files and can I delete them?

Answered above.

>These "smartchk.cps" files are in various subdirectories: root, dos,
>dosfax, drivers, and users directories. The files indicated have .sys,
>.com, .zip, .exe, .pgm extensions, but not .doc.

If you no longer are using

>2. Can this be an error by Norton anti-virus?

Pshaw...

>Can this program scan the files compressed inside zipped files?

NAV can scan within .ZIP files -- so long as they are not "scrambled"
with a password.

>3. I understand the Concept virus is a macro virus that infects Word for
>Windows documents. Can it infect .zip, .pgm, .com, .exe, and .sys files?

Concept does not infect .PGM, .COM, .EXE or .SYS files. Concept will not
infect .ZIP files either, but beware...infected Word files can exist
within. If you question the integrity of any Word document or template,
I would advise scanning it. Macro viruses (especially Concept) seem to
be the most common type of virus we see these days.
>Can it infect files when you don't have Word for Windows on the system
>(Sounds like a stupid question but I just need some confirmation).

Concept (and most other macro viruses) absolutely require Word.

NOTE: Just having Word on the computer isn't enough for a macro virus to
infect. You need to run Word, and then open an infected document or
template.

Hope this helps.

-- 
Shane Coursen
scoursen@symantec.com
http://www.symantec.com/avcenter
Computer Virus Researcher
Symantec AntiVirus Research Center

------------------------------

Date: Wed, 24 Jul 1996 01:02:02 +0000 (GMT)
From: Donald Chun Kit Wong
Subject: Re: Concept virus in our DOS machine? (PC)
X-Digest: Volume 9 : Issue 123

I've gotten several email replies. They confirm, as expected, that the
Concept virus cannot infect documents without WordWin being run. So, I
wonder how this virus got into our 286 system that doesn't have Word for
Windows or Windows. It cannot work in Word for DOS, I presume. I guess
she may have used her disk on another computer with WordWin.

Another strange thing is that she said her S.O. used Norton anti-virus
on our computer, but the "smartchk.cps" files left behind are apparently
generated by Central Point anti-virus.

I'm just glad that I can probably assume our 286 is not the source of
her Concept virus.

Donald Wong, Ph.D.
Pathology, Univ. of B.C.
Vancouver, Canada

------------------------------

Date: Wed, 24 Jul 1996 02:01:57 +0000 (GMT)
From: Mehmet Gokmen Orun
Subject: Dark Avenger: How dangerous can it be (PC)
X-Digest: Volume 9 : Issue 123

I have talked to a couple of people recently who have gotten the Dark
Avenger virus on their machine, and they were also stating that they were
having a difficult time cleaning their hard disk even with a clean boot
disk. Although I have not verified this on their machine personally, I
was wondering what some of the side effects of Dark Avenger may be.
My knowledge of this virus is limited to the info provided by F-Prot, and
I am curious about how the virus spreads to other files which read it.

Thanks for your help
M.Orun

------------------------------

Date: Wed, 24 Jul 1996 02:06:33 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Concept virus in our DOS machine? (PC)
X-Digest: Volume 9 : Issue 123

Donald Chun Kit Wong writes:

>when she opened the file, a window popped up that said "F1" with a "ok" and

Can you send me a copy of one of these files? Either it said "F1" and
it's a variant, or it said "1" and you transcribed it wrong.

>1. Are the files named in "smartchk.cps" created by NAV the infected
>files? If not, what is the purpose of these files and can I delete them?

No. NAV did not create them. I'm guessing CPAV (Central Point) did.
Probably for integrity checking. (Hey, Symantec guys, can he delete
them?) (Probably.)

>2. Can this be an error by Norton anti-virus? Can this program scan the
>files compressed inside zipped files?

Normally, yes. I'll let a NAV specialist tell you if it detects DOC
viruses inside ZIP files. I believe yes.

>3. I understand the Concept virus is a macro virus that infects Word for
>Windows documents. Can it infect .zip, .pgm, .com, .exe, and .sys files?
>Can it infect files when you don't have Word for Windows on the system
>(Sounds like a stupid question but I just need some confirmation).

No. (Though it's easy enough to ZIP up a document after it's been
infected by a virus.)

Jimmy
cjkuo@mcafee.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 123]
******************************************
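As an added example, not code from this digest nor from Jad's Save The Partition! program, here is a Python script that demonstrates the two ideas raised in the "Save It--MBR backup/restore" and "Need Helps from Compaq computer users" posts: it parses a 512-byte MBR, prints the partition entries the way fdisk's display option lists them, and compares a saved backup against the current sector, reporting whether the boot code, a partition entry or the boot signature changed. Every byte of the sample sector, and the tampered copy, is constructed for the example.

```python
"""Back up a 512-byte MBR image, show its partition table, and compare a
saved copy against the current sector to see which region changed.
All sector contents below are constructed; nothing is read from a disk."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16           # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xAA"        # bytes 510..511 of a valid MBR


def has_valid_signature(sector):
    return sector[510:512] == SIGNATURE


def parse_partition_table(sector):
    """Return the four partition entries as dicts (status/type/LBA/size)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) start-LBA(4) sectors(4)
        status, ptype, start_lba, nsectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        entries.append({"index": i + 1, "bootable": status == 0x80,
                        "type": ptype, "start_lba": start_lba,
                        "sectors": nsectors,
                        "size_mb": nsectors * SECTOR_SIZE // (1024 * 1024)})
    return entries


def format_partition_table(sector):
    """Plain-text listing similar to what fdisk's display option prints."""
    lines = ["Part  Boot  Type  Start LBA   Sectors     Size(MB)"]
    for e in parse_partition_table(sector):
        if e["type"] == 0:
            continue                       # unused slot
        lines.append("%-5d %-5s 0x%02X  %-11d %-11d %d" % (
            e["index"], "yes" if e["bootable"] else "no", e["type"],
            e["start_lba"], e["sectors"], e["size_mb"]))
    return "\n".join(lines)


def compare_mbr(saved, current):
    """List human-readable differences between a backup and the current
    sector; an empty list means the MBR is byte-for-byte unchanged."""
    diffs = []
    if not has_valid_signature(current):
        diffs.append("current sector is missing the 55AA boot signature")
    # The boot code region is where boot-sector viruses normally live.
    if (hashlib.sha256(saved[:PART_TABLE_OFFSET]).digest()
            != hashlib.sha256(current[:PART_TABLE_OFFSET]).digest()):
        diffs.append("boot code region changed")
    for old, new in zip(parse_partition_table(saved),
                        parse_partition_table(current)):
        if old != new:
            diffs.append("partition entry %d changed: %r -> %r"
                         % (old["index"], old, new))
    return diffs


def build_sample_mbr():
    """Constructed MBR: dummy boot code, one bootable FAT16 partition
    (type 0x06, LBA 63, 409,500 sectors) and one extended partition."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x90" * (PART_TABLE_OFFSET - 3)
    p1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                     b"\xFE\x3F\x18", 63, 409500)
    p2 = struct.pack("<B3sB3sII", 0x00, b"\x00\x01\x19", 0x05,
                     b"\xFE\x3F\x30", 409563, 204750)
    empty = b"\x00" * PART_ENTRY_SIZE
    return boot_code + p1 + p2 + empty + empty + SIGNATURE


def tampered_copy(sector):
    """Constructed 'after' image: the first 16 bytes of boot code are
    overwritten while the partition table and signature stay intact."""
    return b"\xAA" * 16 + sector[16:]


if __name__ == "__main__":
    backup = build_sample_mbr()
    print(format_partition_table(backup))
    print("unchanged:", compare_mbr(backup, backup))
    print("tampered: ", compare_mbr(backup, tampered_copy(backup)))
```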