VIRUS-L Digest   Sunday, 28 Jul 1996   Volume 9 : Issue 126

Today's Topics:

Administrivia (ADMIN)
Re: Disknet
General MAC Question (MAC)
Re: New concept virus? (MAC,WIN)
Username changed to William Shakespeare--Trojan-horse? (WIN95)
Re: Pc-Cillin 95 & Mcafee together?? (WIN95)
Re: F-Prot Pro demo mega problem (WIN95)
McAfee DREAMS and bumps in the night... (WIN95)
Re: Possible Virus -Excel as Victim (WIN)
Re: Possible Virus -Excel as Victim (WIN)
Re: Possible Virus -Excel as Victim (WIN)
Re: Possible Virus - Excel as Victim (WIN)
Excel/Laroux virus id for Sophos SWEEP users... (WIN)
AVP News: Excel.Laroux Macro Virus! (WIN)
Re: Can a virus infect .TTF and .WAV files?? (WIN)
TBAV ExcelMacro/Laroux Press Release (WIN)
Re: Deleting Bytes Virus (PC)
Re: Weird drive mappings--virus?? (PC)
Re: Virus that hides in bad sectors? (PC)
Re: NYB Virus problems on EISA machine!! (PC)
Re: about V.6000 (PC)
Definition of Form virus (PC)
Re: AntiExe plus MonkeyB (PC)
Re: Zvi's tests of Findviru.exe (PC)
Re: System date set to 2096 (PC)
Virus Standards for a 5 pc network (PC)
HELP: I have been attacked by viruses (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Sun, 28 Jul 1996 15:11:21 +1200
From: Nick FitzGerald
Subject: Administrivia (ADMIN)
X-Digest: Volume 9 : Issue 126

First--I'm out of town and most likely out of dial-up reach, probably until Wednesday evening (NZ time) this week. Given this, please consider Email instead of posting followups to the group/list wherever it may be appropriate--thanks.

I had an internal debate about whether I should snip the "use debug to crash your machine" trick from Bruce Ediger's sig in his submission posted in Digest V9 #125. It struck me that the comment prefixing this was enough of a give-away that what followed was, in fact, something you should -not- try (at least unless you really did understand what the simple DEBUG command was likely to do!). Readers should take this as a warning--just as the software you see discussed in this forum is not guaranteed to be trustworthy -because it is mentioned here-, do not take any other software posted here (like DEBUG scripts) at face value. The old advice that you shouldn't run software from unknown and/or untrusted sources

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Fri, 26 Jul 1996 16:36:50 +0000 (GMT)
From: David Bridson
Subject: Re: Disknet
X-Digest: Volume 9 : Issue 126

jason@heaven.demon.co.uk wrote:

> I have one client whose "company-wide" av policy is implemented via
> DISKNET software. His wish was to have enough control to add some
> utilities to his machine without having to undergo several thousand
> yards of red tape. After fruitless conversations with their IT dept. to
> no avail, he asked me (as local "emergency" tech support) to
> attempt to circumvent the protection.
>
> After removing one line in the CONFIG.SYS file, DISKNET was no more!
>
> The assumption is that the company's IT dept. had no clue as to how to
> install the software, as it *must* be more robust than that!
> Nevertheless, 100% protection seems wide of the mark.

Hmmm... Your "client" is supposed to be using Disknet as part of his company's computer security policy, and you say you assisted him in circumventing that security in direct contravention of instructions from his IT department? Call me old-fashioned, Jason, but isn't this rather an odd way to promote trust in your professional integrity?

Yes, users can easily remove Reflex Disknet if - and only if - the security options to prevent them doing so have not been applied. That doesn't necessarily mean the IT department concerned "had no clue as to how to install the software". Disknet is not *that* hard to install. If it were, potential customers would probably balk at the prospect of putting it on thousands of PCs at a time. However, Disknet can be made very, *very* difficult to "uninstall". Unlike any conventional virus scanner that I know of, it provides network administrators with a variety of highly-effective ways to stop users removing its protection.
It may just be that the IT department at your client's company had a valid reason not to implement them.

As for the "100% protection" claim, I can't find it in any of Reflex's current promotional material. I would guess it came from an old advertisement. Over a year ago, Reflex surveyed its customers, and found that not one of them reported a virus infection after installing Disknet. The company was justifiably proud of this record and may have made the 100% protection claim at that time. However, the relatively recent arrival of Word Macro viruses brought a new type of threat. Subsequently, a number of Reflex's users reported infection from Concept. As a result, the company added 2 Disknet features to counter macro viruses:

1. A module that offers specific protection against *any* type of Macro virus, not just those that are "known".

2. An optional module that enables scanning of all E-Mail and attachments with a choice of methods. Again, this is not necessarily limited to "known" Macro viruses.

Of course, Reflex Disknet's diskette authorisation module continues to work in conjunction with popular virus scanning products (ThunderBYTE, DSAVTK, McAfee VirusScan, F-Prot, et al) that offer their own protection against macro viruses too.

David Bridson, Reflex Magnetics PR

===================================================================
Bridson & Bridson            Tel: +44 (0)1869 338832
Centrepoint, Chapel Square   Fax: +44 (0)1869 338843
Deddington, Banbury          E-mail: bandb@cix.compulink.co.uk
Oxon OX15 0SG England
===================================================================

------------------------------

Date: Fri, 26 Jul 1996 18:31:26 -0400
From: AMMalakoff
Subject: General MAC Question (MAC)
X-Digest: Volume 9 : Issue 126

I am not a real experienced computer user but I am trying to learn so I have been reading the postings here (I am also a little paranoid about viruses, disk crashes, etc.)
Anyway, on my Mac, I have Datawatch's Virex (revised thru July definitions) and Disinfectant 3.6 (which is an early 1995 version but I think is the latest). I also have the MS Word Scanprot installed in MS Word 6 (although I don't always remember to properly open documents).

Without getting into a discussion of whether Datawatch's program is best or not (I already have it, buying it on the recommendation of a friend when I did have a virus), is this protection adequate? Should I put an additional AV program on my machines and would there be any conflicts? I do use the net a lot from home. My work Mac (on which I transfer files to and from) is connected to your typical corporate eMail / printing network. I have picked up Concept from it before.

Comments, suggestions?

Thanks, Alan

------------------------------

Date: Sat, 27 Jul 1996 01:33:10 +0000 (GMT)
From: Shane Coursen
Subject: Re: New concept virus? (MAC,WIN)
X-Digest: Volume 9 : Issue 126

In article <0010.01I7I6IDJTBMXZNAB2@csc.canterbury.ac.nz>, patrickj@cybercom.net says...

>Has anyone had any experience with a word macro virus called concept1?
>
>We are running NT 3.51 w/ service pack4. Within the last week, there
>has been an infection within a group that has been dealing with
>outside contractors. Up until this point, we have contained the
>concept virus, and pretty much eliminated it. We now have a new macro
>virus that is not found by any av software except the free Norton av
>with the newest definitions list. The virus is identified, and says
>that it has cleaned the macros. This is not the case. The only thing
>that we have been able to do is stop the spread.

There have been reports of an apparent hack to the original Concept macro virus, but so far I've had no luck getting a good sample. If you are as interested as I am in unraveling this mystery, please send me a suspect sample. For instructions on the safe transfer of a computer virus, please email me direct.
-- 
Shane Coursen                                 scoursen@symantec.com
http://www.symantec.com/avcenter
Computer Virus Researcher - Symantec AntiVirus Research Center (SARC)

------------------------------

Date: Fri, 26 Jul 1996 17:27:52 -0700
From: Erik Hall
Subject: Username changed to William Shakespeare--Trojan-horse? (WIN95)
X-Digest: Volume 9 : Issue 126

Has anyone heard of the following; I tried to open "connect2internet" (under windows95PC) and read my email. Usually my own name comes up, but the last time I tried William Shakespeare showed up!!!!????

Thanks in advance, Erik.

------------------------------

Date: Fri, 26 Jul 1996 09:07:00 -0700
From: Don.Edwards@ci.seattle.wa.us
Subject: Re: Pc-Cillin 95 & Mcafee together?? (WIN95)
X-Digest: Volume 9 : Issue 126

From: Lucio Burroni
>Is it possible to use Pc-cillin 95 and Mcafee for windows95 on the same
>pc.

Most likely yes. But.

From experience I can tell you that it is a bad idea to use any virus scanning product -- resident or on-demand -- while an *unrelated* virus protection is resident in memory and active. It does really horrible things to performance. Either Norton or F-Prot can scan every file on my hard drive in less than 5 minutes, but F-Prot takes more than half an hour to do the scan while Norton's VxD is active.

F-Prot's resident component and on-request scanner interact to avoid this problem. I would assume that other vendors do likewise. But, they don't coordinate on this -- and I am not complaining (if they ever do start cooperating, it'll be about 5 minutes before a virus comes out that exploits the communication mechanism to protect itself and allow itself to spread even on protected systems).
-----------------------------------------------------------------------
Opinions expressed here do not necessarily represent those of the City of Seattle

------------------------------

Date: Sat, 27 Jul 1996 04:13:05 -0400
From: Gordol
Subject: Re: F-Prot Pro demo mega problem (WIN95)
X-Digest: Volume 9 : Issue 126

Just before hijacking Babylon 4 into the past, Commander Ivonova and Penn Thomas were heard by Marcus Cole:

>First of all, I would suggest that you call Command Systems, or goto
>http://www.commandcom.com to get the original win95 AV Kit, second of all

I got the program via windows95.com, which links you to the vendor for the actual download.

>the program is a 30 day demo, spend the extra money, and buy the real

I know I retrieved the demo version. I said that at the start.

>thing, it is worth the money, especially, considering the price for

I'm a firm believer in the Shareware concept. There are things I will buy retail, but given a choice, I prefer shareware. And before anyone asks, Yes, I do register and pay for stuff. For instance, I paid for McAfee's VirusScan last year.

>updates. Thirdly, win95 is not the most stable os, I prefer os/2 and use

I've had no problems with Win95. It's certainly more stable than Win3.11 was.

>that at home which, does show me its system boot, and scan. unlike, win95
>which I use at work, and is a pain, since I have no idea what is
>happening when it boots. And finally, it is not uncommon for win95 to

Get the PowerToys from Microsoft. TweakUI allows you to turn off the boot splash screen, unhiding the boot sequence.

>disallow ctrl-alt-del, if you install f-prot pro from the original

The only time that has happened to me. I don't use it often, but when I do, I want it.

>diskettes, it is most unlikely that your system will crash as it did this
>time.

Maybe there is something peculiar about my setup? I don't know. But that's what happened to me. It's too much a coincidence to me.
-- 
ttul8r, Jeffrey Kaplan <*>
PGP KeyID: 0x70c5a7cd via MIT's keyserver or Email

------------------------------

Date: Sat, 27 Jul 1996 12:56:28 -0400
From: MajorDad22
Subject: McAfee DREAMS and bumps in the night... (WIN95)
X-Digest: Volume 9 : Issue 126

My first attempt to install the win '95 version of mcafee found the DREAM virus and halted the install... I booted from a clean floppy and checked it with a DOS version I had received at work... I ran it at least 6 times... nada... so I deleted mcafee (wouldn't let me uninstall as there was no install.log which it seemed to require) and reinstalled. No stopping - installation complete. Never did say it was removed safely. DREAM is not on the mcafee page - anyone know anything about it? It is listed when you run SCAN D:\ /VIRLIST ...

aTdHvAaNnKcSe!

Kerry =:)

P.S. I have noticed some (more ;) quirks on win '95 since I installed mcafee...

| Kerry D. Barnsley =:)  | Come share a cup o' joe... (_)D
| Concord, NH            | And teach me what you know.
| (Major Dad to two!)    | I'll tell you a thing or two...
| MajorDad22@aol.com     | and together we'll get through.

------------------------------

Date: Fri, 26 Jul 1996 12:13 +0000
From: Graham Cluley
Subject: Re: Possible Virus -Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 126
In-Reply-To: <01I7I6IDJTBMXZNAB2@csc.canterbury.ac.nz>

Daria Thomas writes:

> McAfee's anti-virus researchers and software developers plan to work
> through the night tonight to develop a Laroux detector for incorporation
> into its best-selling VirusScan anti-virus software.

Dr Solomon's have produced both on-demand *and* on-access protection against this new virus (we're calling it XM.Laroux). You can read all about it on our website at the following URL:

http://www.drsolomon.com/vircen

The advantage of on-access protection is that it will stop the virus dead in its tracks.
Users will not be able to access, email, share, do *anything* with an infected spreadsheet - thus stopping any outbreak dead in its tracks.

We already have on-demand protection available for DOS, Windows 3.x, Windows 95, Windows NT, Novell NetWare, and OS/2 against this virus via our website. We also have on-access protection for Windows 3.x, Windows 95 and Windows NT workstation and servers against this virus.

Just to reiterate. At this stage we have no reason to believe this virus is widespread. It's hoped that a panic won't be started by the widespread announcement by another anti-virus company.

Regards
Graham

-- 
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 26 Jul 1996 14:28:27 +0300 (EET DST)
From: "Mikko H. Hypponen"
Subject: Re: Possible Virus -Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 126

> McAfee's virus researchers have discovered the first
> Macro virus capable of infecting Microsoft Excel spreadsheets.
>
> [Moderator's note: I posted this despite the advertising hype because it
> is, so far, the only submission I've had on the new Excel macro virus.

More information on ExcelMacro/Laroux is available at http://www.europe.datafellows.com/macro/ and at Microsoft: http://www.microsoft.com/msexcel/productinfo/vbavirus/emvolc.htm

There's no reason to panic: the virus doesn't seem to be common, although it is in the wild - and the virus doesn't contain any activation routines.
-- 
Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com
Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Fri, 26 Jul 1996 09:40:13 -0700
From: aspaeth@bogle.com
Subject: Re: Possible Virus -Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 126

>Forwarded message:
>
>URGENT VIRUS ADVISORY !
>
>SANTA CLARA, CALIF. (July 24) BUSINESS WIRE -July 24, 1996
>
>McAfee (NASDAQ:MCAF), the world's leading vendor of anti-virus software,
>today announced that McAfee's virus researchers have discovered the first
>Macro virus capable of infecting Microsoft Excel spreadsheets. The virus,
>called ExcelMacro/Laroux, was discovered in the wild at two large
>multinational companies, one in Alaska and one in Africa. According to
>McAfee virus researchers, the virus can replicate rapidly under normal
>spreadsheet use but does not appear to damage data. Microsoft Excel
>is the world's most popular spreadsheet application.

[snip]

>McAfee Anti-Virus Researchers Work Through the Night to Develop Cure
>
>McAfee's anti-virus researchers and software developers plan to work
>through the night tonight to develop a Laroux detector for incorporation
>into its best-selling VirusScan anti-virus software.

[snip]

As usual, I find press releases like this amusing... As of July 24, McAfee loudly proclaims that they have discovered the ExcelMacro/Laroux virus and that they "plan to work through the night tonight to develop a Laroux detector..." How heroic!

Over on the Command Software web site (www.commandcom.com) is a description of the virus by Sarah Gordon, including a signature string for adding to F-Prot Prof., which is listed as having been added to their web site on July 15 ("Discovery Date").

For a little dry humor, from a msg on Dr. Solomon's listserve (with what seems their standard reserve):

> Some of you may have heard about a press release put out by another
> anti-virus company regarding a working Excel macro virus. This virus
> does exist, but it is not believed currently to be widespread.
> It is to be hoped that users will not be panicked by the widespread
> announcement by the other anti-virus company.

On the 25th, the NCSA issued a Commentary which includes the following:

> A version of ExcelMacro.Laroux which was intentionally crippled, so as
> to not be infectious has been circulated among anti-virus product
> developers and virus writers for the past several weeks.
>
> It was analyzed by Sarah Gordon of Command Software. It was named by
> her, and a full analysis was written by her. A short analysis, which
> NCSA believes to be accurate can be found at Command's web site:
> (www.commandcom.com).

[snip]

> Microsoft contacted NCSA to solicit support and to offer assistance in
> any actions which might restrain the growth and damage of this virus.
> Microsoft claims to have first learned of the existence of this virus
> on Wednesday, July 24, and says it has had no customer reports of the
> virus to date. Both of these claims appear to be credible to NCSA
> analysts.

Hmmm.... A version of Laroux has been circulating among AVPD members "for the past several weeks" and McAfee reports they just discovered the virus and started working on detection two days ago, the same day the NCSA says Microsoft first learned of the virus. Either McAfee wasn't very on the ball, or their marketeers need to stop living inside a cheap adventure novel, or ...

Alan Spaeth
Systems Development Coordinator
Bogle & Gates P.L.L.C. (A Professional Limited Liability Company)
Portland, Oregon, USA

Opinions expressed here are mine and do not necessarily reflect those of Bogle & Gates P.L.L.C.
------------------------------

Date: Sun, 28 Jul 1996 15:11:21 +1200
From: Nick FitzGerald
Subject: Re: Possible Virus - Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 126

Further to Alan Spaeth's (aspaeth@bogle.com) comments about McAfee's rather sensationalistic press release, I'd like to add the following comments...

> URGENT VIRUS ADVISORY !

I guess they all are, but the urgency doesn't fit with later statements made by McAfee itself:

> "The Laroux virus does not appear to be widespread at this time,

As you can read elsewhere in this Virus-L digest, most major vendors have Laroux detection (and as Alan pointed out, many had it before 24 July--the date on McAfee's press release) and all agree that it is not (currently) a major threat. In fact, generally other vendors are taking a low-key approach, presumably trying to avoid the likely news-media frenzy should it become widely enough known that another commonly deployed application has macro virus vulnerabilities. This is not to say that computer users (particularly those with or considering purchasing Excel) should be denied access to that information, but it is a reasonable precaution given the mass-media's appalling record to date in dealing -realistically- with "the virus threat", both as a general concept and in specific incidents.

The general opinion, in both media and antivirus circles, is that the hype surrounding previous "major" virus warnings has largely been driven by a small group of antivirus vendors seeing a good chance to drive up sales of their product(s). This is, of course, too simplistic an analysis. It ignores (for example) the possibility that there were so few Michelangelo disasters because the huge exposure, and hence unprecedented concern in computer users that they -really should- check their computers for viruses, resulted in thousands upon thousands of potential Michelangelo disasters being averted. Further, it overlooks the fact that many other viruses, some potentially worse in their damage, and collectively a much greater threat, were detected and disinfected prior to M-Day.

But, therein lies a problem. The news media generally feed off bad news--they don't spend too much time covering "good news" but lean heavily toward disasters, injury, death. Staying with Michelangelo as the example, the news media (apparently forgetting they can still be used as a general "information source") were terribly upset that the disaster they had been promising didn't eventuate. The terrible epidemic of data-death they had expected did not arrive on cue, and instead of crowing their success in avoiding the disaster (it would seem it is harder to generate sales opportunities from such evidence...) the marketroids of the big AV companies apparently disappeared and as the media aren't usually interested in good news stories, they simply reported that the Michelangelo threat flopped. This left a strong sense of "We've been duped" amongst computer users especially, but amongst the general population as well (who may have secretly been willing disaster on the computer-owning elite! 8-) ).

By now you are probably wondering what all this has to do with McAfee's Laroux press release. Well, the point is that none of the other major AV vendors seem to be so terribly concerned about Laroux--at least not to the point of releasing a real beat-up of a press release!

> McAfee (NASDAQ:MCAF), the world's leading vendor of anti-virus software,
> today announced that McAfee's virus researchers have discovered the first
> Macro virus capable of infecting Microsoft Excel spreadsheets. The virus,

Interesting--other reports suggest that the primacy claim belongs to Sarah Gordon and predates 24 July by a good 9 days, maybe more (see Alan's message for details). Accuracy of reporting would seem to be a victim again (but then maybe McAfee's press releases are not written by reporters...).

> ... Microsoft Excel
> is the world's most popular spreadsheet application.

This not being the forum to discuss "`sales' versus `installed and used'" and "does `popular' mean `liked' or 'preferred'", I won't stray into questioning this claim...

> "The Laroux virus does not appear to be widespread at this time,
> although additional infection reports are likely as computer users learn
> how to detect the virus," said Bill Larson, McAfee's president, chairman,
> and CEO. "As with any new virus, computer users should remain vigilant but
> not panic. By taking some simple no-cost or low-cost preventative
> measures, computer viruses are easily preventable."

Commendable! But it doesn't gel with labelling the press release "urgent" or with the later claim:

> ... McAfee will also launch a
> Laroux-specific support forum on its Web page containing threaded
> discussion groups and detailed technical documents about the virus.

This suggests that it is a major threat, deserving of special treatment in McAfee's support fora. It also seems likely to -further- encourage the wannabe, copycat virus writers, but deciding where the balance between this concern and the "need to inform" lies is always a tough call.

> How Laroux Works
>
> Laroux infects versions 5 and 7 of the Microsoft Excel spreadsheet
> application. Desktop operating systems affected include Windows 3.x,
> Windows 95, and Windows NT. The virus does not appear to infect
> Macintoshes.
>
> The virus consists of two macro files, including "auto--open" and
> "check--files, " and one hidden Excel worksheet named "Laroux."

Is it just me, or... All the other Laroux descriptions I've seen hence, suggest a single underscore character rather than a double-hyphen in the macro names and I don't recall any of them mentioning a "hidden worksheet".

> Microsoft Excel users can easily determine if they are infected by
> choosing the Tools/Macro option. If the file names "auto--open"
> and "check--files" appear, the computer is infected.

Again, I am not an Excel macro expert, but isn't this suggestion more than a little dangerous? Within a short time of Concept becoming all the rage, with many "experts" suggesting to look in the Tools/Macro listing for the "odd" macro names Concept creates, there was a Word macro virus that triggered on the Tools/Macro command. Would it not be more prudent to not suggest using such a similar (and presumably similarly usurpable) feature of what is now a "suspect operating environment"??

> McAfee Anti-Virus Researchers Work Through the Night to Develop Cure
>
> McAfee's anti-virus researchers and software developers plan to work
> through the night tonight to develop a Laroux detector for incorporation
> into its best-selling VirusScan anti-virus software. Consistent with the

Nothing like putting a heroic spin on the truth that, being at least nine days behind their competitors, they were probably a bit ashamed with their shoddiness?? 8-)

Jimmy--what's the chance of reining in the marketroids a bit??

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz TEL:+64 3 364 2337, FAX:+64 3 364 2332
Virus-L/comp.virus moderator and FAQ maintainer
PGP fingerprint = 2E 7D E9 0C DE 26 24 4F 1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Fri, 26 Jul 1996 17:46:23 +0100
From: Paul Ducklin
Subject: Excel/Laroux virus id for Sophos SWEEP users... (WIN)
X-Digest: Volume 9 : Issue 126

Since the McAfee press release, people are starting to ask me "when is SWEEP going to handle this virus". Answer is: right now, if you wish. Cut out the hexadecimal stuff below (between the "---cut here---" lines), save it into a file called LAROUX.IDE, and place this file in the same directory as the SWEEP program. That will do the trick.
(Of course, this assumes you have SWEEP...if you don't, evaluation versions are available for a variety of operating systems: try http://www.sophos.com or ftp://ftp.sophos.com).

---cut here---
203f b8ee 639a 9c75 d073 dad9 748c 8119 fe31 bb08 03f8 f9f9 ff06 417f 5ad5 6d88 ec 7f
---cut here---

Er, while you're about it: don't worry.

Paul

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin                               duck@sophos.com /
/ Sophos Plc + 21 The Quadrant + Abingdon OX14 3YS + England \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: Fri, 26 Jul 1996 18:03:52 -0400
From: Keith Peer
Subject: AVP News: Excel.Laroux Macro Virus! (WIN)
X-Digest: Volume 9 : Issue 126

Macro.Excel.Laroux
==================

This virus infects Excel sheets (XLS files). It contains two macros: auto_open and check_files. While loading an infected document Excel executes the auto macro auto_open, and the virus receives control. The virus auto_open macro contains just one command that defines the check_files macro as a handler of the OnSheetActivate routine. As a result the virus hooks the sheet activate routine, and while opening a sheet the virus (the check_files macro) receives control.

When the check_files macro receives control, it searches for the PERSONAL.XLS file in the Excel Startup directory and checks the count of modules in the current Workbook. If the infected macro is in the active Workbook, and the PERSONAL.XLS file does not exist in the Excel Startup directory (the virus is executed for the first time), the virus creates that file there and saves its code to that file by using the SaveAs command. When Excel loads its modules the next time, it automatically loads all XLS files from the Startup directory. As a result, the infected PERSONAL.XLS is loaded along with the other files, the virus receives control and hooks the sheet activation routine.
If the active macro is not infected (there are no modules in the active Workbook) and the PERSONAL.XLS file exists in the Excel directory, the virus copies its code to the active Workbook. As a result the active Workbook gets infected.

To check your system for the virus one should check PERSONAL.XLS and other XLS files for the string "laroux" that is present in infected sheets.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.              USA Distributor for
P.O. Box 856                      AntiViral Toolkit Pro
Brunswick, Ohio 44212
Internet: info@command-hq.com     Compuserve: 102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820   Fax: 330-220-4129   BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Sat, 27 Jul 1996 13:18:47 +0000 (GMT)
From: "Jason S."
Subject: Re: Can a virus infect .TTF and .WAV files?? (WIN)
X-Digest: Volume 9 : Issue 126

On 21 Jul 1996 04:07:24 -0000, Desert.Storm@bbs.net1fx.com wrote:

>I have a few .TTF files in my WINDOWS\SYSTEM directory that have had the
>dates changed to the year 2032, there are about 5 of them... Integrity
>Master and MSAV picked them up.
>
>I also have a few .WAV files that have been set to 2092. Integrity
>Master picked up those.

NO

------------------------------

Date: Sat, 27 Jul 1996 12:18:23 -0400 (EDT)
From: "C.J. Mackay" <101444.1435@compuserve.com>
Subject: TBAV ExcelMacro/Laroux Press Release (WIN)
X-Digest: Volume 9 : Issue 126

Press Release: For immediate publication!

First Microsoft Excel virus found "in the Wild"!
===
ThunderBYTE first to detect 'ExcelMacro/Laroux'

Wijchen, July 26th 1996. ESaSS BV, developer of ThunderBYTE anti virus herewith announces that the first "working" Microsoft Excel virus has been reported and found In The Wild. The virus is written in Visual Basic for Applications and is called "ExcelMacro/Laroux".
The Laroux Virus infects newly created Excel WorkBooks and infects old WorkBooks when these are used. The virus is functional under all versions of Microsoft Excel, including national versions, from version 5.x under all Windows platforms (Windows 3.x, Windows 95 and Windows NT). Laroux is not destructive. The only action of Laroux is infecting in order to spread itself.

Though there is no direct reason for panic, the Research & Development Team of ThunderBYTE has worked overnight to create a detection possibility for this Excel Virus. Version 7.04 of ThunderBYTE Anti-Virus Utilities contains this detection possibility. This new version will be released very soon!

The Excel/Laroux virus is the first working virus reported and found to be in The Wild. After the WordMacro viruses, users are being threatened by Excel Viruses. Time after time, virus writers rock the world using holes in Microsoft Software to spread their "creative mindsplashes". This time they are Excel Viruses.

The effect these viruses will have must not be underestimated. An infected Word Document can not cause that much damage. But an infected Excel Sheet can result in serious consequences. It is impossible to be sure for the full 100% that the data contained in the spreadsheets are correct.

Laroux is relatively innocent as it will only spread. The writer of this virus did not include a Payload. Nevertheless, one should not think too easily about this virus. It is very simple to include a Payload in this virus. History teaches that we can expect this in the very near future. It is beyond your imagination what the effect will be when the Payload of an Excel Macro Virus changes data or formulas in the cells.

At this moment, the ThunderBYTE Research & Development Team has succeeded as one of the first to create a detection possibility for this virus and has included this solution in ThunderBYTE Anti-Virus Utilities.

The Laroux Virus consists of two macros. When an infected spreadsheet is being opened, the virus will check if the file PERSONAL.XLS exists. This file is the default file for all macros created in Excel. When this file does not exist, it will create an infected version of this file. When the file exists, the virus macros will be added to this file. The infected file now contains a new section "Laroux".

The ThunderBYTE Research & Development Team, as well as Anti-Virus researchers around the world, expect that this virus has opened new ways for virus attacks. New Excel Viruses or variants of Laroux will most likely be very destructive.

ESaSS BV - ThunderBYTE Headquarters
Saltshof 1018                      Tel: +31 (0)24 6422282
6604 EA WIJCHEN                    Fax: +31 (0)24 6450899
The Netherlands

Additional press information:
ESaSS BV - ThunderBYTE International Headquarters
Caroline Mackay, Public Relations, Compuserve ID: 101444.1435@compuserve.com

Commercial information:
ESaSS BV - ThunderBYTE International Headquarters
Mr. Harald M. Zeeman, International Sales Manager. Compuserve ID: 100140.3046@compuserve.com

------------------------------

Date: Fri, 26 Jul 1996 12:27:36 +0100
From: Dave
Subject: Re: Deleting Bytes Virus (PC)
X-Digest: Volume 9 : Issue 126

It sounds like the RSEater virus. Look for an AV product which can inoculate it!

------------------------------

Date: Fri, 26 Jul 1996 17:10:09 +0000 (GMT)
From: Andrew Wing
Subject: Re: Weird drive mappings--virus?? (PC)
X-Digest: Volume 9 : Issue 126

Steven Vance (vance@supt.sad1.k12.me.us) wrote:
: I have several IBM Valuepoint 425 machines that when leaving windows
: switch to drive N:\ ( which is really c:\). Upon any activity, the drive
: designation changes to A:\ (although still in c:\). No programs will run.
: This can also occur when trying to run DOS programs from within windows
: 3.1
: I've run IBM's antivirus, AVSCAN, and F-Prot to no avail.

Have you looked at the possible IBM issued patches? Check out ftp.pcco.ibm.com. There are flash ROM updates and several bug fixes.
Some may apply to your particular machine.

HTH!

- -
Politics is not the art of persuasion, it's the science of selfishness.
Big Brother isn't watching you, you're watching Big Brother, all 181 channels
"Speeding down the misinformation superhighway"
Andy Wing   agwing@astro.ocis.temple.edu   awing@thunder.ocis.temple.edu

------------------------------

Date: Fri, 26 Jul 1996 17:59:29 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Virus that hides in bad sectors? (PC)
X-Digest: Volume 9 : Issue 126

In article <0025.01I7JMM1WFCIXZNAB2@csc.canterbury.ac.nz> grasol@earthlink.net "Matthew Hudson" writes:

> I want to know if anyone has had an incident with a virus that
> creates a bad sector on your HD then hides there?

This is a common trick on floppies. I don't know offhand of a hard disk virus that does it, but there probably are some.

> I was told by a computer guru that there was no such virus and that a
> virus couldn't do that. Thus the post. More discussion and information
> than anything.

There is more than one kind of bad sector. Some bad sectors are simply marked as bad in the file allocation table, and a virus can do that as all it requires is writing data to the disk.

- -
I JUST JOINED           IS MY FACE RED?
THE YOUNG MAN SAID      NO! I USE
A NUDIST CAMP           Burma-Shave

------------------------------

Date: Fri, 26 Jul 1996 19:06:27 +0000 (GMT)
From: Iolo Davidson
Subject: Re: NYB Virus problems on EISA machine!! (PC)
X-Digest: Volume 9 : Issue 126

In article <0026.01I7JMM1WFCIXZNAB2@csc.canterbury.ac.nz> r.gottet.cnet@spectraweb.ch "Roger Gottet" writes:

> We tried to remove a NYB Virus with a clean boot-diskette. But after
> each scan the virus showed up again in the memory.

Probably not really booting clean. This can happen if the option in the CMOS setup is set to always boot from the C: drive, which probably isn't the case if you are using a SCSI drive, or more prosaically, if your boot floppy is itself infected.

There is also a reported problem with Win95 boot floppies, which can cause a "ghost positive" with some scanners finding an image of the partition sector left in a disk buffer. You don't say which scanner you are using. You could avoid this by booting with a different DOS floppy (DOS 5 or 6 instead of the Win95 boot disk), or by using a different scanner (try the evaluation version of Dr. Solomon's FindVirus, from www.drsolomon.com).

> Within the EISA Config utility it seems not to be possible to remove the
> Adaptec 2742 EISA SCSI-controller. We believe that these facts may
> cause the problem that the NYB is being transferred from the EISA BIOS
> to memory.

Not remotely likely. Not even possible unless the BIOS is flash reprogrammable, and NYB doesn't attack flash BIOSes. No virus does so at the moment. Actually infecting a flash BIOS so as to be able to reinfect a disk in the way you are speculating about would be much more difficult, as well as model specific, and it is extremely unlikely that there will ever be any virus that does more than corrupt flash BIOS as a destructive payload.

- -
I JUST JOINED           IS MY FACE RED?
THE YOUNG MAN SAID      NO! I USE
A NUDIST CAMP           Burma-Shave

------------------------------

Date: Fri, 26 Jul 1996 18:12:55 +0000 (GMT)
From: Iolo Davidson
Subject: Re: about V.6000 (PC)
X-Digest: Volume 9 : Issue 126

In article <0029.01I7JMM1WFCIXZNAB2@csc.canterbury.ac.nz> mannig@world-net.sct.fr "Gerard Mannig" writes:

> >>> The virus uses the complex algorithm allowing the virus to stay memory
> >>> resident after cold reboot and loading from clean DOS floppy disk.
> >>
> >>No, it can't really do this. It spoofs it.
>
> Glad to see you mention it yourself: V.6000 indeed spoofs a cold reboot
> so when I read people saying 'Place a write-protected DOS floppy disk in
> A:, power off the machine and power it on again...' (known song...),
> they are wrong!

It is also wrong to say that the virus can stay memory resident after a clean boot.
I know that isn't exactly what you said above, but it is unclear enough that some people will be confused. Fooling people that they have booted clean when they haven't isn't the same thing as defeating the clean boot. You can ALWAYS clean boot, it just requires a check of the CMOS settings to be sure that the computer is really booting from the floppy drive in the first instance.

> If you have enough memory, you'll see that my basic posting aimed to point
> out to a VIRUS-L reader that an *UNinfected* RAM can't be obtained by the
> above that everybody describes over and over again, day after day

Essentially you are quibbling about what "clean boot" means. Yes, you do have to ensure that the computer's CMOS is set to boot from a floppy if one is present in the drive. But if you don't do this, and the computer starts to boot from the hard drive, loading the MBR, that does NOT mean that the virus has actually defeated the clean boot, it means that the user has not really booted clean. The clean boot still works, against all viruses, if you make sure that it actually happens.

> V.6000 proves (and you do it yourself today; thanks) that this is NOT
> sufficient. That's all I wanted to do. Maybe next time I'll be more smart
> (As a side note, my English knowledge increases as time goes on ;-)

Well, I do think that much of the disagreement has been about confusing ways of saying things rather than the actual facts.

> >>Yes, this is what it does. It initially boots from the hard
> >>drive.
>
> Nah, you're a good boy!
>
> So, what about if one boots with the horribly classical 'clean floppy
> disk...' way in such a context?

It isn't a clean boot if it initially boots from the hard drive. You have to ensure that it doesn't do that. This is not just for the two CMOS spoofing viruses we are discussing, but also for the user configurable switch that forces the computer to boot from the hard drive even if a floppy is in the floppy drive.

> >>> The virus
> >>> installs itself into the memory and then passes the control to floppy disk
> >>> loader. As the result the virus stays memory resident after loading from
> >>> clean write-protected disk.
> >>
> >>It hasn't booted clean, it has booted from the infected hard
> >>drive in the first instance. Once the virus has control, it
>
> It's getting serious: please, reread the lines above 'As the result the
> virus stays memory resident after loading from clean write-protected
> disk.' SAYS Eugene KASPERSKY

But it has already loaded a virus from the hard disk. That is NOT a clean boot.

> Where did you see Eugene KASPERSKY said 'clean booted'?

He didn't. However, what he did say confuses the issue. It seems like he is talking about a clean boot, though technically he is only talking about DOS, not the partition sector code. But since it is a partition sector virus, the partition sector is the important part of the boot process. Booting from an infected partition sector is NOT a clean boot, even if it is followed by a clean copy of DOS. It would be followed by a clean copy of DOS from the hard drive, with most partition sector viruses. I am making this point myself, in addition to Kaspersky's document, because I regard what Kaspersky said as unclear and confusing.

> Besides the presence of a clean floppy disk, the virus becomes active.
> Period. I think it is important enough to warn people instead of splitting
> hairs about precise meaning of words

Lots of people issue the warning that you must make sure that the CMOS is set to boot from A: in order to ensure that you really get a clean boot. Your warning contained the misinformation that V6000 had to be disinfected in memory because it could defeat the clean DOS floppy boot. It CANNOT really defeat the clean boot process if it is done properly, and you do NOT need to disinfect the virus in memory. You just need to make sure that you have REALLY booted clean. Yes, the trick fools people sometimes, but so does the user configuration option to always boot from C:

> As a conclusion, I regularly warn people each time I am given to read
> about the 'clean floppy disk...' fairy tale. Sorry (a huge work, though)

Fair enough, as long as you don't tell them they need to disinfect in memory or that they can't boot clean.

> >>This is not a new trick. Exebug does the same thing, and has
> >>been around for years.
>
> If the user's scanner fails in detecting presence of V.6000 in RAM, at
> each time the user _apparently_ clean boots (see the 'apparently', here?),
> he:
>
> - will be fooled into thinking he has an uninfected RAM (while he has
> NONE)

Like I say, not new. And I am sure that the better AV detect V6000 and Exebug in memory by now.

> - will mass infect any executable
>
> Besides this, try to issue a
>
> A:
>
> command in a V.6000 context and you'll see the difference: any A: access
> is successfully done with. Absence of A: drive in CMOS is completely
> hidden
>
> So; what was that you told: 'This is not a new trick'?

Like I say, Exebug also reestablishes the A: drive for normal access, in at least one of the variants I disassembled. There are at least five variants. I am not sure why you are convinced it doesn't. In my article on Exebug in the April 1993 "Virus News International", I reported that it "reinstates drive A: in the CMOS memory and instructs the reboot to continue from the floppy". Exebug is in the wild, and was widespread in South Africa a couple of years back. I haven't heard of any V6000 outbreaks.

- -
I JUST JOINED           IS MY FACE RED?
THE YOUNG MAN SAID      NO! I USE
A NUDIST CAMP           Burma-Shave

------------------------------

Date: Fri, 26 Jul 1996 20:15:50 +0000 (GMT)
From: Robert HULL
Subject: Definition of Form virus (PC)
X-Digest: Volume 9 : Issue 126

Hope you can help, I am a little confused about the characteristics of the Form virus.
A colleague was recently told he had passed this virus on a diskette to someone else and asked for information about the thing. I have two main sources of info about viruses - a well-known Icelandic av product, and an equally well-known Swiss av encyclopaedia - so I set out to get him the required data.

According to Switzerland this Swiss virus is very dangerous, can also corrupt data files and dumps its payload on the 16th of the month when it executes a dummy loop to delay key input.

However, Iceland declares Form to be an unremarkable virus, makes no mention of data corruption, and says it dumps on the 18th when (if you have not used a keyboard interpreter) it makes a clicking noise each time you press a key.

Now my quandary is this - do I tell my colleague that he *has* or *has not* run the risk of corrupting his data files? And is the virus "unremarkable" or is it "very dangerous"?

- -
Robert

In the interest of greater transparency, my new sig follows:

[Moderator's note: On further checking I found a couple more descriptions supporting the 18th and one saying 24th! These three all agreed however, that Form is relatively benign. If you followup this post, -please- address the disagreement over the date--don't just post your favourite Form description.]

------------------------------

Date: Fri, 26 Jul 1996 20:54:50 +0000 (GMT)
From: Bruce Burrell
Subject: Re: AntiExe plus MonkeyB (PC)
X-Digest: Volume 9 : Issue 126

Bob Babcock (peprbv@cfa0.harvard.edu) wrote:
> I tried to disinfect a PC which was infected with both AntiExe and
> Stoned.Empire.Monkey.B. All user files were first recovered by zipping to
> a network drive and restoring onto another PC, so I was willing to
> experiment to see what might work if a similarly infected PC were to show
> up.
>
> The hard disk was not visible from a floppy boot. The A: floppy worked
> but B: did not. F-prot detected the multiple infection but seemed unable
> to fix it. Eventually I did an fdisk /mbr, deleted the 4 garbage
> partitions which this created, recreated the partition table with Norton
> disk doctor and sys'ed the hard disk. At first this seemed to have
> worked, but most of the disk was scrambled: chkdsk found ~4000 lost
> clusters in 2000 chains. What procedure should I have used to disinfect
> this PC?

You should have gotten a current antivirus program, like F-PROT, DSAV, AVP, or TBAV. There is a list of vendors and URLs in the alt.comp.virus FAQ; download it from ftp://ftp.icnet.uk/icrf-public/acv.FAQ

Then create a clean boot disk and use it to start your machine; use the AV software to remove the infection. With Monkey, the hard drive won't be visible, as you mention; no matter, since the software will be able to find the hard drive.

F-PROT:  F-PROT /HARD /DISINF
DSAV:    FINDVIRU C: /REPAIR

If you use another product, I leave it to you to find the proper syntax in the docs.

-BPB

------------------------------

Date: Sat, 27 Jul 1996 04:56:09 -0400
From: Bill Lambdin
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 126

George Wenzel writes

>But, oddly enough, the comprehensive review done by Paul Williams is not
>there. One would think that such a major review would be placed
>prominently on the Dr. Solomon's site. It's shown quite well on the
>InVircible site.

I have read the review by Paul Williams. I do not place much credibility on this test.

1. IV is a generic A-V program (detects viruses after replication). I wonder how Mr. Williams was able to replicate those 4000 viruses on one computer. Vienna.Hybryd only replicates if the year is 1992. Icelandic.Saratoga only infects every 10th .EXE file run. Frodo will not replicate from September 22 - December 31st. One A-V developer once quipped that he could write a 41 page paper on what it takes to get the Starship virus to replicate. Other viruses only replicate under DOS 3.3 etc.

2. Mr.
Williams' test is the only positive InVircible review I have seen posted. However, there have been about 10 negative reviews of InVircible.

I do not believe Mr. Williams' test for two reasons.

a. It is the only positive review I have seen for IV.
b. I have tested IV myself, and it has failed my test four times in a row!
c. I have tested A-V software in the past, and many have seen my list of recommended scanners and recommended generic A-V software, or have read my test results of InVircible's failures.

It takes a lot of time and effort to clean a computer, and restore the software to a preinfected status. Even if Mr. Williams could restore the system to uninfected status in 15 minutes, it would take a minimum of 42 24-hour days without counting the time it takes to run each virus, then run bait files for the viruses to infect, then run InVircible modules to detect the virus.

However, the comments above are academic because Mr. Williams obviously never used Tremor, companion infectors, etc., because Mr. Williams would have reached the same conclusions reached by Vesselin Bontchev, Dr. Keith Jackson, myself, and many others.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sat, 27 Jul 1996 04:56:18 -0400
From: Bill Lambdin
Subject: Re: System date set to 2096 (PC)
X-Digest: Volume 9 : Issue 126

Steven C. Zinski writes:

>Thanks for all the suggestions, but I do not think our problem is related
>to a virus. I have booted from a known clean diskette and have run several
>virus checkers. All came up clean.

Just because a scanner doesn't report anything doesn't mean the system is clean. I would recommend that you follow the following procedure.

a. boot from the hard drive of the affected computer.
b. format a low density diskette in A: of the computer
c. copy some programs to the diskette.
d. run all programs from the diskette twice.
e. mail this diskette to an A-V developer or A-V researcher for analysis

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sat, 27 Jul 1996 12:11:22 +0000 (GMT)
From: Jim Hughes
Subject: Virus Standards for a 5 pc network (PC)
X-Digest: Volume 9 : Issue 126

My town is installing a 5 PC (DOS/Win 3.1 or Win 95) network (Novell). They asked me to investigate virus protection policies. I don't deal with virus protection and would like suggestions from those with the experience. Any suggestions and pointers to information would be greatly appreciated. TIA.

__________________________________________________________________
Jim Hughes                        Systems & Communications Sciences
Team OS/2 (New Hampshire)         OS/2 Certified Engineer
jim@fifth-column.mv.com           NeoLogic News Reader 2.1B
__________________________________________________________________

------------------------------

Date: Sun, 28 Jul 1996 02:43:58 +0000 (GMT)
From: shane lennon
Subject: HELP: I have been attacked by virues's (PC)
X-Digest: Volume 9 : Issue 126

Please can someone clarify for me a problem I have just had with a virus attack. I run three Pentiums with Win 95 on a network. One computer is connected to a dedicated modem line. Yesterday I came in and the unit with the modem had over twenty viruses on it, it totally killed my machine and I am going to have to format the hard drive again.

There are three possibilities that I can think of that allowed the viruses to catch me.

ONE - someone put them on there. Don't think so as there have been no foreign disks for a long time and I always check them for viruses anyway (will fix by putting 3 1/2 inch disk locks on just in case I have a saboteur)

TWO - Norton anti virus went crazy (do not think so, system behaved exactly the same as a previous virus attack ((rna virus)))

THREE - viruses came in over the internet. I have not downloaded unknown EXE files. Therefore the only thing I can think of is that I was hacked and the viruses were put in by someone.

What I would like to know is "is it possible for someone to access my machine even though I had no internet type software running??? This is my question)

If anyone can help I would be very grateful as I would not like this to happen again.

Please help, thanking you in advance

Shane

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 126]
******************************************
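The manual check that the AVP post and the ThunderBYTE press release above both describe (look for the string "laroux" in PERSONAL.XLS and any other workbooks, and treat an unexpected PERSONAL.XLS in the Excel startup directory as suspicious) is easy to automate for triage. The script below is an added example; it is not code from the digest, from Central Command, from ESaSS or from any other vendor named in it. It assumes only what the AVP post states (the "laroux" string is present in infected sheets, and the virus drops PERSONAL.XLS into the startup directory); the extra UTF-16LE form of the string, the `.xla`/`.xlt` extensions and every sample file in `demo()` are assumptions and constructed data, not anything from the digest.

```python
"""Added example: a plain string check for the Laroux marker in Excel workbooks.

Assumptions (not from the digest): the only indicator used is the literal
string "laroux" that the AVP post says infected sheets carry; the startup
directory and the sample files built in demo() are constructed here.
"""
import os
import tempfile
from typing import Dict, List

# Marker the AVP post says is present in infected sheets.
MARKER = b"laroux"
# Later Excel versions store sheet names in UTF-16LE as well; checking that
# encoding too is an assumption that goes beyond the post.
MARKER_WIDE = MARKER.decode("ascii").encode("utf-16-le")


def has_laroux_marker(data: bytes) -> bool:
    """True if the marker appears in the file bytes, case-insensitively."""
    low = data.lower()  # bytes.lower() folds ASCII only, which is all we need
    return MARKER in low or MARKER_WIDE in low


def scan_workbooks(root: str) -> List[str]:
    """Walk 'root' and return every .xls/.xla/.xlt file carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".xls", ".xla", ".xlt")):
                continue  # other file types are out of scope for this check
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if has_laroux_marker(fh.read()):
                    hits.append(path)
    return sorted(hits)


def check_startup_dir(startup_dir: str) -> Dict[str, object]:
    """Report on PERSONAL.XLS in the Excel startup directory.

    The post says the virus creates PERSONAL.XLS there on first run, so a
    PERSONAL.XLS nobody remembers creating, or one carrying the marker,
    deserves a look even before a scanner is run.
    """
    personal = os.path.join(startup_dir, "PERSONAL.XLS")
    present = os.path.isfile(personal)
    flagged = False
    if present:
        with open(personal, "rb") as fh:
            flagged = has_laroux_marker(fh.read())
    return {"path": personal, "present": present, "flagged": flagged}


def demo() -> Dict[str, object]:
    """Build a constructed startup directory and run both checks over it."""
    root = tempfile.mkdtemp(prefix="xlstart_demo_")
    # Constructed sample bytes, not real workbooks: one carries the marker in
    # single-byte form, one in UTF-16LE, one is clean, one has the wrong
    # extension and must be skipped by scan_workbooks().
    samples = {
        "PERSONAL.XLS": b"\xd0\xcf\x11\xe0 BoundSheet ... Laroux ... auto_open",
        "BUDGET.XLS": b"\xd0\xcf\x11\xe0 BoundSheet " + "Sheet1".encode("utf-16-le"),
        "REPORT.XLS": b"\xd0\xcf\x11\xe0 BoundSheet " + "laroux".encode("utf-16-le"),
        "NOTES.TXT": b"laroux",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {
        "hits": [os.path.basename(p) for p in scan_workbooks(root)],
        "startup": check_startup_dir(root),
    }


if __name__ == "__main__":
    print(demo())
```

Point it at the real startup directory (XLSTART under the Excel installation in the 1996 versions the posts discuss) and at any share where workbooks are exchanged. A bare string match is triage, not a verdict: a workbook whose sheet or module happens to be named "laroux" (it is a surname) will be flagged, and a variant that renames the module will not be, which is why the posts above point to scanner identities such as the SWEEP one Paul Ducklin supplied rather than to the string alone.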