VIRUS-L Digest   Wednesday, 31 Jul 1996   Volume 9 : Issue 128

Today's Topics:

The Scanner - July 96 issue
Re: Disknet
Re: About need of 'clean' booting before scanning process
Re: Disknet
Re: "puppet" virus ?????
Russian antiviruses!!!
How to handle viruses in a Dorm-net?
Re: UNIX virus (sigh...) (UNIX)
Re: General MAC Question (MAC)
NAV scanning a drive at shutdown (WIN95)
Re: Pc-Cillin 95 & Mcafee together?? (WIN95)
RE: Possible Win95 Font Virus...Is it? (WIN95)
Re: TBAV ExcelMacro/Laroux Press Release (WIN)
Mcafee Webscan (WIN)
Re: Possible Virus - Excel as Victim (WIN)
Excel Laroux FREEWARE detection! (WIN)
Webscan (WIN)
Re: Possible Virus - Excel as Victim (WIN)
Re: Possible Virus - Excel as Victim (WIN)
Recovering FAT info (PC)
Re: HELP: I have been attacked by virues's (PC)
Re: Definition of Form virus (PC)
Re: F-Prot comments (PC)
Re: Zvi's tests of Findviru.exe (PC)
Re: Help: The bad sectors in my NEC HD are growing! (PC)
Re: McAfee (PC)
Immune II - Someone who knows? (PC)
Re: Virus that hides in bad sectors? (PC)
Re: Boot Virus on DDO drive (PC)
Re: Virus Standards for a 5 pc network (PC)
Re: NYB Virus problems on EISA machine!! (PC)
Re: Boot Virus on DDO drive (PC)
Re: Boot Virus on DDO drive (PC)
Re: Newbie's computer infected!!--Matura?? (PC)
Re: AntiExe plus MonkeyB (PC)
Re: AntiExe plus MonkeyB (PC)
Virus from China, help (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 29 Jul 1996 13:43:33 +0000 (GMT)
From: Howard Wood
Subject: The Scanner - July 96 issue
X-Digest: Volume 9 : Issue 128

The 'come back' issue of The Scanner is now out. I am trying to get it uploaded to SimTel but it is on The Scanner Homepage. I also have someone that will help me out with a mailer so folks can subscribe to The Scanner if they wish. I will pass the info along as things are confirmed and tested.

Http://diversicomm.com/scanner

Any suggestions or 'constructive' comments are appreciated.

Woody
=======================================================
Howard Wood - Gulf Coast Anti Virus, Biloxi, Ms.

------------------------------

Date: Mon, 29 Jul 1996 18:10:21 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Disknet
X-Digest: Volume 9 : Issue 128

In article <0002.01I7M4A14ICKXZNAB2@csc.canterbury.ac.nz> bandb@cix.compulink.co.uk "David Bridson" writes:

> Unlike any conventional virus scanner that I know of, it provides network
> administrators with a variety of highly-effective ways to stop users
> removing its protection.

Haven't looked far, then. Dr. Solomon's Anti-Virus Toolkit provides network administrators with highly effective ways to prevent users removing its protection.

> Of course, Reflex Disknet's diskette authorisation module continues to
> work in conjunction with popular virus scanning products (ThunderBYTE,
> DSAVTK, McAfee VirusScan, F-Prot, et al) that offer their own protection
> against macro viruses too.

Hmm... You refer to Dr. Solomon's above. How come you don't know about the enforcement options available in the Netware Toolkit?

- -
I JUST JOINED
IS MY FACE RED?
THE YOUNG MAN SAID
NO! I USE A
NUDIST CAMP
Burma-Shave

------------------------------

Date: Tue, 30 Jul 1996 02:29:34 +0200
From: Gerard Mannig
Subject: Re: About need of 'clean' booting before scanning process
X-Digest: Volume 9 : Issue 128

>>X-Digest: Volume 9 : Issue 127
>> Fridrik Skulason said :
>>Indeed. What you are talking about is not a clean boot, but a "dirty"
>>boot that the user thinks is a clean boot....an entirely different thing.

Yep. But a so-called 'clean boot' is defined this way in VIRUS-L by tens of people so, as you said yourself, this is a "dirty" boot that the user thinks is a clean boot... and got infected by some viruses like ExeBug and/or V.6000.

I tried to smoothly explain this to Iolo Davidson in private to avoid heavy discussions in this area but he very kindly put me in his kill file. So, he will never learn what I told him there... Vesselin Bontchev, OTOH, had a chat with me and we discussed this in a friendly way.

Same goes for the need to clean boot before scanning (main purpose of the basic posting): sometimes, it is useful NOT to do it.

Besides this, I had to confess I have been somewhat misleading in my statements and that's why I tried to exchange private e-mails with Iolo Davidson, my main contradictor.

It appears that the war between France and Great Britain restarts. I don't think closing a discussion this way will help...
Regards,

- ----------------------------------------------------------------
Gerard MANNIG
Virus Consultant
Phone : +33 (16) 3559-9344   Fax : +33 (16) 3560-5011
Distributor of AVP & SYSGuard, France and Spanish-speaking countries
http://www.avp.ch/E/avp-main.htm
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm

------------------------------

Date: Mon, 29 Jul 1996 09:08:36 +0000 (GMT)
From: Jan Hruska
Subject: Re: Disknet
X-Digest: Volume 9 : Issue 128

David Bridson, Reflex Magnetics PR wrote:

>As for the "100% protection" claim, I can't find it in any of Reflex's
>current promotional material. I would guess it came from an old
>advertisement. Over a year ago, Reflex surveyed its customers, and found

Your clients were displaying it in very large letters at the Networks show four weeks ago in Birmingham. Is that not 'current'?

>1. A module that offers specific protection against *any* type
>   of Macro virus, not just those that are "known".

Is this the same module which was beaten by the Winword/Reflex (aka Red Dwarf, Challenge) virus for which Reflex allegedly gave a Jeroboam of champagne to the virus writer at the Infosec show in April 96 in London?

------------------------------

Date: Tue, 30 Jul 1996 02:10:01 -0400
From: pansovic
Subject: Re: "puppet" virus ?????
X-Digest: Volume 9 : Issue 128

Sean wrote:

> Can anybody tell me anything about this virus. My friend recently found
> it on his computer.

Maybe the following text can give you some answers. It's coming from Data Fellows Ltd's Virus Information Pages and that's the only place where you can find a virus under that name (Puppet Virus). Dr. Solomon's Anti-Virus Encyclopaedia doesn't have anything about it (at least, I didn't find it!) and McAfee's Virus Info Library has it registered under the following names: Major, Major.1644 and MajorBBS.

> NAME: Major
> ALIAS: Puppet, BBS-1643, MajorBBS
> SIZE: 1644
> TYPE: Resident EXE -files
>
>This virus got widespread in April 1996, because it was available in an
>infected file called CANCER01.ZIP in ftp site wuarchive.wustl.edu.
>In addition to the infected files inside CANCER01.ZIP, Major virus has been
>spread in files called TAP.EXE and FLASH.EXE (PKLited dropper).
>Major tries to interact with the Major BBS system. Without further information
>on this BBS system, it is impossible to tell what the virus actually tries to do.
>In any case it tries to access files \BBSV6\BBSAUDIT.DAT and \BBSV6\BBSUSR.DAT.
>
>Major contains these encrypted texts:
>The Major BBS Virus created by Major tomwn to DOS Puppet Image Gnat Minion Cindy F'nor
>
>As many other memory-resident viruses, Major will conflict with some memory managers.
>Major virus has been confirmed to be in the wild in several countries.

In Lak'ech,
Gordana
Yellow Rhythmic Human

------------------------------

Date: Tue, 30 Jul 1996 14:28:29 +0800
From: Vladimir Fedotkin
Subject: Russian antiviruses!!!
X-Digest: Volume 9 : Issue 128

Do you need some real protection? Well, search the web for ADINF, AIDSTEST, KASPERSKY.

Cool antiviruses for people still having problems with viruses!!!

ENJOY!

------------------------------

Date: Tue, 30 Jul 1996 22:02:25 +0000 (GMT)
From: Mark Raciborski
Subject: How to handle viruses in a Dorm-net?
X-Digest: Volume 9 : Issue 128

We are planning to have our dorms wired for network use fall semester. Each student will be able to connect their own PC to our Dorm-Net using TCP/IP. Our Telecommunication Director has sent out an urgent requirement that the school will need to supply the student with "virus" software before we connect their machines into the network, as there is some risk of infection.

Is anyone running a Dorm-Net? What kind of risk from viruses should we be having anxiety over?
Please reply to operator@hedgehog.cc.wm.edu

------------------------------

Date: Mon, 29 Jul 1996 13:45:22 -0600
From: John Millington
Subject: Re: UNIX virus (sigh...) (UNIX)
X-Digest: Volume 9 : Issue 128

Kenneth Albanowski (kjahds@kjahds.com) wrote:

: To add to this, it's like arguing that FooBarOS's security is lax because
: you can read or modify the data on the disks if you hook them up to a PC
: and read the partitions directly. All storage used by programs in
: "stored-program architecture" computers must be assumed inviolate simply
: because the OS has no control over it whatsoever.

FWIW, disk encryption can help protect against this sort of thing. For example, Patrick Ohly's program "DiskProtection" (although it's not a Unix program, something _like_ it could be done for just about any OS) encrypts entire disk partitions. Take that disk and plug it into a PC, and you can't read anything on it, nor can you install a virus on it (since the virus will become scrambled when it gets "unencrypted").

Of course, there's always a point of weakness, and you can't currently boot off an encrypted partition. And even if some future version of DiskProtection allows you to, there will always have to be _something_ that is left out where it's vulnerable. (e.g. you could still install a virus on the boot block.)

Anyway, my point is that you _can_ have additional _degrees_ of security, even if the host OS _isn't_ running. It's just not widely used, that's all.

Yog-Sothoth Neblod Zin,
John Millington

------------------------------

Date: Mon, 29 Jul 1996 18:32:51 -0600
From: Stu Derby
Subject: Re: General MAC Question (MAC)
X-Digest: Volume 9 : Issue 128

In article <0003.01I7M4A14ICKXZNAB2@csc.canterbury.ac.nz>, AMMalakoff wrote:

:I am not a real experienced computer user but I am trying to learn so I have
:been reading the postings here (I am also a little paranoid about viruses,
:disk crashes, etc.)
:
:Anyway, on my Mac, I have Datawatch's Virex (revised thru July
:definitions) and Disinfectant 3.6 (which is an early 1995 version but I
:think is the latest). I also have the MS Word Scanprot installed in MS
:Word 6 (although I don't always remember to properly open documents).
:
:Without getting into a discussion of whether Datawatch's program is best
:or not (I already have it, buying it on the recommendation of a friend
:when I did have a virus), is this protection adequate? Should I put an
:additional AV program on my machines and would there be any conflicts?

In general, you should only have 1 AV program "installed", i.e. active in the system with a component in the Extensions folder. AV programs work by patching the operating system (placing modifications into memory) and since they tend to patch the same areas for the same purposes, conflicts are not unexpected. You can uninstall Disinfectant by dragging the Disinfectant Init from the Extensions folder to the Trash and throwing it away. There's no problem leaving the Disinfectant application on your drive, and you can even use it manually to scan for viruses (or reinstall the protection init if you drop Word 6 and Virex).

That said, I wouldn't be too surprised if in fact there weren't any conflicts between Virex and Disinfectant; both are quality programs and Disinfectant takes a minimalist approach to virus protection, though it's more than adequate for system viruses. In fact, Disinfectant ONLY protects against system viruses, while Virex and others also try to protect against the various application file viruses. If you don't use Word 6, Excel 5, or Hypercard, then Disinfectant is all you need. (Disinfectant 3.6 is also the latest version; there hasn't been a new Macintosh system virus since Spring 1995, the Force be praised.)

Word 6 has been a god-send to the Macintosh anti-virus industry (though many of the tech people there would probably gladly forego that joy.)
- -
Stu Derby              | "When in trouble, when in doubt,
stu@miave.bcm.tmc.edu  |  run in circles, scream and shout."

------------------------------

Date: Mon, 29 Jul 1996 13:20:49 +0000 (GMT)
From: zen
Subject: NAV scanning a drive at shutdown (WIN95)
X-Digest: Volume 9 : Issue 128

I recently installed Norton Anti-Virus for Win95. I note that every time I shut down the computer, the anti-virus program scans the A drive, making an audible noise in the drive at the time.

1. Is the program supposed to do this at each shutdown?
2. Is there any potential for damage to the A (floppy) drive from this?

I have visited the Symantec site and I don't see this addressed there. There is a patch for the program there but no explanation as to what the patch does and what it is supposed to fix.

Thanks

------------------------------

Date: Mon, 29 Jul 1996 18:23:09 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Pc-Cillin 95 & Mcafee together?? (WIN95)
X-Digest: Volume 9 : Issue 128

In article <0006.01I7M4A14ICKXZNAB2@csc.canterbury.ac.nz> Don.Edwards@ci.seattle.wa.us writes:

> F-Prot's resident component and on-request scanner interact to avoid this
> problem. I would assume that other vendors do likewise. But, they don't
> coordinate on this -- and I am not complaining (if they ever do start
> cooperating, it'll be about 5 minutes before a virus comes out that
> exploits the communication mechanism to protect itself and allow itself to
> spread even on protected systems).

Actually, this wouldn't work. Yes, if the communication method became known, someone could write a virus that used it to put a resident scanner to sleep, but how is that virus going to issue the message? First the virus has to load and run. If the resident scanner is present, it will stop viruses that it recognises being loaded and run. "Ah, but," you say, "this is a new virus and the scanner doesn't recognise it yet." Well, it doesn't matter if the virus can turn off the scanner, then. The scanner wouldn't catch it anyway.

When the resident scanner is updated to detect the latest batch of new viruses, it will stop the virus being run, and the trick won't work because the virus won't get far enough to use it. So, in practice the trick doesn't work.

- -
I JUST JOINED
IS MY FACE RED?
THE YOUNG MAN SAID
NO! I USE A
NUDIST CAMP
Burma-Shave

------------------------------

Date: Tue, 30 Jul 96 13:12:58
From: richardb@intecolor.com
Subject: RE: Possible Win95 Font Virus...Is it? (WIN95)
X-Digest: Volume 9 : Issue 128

On Thu, 18 Jul 1996, David Hays was heard to announce:

>I have an interesting (and so far, no remedy) for an aberration in font
>display on a Win95 workstation. I have used the latest updates from
>Symantec but no ID of an infection is reported.
>
>In system and application displays (i.e, MS Access and Win95 Explorer
>and others) certain fonts will suddenly start showing as unreadable
>distortions of specific characters. The distortions are repeatable
>for each specific character. Note that this may or may not be
>apparent at boot up. Today, the characters affected are k, u, Q and
>d. The characters will change sometime within the next few hours or
>days. In fact, within the last few minutes, the above characters are
>OK and the newly affected character is "T".
>
>Sometimes, putting focus on the object (in this case a file name in
>Explorer) will sometimes make the character readable.
>
>So, maybe I simply have a messed-up system. Maybe not. What do you
>think.
>
>[Moderator's note: This sounds like a video card/driver problem to me.
>I'd suggest reducing the level of graphics acceleration used and if this
>doesn't fix the problem install "generic" (MS-supplied) graphics drivers
>(SVGA) instead of "fancy" vendor-supplied ones (S3 "WinFast" drivers are
>notoriously bad).]

Good advice. Another (undocumented) way of trying to resolve odd "font" problems is something left in from our Beta program.
In WIN.INI, in the [windows] section, enter the line

safemode = 1

as the first line in that section. If you don't know what I am talking about then DO NOT DO THIS, but if you can edit this text file, then try it. Depending on the vintage of your video card, you may need this set. BTW, the valid values are 0, 1, or 2, where 0 is no safety and 2 is the greatest safety. This overrides the Graphics performance setting. The glitch is that if you later make a driver change (or ever have to reinstall Win95) then you will have to remember to put this in your win.ini.

I have one machine in our facility that requires safemode=2 and his display is noticeably slower because of it. However, without this setting his fonts are too far to the left of the font cell and a bit is dropped, making h, k, m, etc. impossible to read. The problem changes with the font (which characters, relative window pos., etc.) No need to go into details, but try it out.

Standard disclaimer - the opinions expressed above are not necessarily those shared by my employer, community, or self.

------------------------------

Date: Mon, 29 Jul 1996 10:50:34 +0000 (GMT)
From: Bruce Burrell
Subject: Re: TBAV ExcelMacro/Laroux Press Release (WIN)
X-Digest: Volume 9 : Issue 128

C.J. Mackay (101444.1435@compuserve.com) wrote:

> Press Release: For immediate publication!
>
> First Microsoft Excel virus found "in the Wild"! === ThunderBYTE first to
> detect 'ExcelMacro/Laroux'

[snip]

Will all the other companies who were first to detect this virus please say so now, or forever hold their peace?

-BPB

------------------------------

Date: Mon, 29 Jul 1996 16:17:52 +0000 (GMT)
From: Christopher Cheung
Subject: Mcafee Webscan (WIN)
X-Digest: Volume 9 : Issue 128

I have downloaded McAfee Webscan and tried to install it on a PC under the Win95 or Win3.11 platform but failed in both cases with an error message that the version of Windows is not compatible.
I have e-mailed McAfee and got an answer that I have to use AOL (American On-line), which I don't wish to.

Can anybody advise me whether and how I can install Webscan under Win95 and Win3.11?

Thanks & Regards
Christopher Cheung

------------------------------

Date: Mon, 29 Jul 1996 18:36:27 +0000 (GMT)
From: Ken Stieers
Subject: Re: Possible Virus - Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 128

In article <0012.01I7M4A14ICKXZNAB2@csc.canterbury.ac.nz>, n.fitzgerald@csc.canterbury.ac.nz says...

>Jimmy--what's the chance of reining in the marketroids a bit??

Knowing the McAfee marketroids as I do, I'd say the chances are somewhere between slim and none, and Slim just died.

Ken

- -
Views expressed herein are not necessarily the views of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               | Minneapolis - 1.800.872.2599       *
* AV Research/Apps. Eng.    | Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  | Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     | London - 0800 24 39 96             *
* Eden Prairie, MN          | Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 29 Jul 1996 21:53:27 -0400
From: Keith Peer
Subject: Excel Laroux FREEWARE detection! (WIN)
X-Digest: Volume 9 : Issue 128

AntiViral Toolkit Pro Mkiller v1.2 detects and removes known and unknown Word Macro viruses and detects and disables the Excel macro virus LAROUX. FREEWARE!

================================
Protect yourself today with AVP!
================================

You can get a copy of the program from the following Web sites:

www.command-hq.com/command
www.datarescue.com
www.metro.ch
ftp://ftp.command-hq.com/pub/command/avp/mkillr12.zip

Keith

- -
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.             USA Distributor for
P.O. Box 856                     AntiViral Toolkit Pro
Brunswick, Ohio 44212
Internet: info@command-hq.com    Compuserve: 102404,3654
FTP: ftp.command-hq.com /pub/command/avp    :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820   Fax: 330-220-4129   BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Tue, 30 Jul 1996 06:16:02 -0400
From: Dennis Hoyle
Subject: Webscan (WIN)
X-Digest: Volume 9 : Issue 128

When I download a file, Webscan opens and appears to scan the file. It then closes without asking me where to store the file. Any suggestions would be appreciated.

------------------------------

Date: Tue, 30 Jul 1996 12:53 +0000
From: Graham Cluley
Subject: Re: Possible Virus - Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 128
In-Reply-To: <01I7OJ6IVRF0XZNVMZ@csc.canterbury.ac.nz>

dgpile@sprynet.com writes:

> Asked by our firm to investigate Excel spreadsheet macro or other
> viruses I've found that almost simultaneously there is now discussion
> of just such a thing.
>
> My initial visits to the AV forum on CIS, including McAfee's section,
> and various web sites, including McAfee's, turned up nothing.

Twenty or so anti-virus vendors hang out on GO NCSAVIRUS on CompuServe. You'll find discussion of the Excel macro virus and all the anti-viruses you'll ever need there.

See you there.

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------

Date: Tue, 30 Jul 1996 12:58 +0000
From: Graham Cluley
Subject: Re: Possible Virus - Excel as Victim (WIN)
X-Digest: Volume 9 : Issue 128
In-Reply-To: <01I7OJ6IVRF0XZNVMZ@csc.canterbury.ac.nz>

I have some sympathy with Jimmy Kuo of McAfee and his recent posting regarding the Laroux press release issued by his company. It is difficult to explain technical issues to PR people and try and explain to them that actually it isn't a good idea to hype things up. Eventually they learn (or they get the boot).

Another problem is what the general non-computing media then do with the news; I've just been implicated in one newspaper as suggesting that Laroux might cause near disaster in the City of London (somewhat of a deviation from the context in which I was speaking).

Luckily resources like virus-l/comp.virus enable us to speak to our users directly and hopefully calm some of the panic in these situations.

Regards
Graham

- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Mon, 29 Jul 1996 14:10:29 -0400
From: Susan Flynn Hummel
Subject: Recovering FAT info (PC)
X-Digest: Volume 9 : Issue 128

A friend who is a writer has lost part of his latest book due to the Michelangelo/Stoned viruses. He has a 286 with a C drive and runs DOS. He is able to locate the blocks for his book, but the FAT file has been clobbered. (He also runs Superstore, which I understand maintains a compressed "D" drive on the C drive.)

Is there anything that he can do to recover the file? If he has options, what are the pros and cons?

Thanks very much for your help.

Please respond directly to: hummel@mono.poly.edu as I do not subscribe to this list.

- -Susan

------------------------------

Date: Mon, 29 Jul 1996 20:40:05 +0000 (GMT)
From: Shane Coursen
Subject: Re: HELP: I have been attacked by virues's (PC)
X-Digest: Volume 9 : Issue 128

In article <0027.01I7M4A14ICKXZNAB2@csc.canterbury.ac.nz>, ccurryt@tpgi.com.au says...

>Please can someone clarify for me a problem I have just had with a virus
>attack. I run three Pentiums with Win 95 on a network. One computer is
>connected to a dedicated modem line. Yesterday I came in and the unit with
>the modem had over twenty viruses on it, it totally killed my machine and I
>am going to have to format the hard drive again. There are three
>possibilities that I can think of that allowed the viruses to catch me.
>
>ONE - someone put them on there. Don't think so as there have been no foreign
>disks for a long time and I always check them for viruses anyway (will fix
>by putting 3 1/2 inch disk locks on just in case I have a saboteur)

It is certainly possible that somebody came over to the machine, plugged in a disk with a bunch of viruses, and let them loose. Depending on your Win95 settings, and the communications software you are running, it is also possible that somebody got into your system electronically.

>TWO - Norton anti virus went crazy (do not think so, system behaved
>exactly the same as a previous virus attack ((rna virus))

Here are a few questions for you: Which version of NAV are you running? Please let me know the date *and* time stamp *and* filesize of the main NAV executable (NAV.EXE, NAVW.EXE, or NAVW32.EXE.) Next, what definition update set are you using? If you are not using the latest set (08NAV96A.EXE), please download it from http://www.symantec.com/avcenter. Please answer both questions as mixing an old def set with a later version of NAV (and vis-a-vis) can produce its own difficulties.

>THREE - viruses came in over the internet. I have not downloaded unknown
>EXE files. Therefore the only thing I can think of is that I was hacked
>and the viruses were put in by someone. What I would like to know is "is
>it possible for someone to access my machine even though I had no internet
>type software running??? this is my question)

It is possible for you to share resources - files/folders, etc - with outside computers. When you get a chance, click on an empty spot on your desktop, press F1 (help), click on the Index tab, and type "Shar" (without the quotes.) There is a lot of good info on how to give/restrict access.

- -
Shane Coursen                       scoursen@symantec.com
                                    http://www.symantec.com/avcenter
Computer Virus Researcher
Symantec AntiVirus Research Center

------------------------------

Date: Mon, 29 Jul 1996 18:33:52 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Definition of Form virus (PC)
X-Digest: Volume 9 : Issue 128

In article <0022.01I7M4A14ICKXZNAB2@csc.canterbury.ac.nz> Robert@thehulls.demon.co.uk "Robert HULL" writes:

> [Moderator's note: On further checking I found a couple more descriptions
> supporting the 18th and one saying 24th! These three all agreed however,
> that Form is relatively benign. If you followup this post, -please-
> address the disagreement over the date--don't just post your favourite
> Form description.]

Decimal 24 is hex 18. Dr Solomon's Virus Encyclopaedia also gives the 18th.

- -
I JUST JOINED
IS MY FACE RED?
THE YOUNG MAN SAID
NO! I USE A
NUDIST CAMP
Burma-Shave

------------------------------

Date: Mon, 29 Jul 1996 21:45:58 -0400
From: a000
Subject: Re: F-Prot comments (PC)
X-Digest: Volume 9 : Issue 128

: 1) I just installed F-Prot Pro '95 v2.22.2 (demo version) about 2 hours
: ago. And one of the first things I noticed is that the installation
: needs a lot of work. First, run the distribution file. Then run one of
: the setup .bat files. Then run "setup.exe." And each time, I'm
: prompted for a new destination directory?

Good point. I'll forward this to our product manager.
: 2) Is there an easy way for on-demand to work? The really nice thing : about McAfee is that you can set it to add a "scan" option in the : context menu in Explorer, and it will then scan the current folder and : its sub-folders. I'll pass this one along to the product manager as well. : 3) Is there a way to turn off the splash screen? No. But since you may not be the only one who would like this, I'll pass this along too. :) Sarah Gordon Command Software Systems - - i work for Command Software Systems. we are the F-PROT Professional people. these are my own thoughts. they are not representative of my Employer, my University, my Government or my Husband. Maybe they should be. But they aren't! if they are, i'll mention it clearly. else assume i speak for myself!!!!!!!!!! ------------------------------ Date: Mon, 29 Jul 1996 22:13:03 -0400 From: Bill lambdin Subject: Re: Zvi's tests of Findviru.exe (PC) X-Digest: Volume 9 : Issue 128 Bruce Burrell writes > Well, he chose to test only a bunch of viruses from issues of VLAD. >That may say something about the design of the test, but he wasn't able to >replicate 4000 viruses because there were only about 30 or so that met his >criterion. Wrong: Apparently we are referring to different tests. I am referring to the "test" he published in the "Houston Chronicle" (Sorry. I do not recall the date of publication, but it should be over a year ago) where he reported that he tested most A-V programs with 4000 viruses in 6000 infected files, and according to his test InVircible beat them all. I continued to see this article long after I was tired of reading the drivel. This "review" was published to Compuserve, and forwarded to FIDO, Wild Net, WME Net, and other conferences that I read at the time. I didn't say this before, but I believe this test was a complete fabrication IMHO. I say this because I have tested IV myself, and IV has failed both as a generic A-V program, and as a scanner. IV's Generic failure. 
I didn't need to use 4000 viruses to demonstrate IV's weaknesses. The generic routines in IV demonstrably failed my tests, and I used less than 20 viruses before IV failed miserably. IV's scanner failure. I refuse to recommend any scanner unless it detects a minimum of 90% of my collection. IVscan (InVircible's Scanner component) detected only 15% of my collection. Am I supposed to ignore my own results when they directly oppose Mr Williams results, and mesh with other reviews that were published after I started complaining about security problems in IV. Either my results are correct as I claim they are, or I am very persuasive with people that I have never met. For users wondering which test to believe, ask yourself which results include the following, and which is asking you to take their word for it. a. 32 bit CRC values for the archive tested b. description of the test machine c. CARO (Computer Anti-Virus Research Organization) names for the viruses used in the test (for identification purposes) d. The exact responces IV modules reported while detecting or not detecting the viruses that were present. In addition to the four items above there are included in my test results, I also signed the document with my PGP key, so users with my key can verify that I really wrote it, and the document remains unmodified. > If you think the test was poorly designed in its test set, fine. He said IV was tested with 4000 viruses. I doubt either the scanner, or generic A-V component come in first place, unless most of these 4000 viruses were false alarms. > But it's unfair to criticize it for what it did not pretend to be: a >test of many viruses. It never claimed to be, so you can't rag on it for >the viruses you mentioned (that I snipped) which have unusual trigger >conditions. That would be like me criticizing your reviews for not >solving the National Debt, or, to keep it closer to on topic, for not >proving that hardware-damaging viruses can't exist. 
> ;-)

Bruce: Any credible test should have replicable results. I have not seen
anyone reach similar conclusions. In fact every test except for Mr
Williams' test(s) I have seen has agreed with my conclusions. I have
tested IV four times on computers from 10 MHz 8088 - 33 MHz 486, and IV
has failed every time.

Bill Lambdin
- -
--------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 30 Jul 1996 04:46:59 +0000 (GMT)
From: Sung Moo Yang
Subject: Re: Help: The bad sectors in my NEC HD are growing! (PC)
X-Digest: Volume 9 : Issue 128

"Chengi J. Kuo" wrote:
>eike writes:
>>Chia-yin Shih (chiayin@u.washington.edu) wrote:
>>: Even if I do ScanDisk immediately after I just finish one, the number of
>>: clusters containing bad bytes will still increase. This abnormal thing
>>: does not happen to my other two hard drives (one Maxtor and one
>>: Samsung), so I think it should be the NEC drive which has gone wrong.
...
>This is a good assessment. Generally, if the head is terribly misaligned
>or failing (almost scratching the disk), any new place it writes to is a
>new bad sector.
>
>So, as soon as you can, use it only to read whatever data you have and
>back it up.

I never knew that a hard disk drive's head can physically touch and
scratch the disk. However, it is not clear that if the misalignment of
the head causes bad sectors, the FAT should also have been damaged as the
head scratched the FAT area; but it appears to be fine. Is it possible
that the misalignment can affect the rear part of the disk?

Sung Moo

------------------------------

Date: Tue, 30 Jul 1996 00:32:02 -0600
From: George Wenzel
Subject: Re: McAfee (PC)
X-Digest: Volume 9 : Issue 128

In article <0013.01I7OJ6IVRF0XZNVMZ@csc.canterbury.ac.nz>, mzienkie@MTS.Net
says...
>For those out there looking for a good virus detector/remover, I strongly
>recommend the latest shareware or retail versions of McAfee VirusScan.

I consider McAfee to be a good product, but it seems like it has a fairly
high false alarm rate (judging from complaints in alt.comp.virus). While
false alarms aren't a big problem for the home user, they can be a HUGE
problem in a corporate environment.

>They have easily removed all viruses me or my friends have ever had
>(including BOZA)

You shouldn't use your personal experiences as your marker for how good a
program is. Hypothetically speaking, GrottyScan (generic scanner name, not
meant to mock McAfee) could clean up only the three viruses that you
catch, but because it can clean those viruses, you view it as a great
program, when it's not. It's a much better practice to read independent
comparative reviews, and make your judgements based on those. I'm not
saying that McAfee is bad, but it isn't good just because it can clean up
Boza.

>and I have never had a problem with the program. And for
>those who hate McAfee because of the fact that VShield slows the system
>down, well, I hate it too. But keep in mind: there is such a thing as
>being "virus-paranoid".

Using a TSR isn't being paranoid - it's using common sense. There are
TSRs that work as well as VShield, but are faster. I recommend a VxD if
anybody's using Windows, as VxDs have considerably less of an impact on
the system speed.

>If you scan all new programs you get with a
>signature scanner there should be no need for TSR protection.

Yes, but I trust an on-access scanner more than I trust my own memory. Can
you be sure that you scan EVERY incoming file and EVERY incoming disk? I'd
prefer to use a good on-access scanner, and not worry about it.
Regards,

George Wenzel
- -
George Wenzel
U of A Karate Club Homepage: http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Mon, 29 Jul 1996 23:42:14 -0700
From: Mark
Subject: Immune II - Someone who knows? (PC)
X-Digest: Volume 9 : Issue 128

Could someone who really knows please comment on how good Immune II is?
I've read some posts where people have "speculated" that it is similar to
I think it was PC-cillin or Virucide or something...but have yet to read a
post from someone who really understands how Immune II works, and has
tried it. I noticed that Comp USA is now selling it and am interested in
getting a few more opinions.

Thank You,

Mark

------------------------------

Date: Tue, 30 Jul 1996 08:12:49 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Virus that hides in bad sectors? (PC)
X-Digest: Volume 9 : Issue 128

James MacDonald (James@netbook.demon.co.uk) wrote:
> In article <0025.01I7JMM1WFCIXZNAB2@csc.canterbury.ac.nz>, Matthew
> Hudson writes
> >I want to know if anyone has had an incident with a virus that
> >creates a bad sector on your HD then hides there ?
> >
> >I have HAD a virus that does this. The current anti-virus software
> >(at that time) couldn't detect the virus in a bad sector because all
> >of the popular disk utility software out marked it as bad then the
> >v-scan software overlooked it. Also the one I had was a tricky
> >little booger, if a disk utility program tried to recover the sector,
> >then the virus locked up the program. I ridded myself of the problem
> >"REEEEE FORMAT".
> >
> >I was told by a computer guru that there was no such virus and that a
> >virus couldn't do that. Thus the post. More discussion and information
> >than anything.
>
> Of course viruses can do that. Your 'computer guru' had better lose his
> guru title. 'Computer BooBoo' might be better.
> If a virus infects your
> MBR and it would like to put the original MBR somewhere to pass control
> to it this is what it does...
[snip]
> Whilst in memory the virus:
> ***************************
>
> Moves original MBR from original sector to another one
> Marks sector as arbitrarily bad to avoid overwriting of it by DOS@
[snip]

I agree that a virus *could* do this, but can you name any common ones
that actually -do- this?

> @ - DOS will never overwrite an MBR but because the original MBR is in a
> sector not recognized as MBR space it could overwrite it.
[snip]

The MBR infectors I'm familiar with write the MBR to Cylinder 0, Head 0,
which is almost never part of any partition. Hence DOS doesn't know that
anything on (0,0,x) is there and will never overwrite it (except with
FDISK or a utility). Hence there is no need to mark a cluster as unused,
because the sector where the MBR is stored isn't part of *any* DOS
cluster. A few MBR infectors don't even store a copy, and the DBS
infectors I've encountered still store on (0,0,x) on hard drives, though
FORM does mark a cluster (or two) bad on floppies.

Bottom line: a virus certainly could mark sectors bad on a hard drive, but
at present the virus guru mentioned above probably gets to keep his or her
title. Probably only the super gurus -- or the statistics geeks who have
nothing better to do than read virus encyclopedias on the web -- know of
BSI infectors that actually mark clusters bad. [If anyone has examples,
please educate me. Remember, though, that Icelandic isn't a BSI.]

-BPB

------------------------------

Date: Tue, 30 Jul 1996 08:25:19 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Boot Virus on DDO drive (PC)
X-Digest: Volume 9 : Issue 128

Tim Glen (timg@algorithms.com) wrote:
> I just got a boot sector virus on my 1.5 GB drive that I have
> WD's Dynamic Drive Overlay on.
> I used a clean DOS boot disk and
> then ran McAfee's DOS SCAN on the drive and cleaned the virus,
> but I am getting a Dynamic Drive Overlay Integrity Error, when the
> system first boots up. I also tried fdisk /mbr.
>
> Any ideas.

Reinstall the DDO. You may have to contact the writer of the driver
(OnTrack or MicroHouse, probably) to do that, or try WD directly. If the
MBR was restored correctly, you should be successful; if not, it's
probably time for a data recovery. Let's hope it's the former.

-BPB

------------------------------

Date: Tue, 30 Jul 1996 10:40:39 +0100
From: "David W. Hanson"
Subject: Re: Virus Standards for a 5 pc network (PC)
X-Digest: Volume 9 : Issue 128

> From: ruben@ralp.satlink.net
> Sat, 27 Jul 1996 12:11:22 +0000 (GMT) Jim Hughes
> wrote:
>> My town is installing a 5 pc(dos/win 3.1 or win 95)
>> network(Novell).
>>
>> They asked me to investigate virus protection policies. I don't
>> deal with virus protection and would like suggestions from those
>> with the experience.
> I Environment Solution
> - --------------------------------------------------------------------
> --- 1) Server ............... (Find a *.nlm AV module to <>
> 2) Workstations ............... TSR's or VxD (Depending if
> You're

The number one step for protecting workstations is to disable booting
from diskette in the BIOS setup!

David Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
hansond@afrc.garmisch.army.mil

------------------------------

Date: Tue, 30 Jul 1996 08:21:27 -0400
From: "Bob Witham Jr."
Subject: Re: NYB Virus problems on EISA machine!! (PC)
X-Digest: Volume 9 : Issue 128

Iolo Davidson wrote:
> In article <0026.01I7JMM1WFCIXZNAB2@csc.canterbury.ac.nz>
> r.gottet.cnet@spectraweb.ch "Roger Gottet" writes:
>
> > We tried to remove a NYB Virus with a clean boot-diskette. But after
> > each scan the virus showed up again in the memory.

FWIW, I just recently went through a cleanup of NYB on several PCs in one
of our agencies.
We use McAfee AV. My normal procedure for detection/cleanup is to boot
clean (using a DOS 6.2 diskette) then do a scan of the entire HD. If I
detect a boot sector virus, I can do a scan c: /clean /boot. When I did
the initial scan, I got no viruses found in memory, and then a notice that
NYB was on the boot sector. I then tried the scan to clean, and got a
message saying the virus was in memory. I did another clean boot, ran the
scan /clean first, then did a second scan to prove to the user that the
virus was gone, and got the NYB in memory message again.

Talk about embarrassed. Here I am, trying to convince this user that I
know what I'm doing and that the software works, and I keep getting
messages that the drive is still infected. I finally determined that it
was a ghost image because it would not infect diskettes. Also, after a few
disk access commands (dir, copy, etc.) the virus "disappeared" from
memory.

I have not run into this problem with any other boot sector virus though,
specifically, ANTIEXE, MONKEY_A, STEALTH_C, Junkie (boot portion). I am
not sure if these were EISA machines, but I have cleaned other non-EISA
bus machines using the same technique and have not had the ghost image
problem. Anyone know if EISA bus machines have this problem? Does anyone
have an EISA machine to test this?

Bob Witham Jr.
Info Sys Security Analyst
Bureau of Information Services
State of Maine

------------------------------

Date: Tue, 30 Jul 1996 11:10:20 -0400
From: Mike Gardiner
Subject: Re: Boot Virus on DDO drive (PC)
X-Digest: Volume 9 : Issue 128

Tim Glen wrote:
> I just got a boot sector virus on my 1.5 GB drive that I have
> WD's Dynamic Drive Overlay on. I used a clean DOS boot disk and
> then ran McAfee's DOS SCAN on the drive and cleaned the virus,
> but I am getting a Dynamic Drive Overlay Integrity Error, when the
> system first boots up. I also tried fdisk /mbr.
Run the install process for your DDO again, see if it has an option for
restoring or upgrading the DDO. I used this trick to clear out a BSV using
OnTrack DDO software. (Upgrading may sound odd, but if there is no restore
function, it may be the only thing that works.)

- -
=======================================================
Mike Gardiner     mgardine@ford.com
My opinions only. Ford can speak for itself quite well without my help.

------------------------------

Date: Tue, 30 Jul 1996 15:30:48 +0000 (GMT)
From: Ken Stieers
Subject: Re: Boot Virus on DDO drive (PC)
X-Digest: Volume 9 : Issue 128

Call our tech support at (612)937-2121. The virus corrupted the DDO code
that we place on the drive. It can be fixed, but for version 6.03
(currently shipping with WD drives) it's a little complicated, so it would
be best for you to give us a call.

BTW, FDISK /MBR is NOT the solution. It overwrites the custom MBR that DM
installs and therefore can interfere with proper access of your drive. In
this case it had no effect good or bad, but it's not a good idea to
continue to use it.

Ken
- -
Views expressed herein are not necessarily the views of Ontrack Computer
Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers              | Minneapolis      - 1.800.872.2599   *
* AV Research/Apps. Eng.   | Los Angeles      - 1.800.752.7557   *
* Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410   *
* Ontrack Data Recovery    | London           - 0800 24 39 96    *
* Eden Prairie, MN         | Japan            - 81.429.32-6365   *
*******************************************************************

------------------------------

Date: Tue, 30 Jul 1996 17:39:43 +0000 (GMT)
From: woody@diversicomm.com
Subject: Re: Newbie's computer infected!!--Matura?? (PC)
X-Digest: Volume 9 : Issue 128

frances@singnet.com.sg wrote:
>I've not experienced a virus before, neither am I very good
>with computers. A few days ago, I got this experience when I
>downloaded a freeware from the Internet.
>The download came
>with 2 things, one was the freeware itself and the other is
>a *.com type file. When I click it, an MS-DOS window
>appeared with half the window full of little smiling
>faces moving around and changing colors. A weird song also
>accompanied it.
>
>Two days later, my computer started experiencing error
>messages more and more often. Now I couldn't even restart
>in MS-DOS when I quit Windows. I have to reboot my system
>I tried scanning with all types of latest version of
>Antivirus program but they didn't detect it. I knew it was
>there, but could do nothing.
>
>Once my pc told me I had an active virus called **MATURA**
>in my system, I don't know why the message appears, It
>doesn't seem to be from my AV program. I'm lost. Now I had to
>format my harddisk. Can you guys help come up with a better
>solution?? I am using a pentium 120 with Windows 95 and
>McAfee AV.

First of all did you 'boot clean'? If not, go to a system you know to be
clean, format a diskette and add the /s switch to the format command to
make the disk bootable. Now, put your AV program (again from a clean
machine and a clean AV program disk or file) on the disk. Write protect
the disk. Go back to your machine and turn it off. Put the disk in the
machine and turn the machine on. After the system boots run the AV
program. This is the proper way to scan your system. Once the system is
clean THEN put the AV program on the system and use it for scanning new
incoming files, diskettes, or new uncompressed files.

MATURA is a NON-resident COM infector. So after you clean your system,
scan every disk that you have introduced to the system.
Good luck

Regards

Gulf Coast Anti Virus
Biloxi Mississippi
Woody@diversicomm.com or The Scanner - SNR@aol.com

------------------------------

Date: Tue, 30 Jul 1996 17:47:34 +0000 (GMT)
From: woody@diversicomm.com
Subject: Re: AntiExe plus MonkeyB (PC)
X-Digest: Volume 9 : Issue 128

Bob Babcock wrote:
>> You should have gotten a current antivirus program, like F-PROT, DSAV,
>> AVP, or TBAV. There is a list of vendors and URLs in the alt.comp.virus
>> FAQ; download it from ftp://ftp.icnet.uk/icrf-public/acv.FAQ
>>
>> Then create a clean boot disk and use it to start your machine; use the
>> AV software to remove the infection. With Monkey, the hard drive won't be
>> visible, as you mention; no matter, since the software will be able to
>> find the hard drive.
>
>F-prot 2.23a was unable to remove the double infection, although it is
>able to handle either virus individually. Having messed up the hard disk
>to the point where a reformat was needed, I cannot now try other scanners.
>(I did save all user files before experimenting, so this wasn't the
>disaster it could have been.)

I assume it was AntiExe over Monkey for the infection. You can prevent
this from happening in the future if you use F-Prot's VIRSTOP. VIRSTOP
will alert you the minute a diskette that is infected is placed in the
drive, as soon as you either try to run a file from the disk or you just
change drives to the floppy drive.

Regards

Gulf Coast Anti Virus
Biloxi Mississippi
Woody@diversicomm.com or The Scanner - SNR@aol.com

------------------------------

Date: Tue, 30 Jul 1996 17:59:15 +0000 (GMT)
From: woody@diversicomm.com
Subject: Re: AntiExe plus MonkeyB (PC)
X-Digest: Volume 9 : Issue 128

driller@winthrop.slic.com wrote:
>Bob Babcock wrote:
>>I tried to disinfect a PC which was infected with both AntiExe and
>>Stoned.Empire.Monkey.B.
>>All user files were first recovered by zipping to
>>a network drive and restoring onto another PC, so I was willing to
>>experiment to see what might work if a similarly infected PC were to show
>>up.
>
>Sorry to add to this one but a friend has the same problem and we're
>at our wits' end to clean the damn thing. The virus has apparently
>gotten into the guy's floppy drive config or something because now he
>can't seem to use anything to boot in order to clean the virus off
>anywhere. He had it once and thought he cleaned it but alas, such was
>not the case.
>
>We need a virus genius here to help us out. Any applicants? It's the
>Stoned.Monkey.B virus mentioned above too. No other ones seem to be
>present.

I am by NO means a genius but I believe I might be able to help. SCAN may
very well be able to remove the double infection. It is more than likely
AntiEXE over Monkey. Meaning Monkey was the first infection then AntiEXE
was added. SCAN 2.2.12 was able to fix NYB over Monkey where a few of the
others were not able to do so. Dr. Solomon's worked too. The two other
programs I normally use were not effective against the double infection
with NYB over MONKEY but did work with Monkey over NYB. The authors of the
programs were notified and have since corrected the situation. SO, try
SCAN or Dr. Solomon's.

>Oh yeah.... we really need it in simple terms too. We can do the job
>but we're not wizards.
>Thanks folks for any help we receive.
>Doug

>[Moderator's note: You say you have the same problem, but then that you
>only have Monkey. If so, three things...
>
>(1) -Any- half-decent, -current-

The week before last I encountered two cases of the NYB over Monkey. This
really caused a lot of trouble with some of the more popular and better
programs.

>(2) If stuck, try to find KILLMNK3.ZIP--it contains a Monkey-specific
>fixer.

I am afraid this is one that even Killmonk3 couldn't handle: the double
infector with Monkey being the inner infection in the case of NYB over
Monkey.
(I will assume that this will be the case with AntiEXE over Monkey.)
Wallace Hale and I tried and it didn't do the job. First time ever I have
had Killmonk3 fail. Wallace notified Tim Martin of the situation. Tim said
there was a certain situation where Killmonk wouldn't work and I believe
we found it. It will find fragments of it but not the whole thing and as a
result can not handle it

------------------------------

Date: Wed, 31 Jul 1996 11:19:00 +1000
From: Kai-Yu Jiang
Subject: Virus from China, help (PC)
X-Digest: Volume 9 : Issue 128

I got a CD-ROM of the Chinese version of Windows 95 to upgrade my original
Windows 3.1. When I tried to install the Win95, the computer failed to
read at first, then I tried it a second time; this time the computer made
a lot of noise. And then I found a text file called readnow.txt:

This kick ass warez was brought to you by hell god. etc...

I tried three commands: dir/w; more < readme.txt; more < readnow.txt

I installed McAfee's vshield and scan used for the LAN in our university.
It couldn't find the virus. I tried Dr Solomon's software, still not
working. My computer was a pentium 120. The virus slowed it down to a 286.
It also created several hidden files if not enlarged them. Finally my d:
drive for the CD was not working any more; it seemed that the driver was
deleted.

Would any expert in this area please give me some advice on how to deal
with it? Thanking you in advance. My email is s2149689@cse.unsw.edu.au

Cheers

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 128]
******************************************
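The two hiding places Bruce Burrell describes in the "Virus that hides in bad sectors?" thread above (the original MBR parked in cylinder 0, head 0 sectors that belong to no partition, and FORM marking clusters bad on floppies) can both be checked for from a clean boot by reading raw sectors. The following Python is an added example, not code from any poster in the digest; the MBR and FAT12 table it inspects are constructed inline, and the 63-sectors-per-track geometry is an assumption.

```python
"""Added example (not from the digest): inspect a raw MBR sector and a raw
FAT12 table for the two hiding places the thread discusses.

Both inputs below are constructed samples; the 63 sectors/track geometry
is an assumption (typical for LBA-translated drives of the period)."""
import struct

SECTOR = 512
FAT12_BAD = 0xFF7  # FAT12 entry value that marks a cluster as bad


def parse_partition_table(mbr: bytes):
    """Return (boot_flag, type, lba_start, sector_count) for each used entry."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            entries.append((mbr[off], ptype, lba_start, count))
    return entries


def unclaimed_track0_sectors(mbr: bytes, sectors_per_track: int = 63):
    """LBA sectors on cylinder 0, head 0 (after the MBR itself) that belong to
    no partition.  DOS never touches these, which is why MBR infectors park
    the original MBR here; non-zero content in them deserves a look."""
    parts = parse_partition_table(mbr)
    return [lba for lba in range(1, sectors_per_track)
            if not any(s <= lba < s + n for _, _, s, n in parts)]


def fat12_entry(fat: bytes, cluster: int) -> int:
    """Decode one 12-bit FAT entry (1.5 bytes per cluster, little-endian)."""
    off = cluster + cluster // 2
    raw = struct.unpack_from("<H", fat, off)[0]
    return (raw >> 4) if cluster & 1 else (raw & 0x0FFF)


def set_fat12_entry(fat: bytearray, cluster: int, value: int) -> None:
    """Write one 12-bit FAT entry (used only to build the sample below)."""
    off = cluster + cluster // 2
    raw = struct.unpack_from("<H", fat, off)[0]
    if cluster & 1:
        raw = (raw & 0x000F) | ((value & 0xFFF) << 4)
    else:
        raw = (raw & 0xF000) | (value & 0xFFF)
    struct.pack_into("<H", fat, off, raw)


def bad_marked_clusters(fat: bytes, cluster_count: int):
    """Clusters flagged bad in the FAT.  A freshly formatted floppy normally
    has none; bad marks that appear after an infection are the FORM trick."""
    return [c for c in range(2, cluster_count + 2)
            if fat12_entry(fat, c) == FAT12_BAD]


# --- constructed sample MBR: one FAT16 partition starting at LBA 63 --------
SAMPLE_MBR = bytearray(SECTOR)
struct.pack_into("<BBBBBBBBII", SAMPLE_MBR, 446,
                 0x80, 1, 1, 0, 0x06, 0xFE, 0xFF, 0xFF, 63, 3_000_000)
SAMPLE_MBR[510:512] = b"\x55\xaa"

# --- constructed sample FAT12 for a 1.44 MB floppy (9 sectors, 2847 clusters)
FLOPPY_CLUSTERS = 2847
SAMPLE_FAT = bytearray(9 * SECTOR)
SAMPLE_FAT[0:3] = b"\xf0\xff\xff"           # media descriptor + reserved entry
set_fat12_entry(SAMPLE_FAT, 40, FAT12_BAD)  # one cluster "hidden" as bad

if __name__ == "__main__":
    print("track-0 sectors outside every partition:",
          unclaimed_track0_sectors(SAMPLE_MBR))
    print("clusters marked bad:", bad_marked_clusters(SAMPLE_FAT, FLOPPY_CLUSTERS))
```

On a real drive, dump sector 0 and the FAT with a raw sector reader from a write-protected clean boot diskette before feeding them to these functions, and compare the bad-cluster list against what a surface scan reported before the infection.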