VIRUS-L Digest Friday, 2 Aug 1996 Volume 9 : Issue 129 Today's Topics: Re: How to handle viruses in a Dorm-net? Re: About need of 'clean' booting before scanning process Re: About need of 'clean' booting before scanning process Re: How to handle viruses in a Dorm-net? OYSTER from Chile Re: UNIX virus (sigh...) (UNIX) Anticmos.A on Netware server (NW) Re: NAV scanning a drive at shutdown (WIN95) Re: NAV scanning a drive at shutdown (WIN95) Re: NAV scanning a drive at shutdown (WIN95) Re: NAV scanning a drive at shutdown (WIN95) Re: TBAV ExcelMacro/Laroux Press Release (WIN) Re: Mcafee Webscan (WIN) Re: Windows program groups disappearing--virus? (WIN) NAV won't clean DaBoys--please help (PC) Advanced Disk Infoscope *ADINF* (PC) InVIrcible test(s) (PC) Re: Virus that hides in bad sectors? (PC) HLLC.Crawen.8306 virus (PC) Re: Virus from China, help (PC) Re: Recovering FAT info (PC) Re: Zvi's tests of Findviru.exe (PC) Re: Help: The bad sectors in my NEC HD are growing! (PC) Re: Definition of Form virus (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) 
All submissions should be sent to: VIRUS-L@Lehigh.edu. Nick FitzGerald ---------------------------------------------------------------------- Date: Wed, 31 Jul 1996 14:35:12 -0500 (EST) From: DWIGHT TUINSTRA Subject: Re: How to handle viruses in a Dorm-net? X-Digest: Volume 9 : Issue 129 Mark Raciborski wrote: > We are planning to have our dorms wired for network use > fall semester. Each student will be able to connect their own > PC to our Dorm-Net using TCP/IP. Our Telecommunication Director > has sent out an urgent requirement that the school will need > to supply the student with "virus" software before we connect > their machines into the network, that there is some risk > of infection. Is anyone running a Dorm-Net? What kind of > risk from viruses should we be having anxiety over? We are dealing with (almost exactly!) the same issue. We will have several hundred students (the new frosh) wired to the Net via ethernet in their dorm rooms. We run a large Novell network with about 10 servers, as well as numerous UNIX-based servers and workstations. I am anticipating installing several NT-based intranet servers in the next half year. Furthermore, every student has a PC in their room (only the frosh have direct Net cnxs), and there are around 100 public-access PCs around campus. Add to that all the faculty and staff PCs, and it's quite a mix. Existing AV has been largely up to the user, and protection on individual machines ranges from nil to very good. Users can easily get copies of (the public-domain version of) F-PROT here on campus, and one of the consultants has pushed McAfee to the administrative users. Furthermore, many of the frosh will be buying computers from the uni- versity. These have manufacturer-supplied software bundles that include either Norton AV or IBM AV. I've been following VIRUS-L and surfing the various vendors' web sites. It seems clear that Dr. 
Solomon's and F-PROT Pro (non-shareware version, distributed by Command Systems) are the best choices: consistently high ratings for detection for all classes of viruses; responsive support; active presence of technical people (and not marketdroids, the case with McAfee) on VIRUS-L; variety of systems covered; win95-specific versions with win95 interfaces available. I've contacted each and arranged to receive evaluation packages. Although it's still forming, my idea of an overall AV strategy is below. 1) Campus-wide, all-platform site license for one of the major AV utilities. 2) Five to ten-package purchase of one of the other major utilities. This gives us another level of disinfection should a new virus evade the detection/disenfection capabilities of the primary AV tool. The packages that users may own provide yet another layer. 3) Rollout of AV strategy includes general user education including the threat (but not in a panic-inducing way); the tools we've settled on (and why); how they can get and install the tools; how the tools can (and cannot!) be used in conjunction with AV tools they already have on their machines; and what to do if they suspect a virus attack or simply want more info. 4) Rollout includes making the primary AV tool from (1) EXTREMELY easy to get and install. 5) Training of response teams (student computer consultants) in use of tools from (1) and (2) to respond to virus attacks and outbreaks. In the case of the secondary tool, they use it to disinfect only, or install full protection only long enough to contain the outbreak --- so as not to beak the license terms. 6) Installation or upgrade of AV tools protecting the Novell, NT, and other servers. 7) Investigation regarding load-from-server AV modules, so that all machines connecting to a server are automatically updated. If this is politically or technically difficult, we will have to rely primarily on user initiative from (3) and (4). 
Even so, attempt to get pre-approval from management to switch to a load- from-server network behavior in the event of a virus outbreak that user-level efforts cannot contain ... and have the tools already configured for this eventuality. 8) Assign (or take on) responsibility to monitor VIRUS-L, web sites of vendors of tools (1) and (2), and possibly other sources of AV information. Monitoring of VIRUS-L should be daily, the others at least weekly; this monitoring may be part of the official job description of the person doing it. 9) Find and use public-information outlets to keep the campus community up-to-date on new virus threats or changes to the AV strategy/tools. Such outlets would include staff and dorm newsletters, public bulletin boards (physical), the campus newspaper, log-on messages, and campus websites. Comparing the licensing schemes of Dr. Solomon's and F-PROT Pro, Dr. S is much friendlier to the kind of "global campus" licensing that is needed to implement point (1) on a campus where the campus computing center has little control over the type and number of computers on campus, their location, and their use. Dr. S is one-fee-covers-all for not only numbers but also the operating systems. F-PROT Pro uses a per-seat, specify-the-quantity-for-each-OS model ... they do have "global" licenses, but they are prohibitively expensive. But this is a price comparison only; other considerations (such as availability of 7x24 support, price of extra manuals, campus politics, or your ability to cut a good deal) may affect your decision. Hope this helps ... (and thanks for providing the impetus to get my thoughts written down). 
--dwight tuinstra +-----------------------------------------------------------+ | dwight tuinstra tuinstra@draco.clarkson.edu | | academic computing consultant voice: 315-268-2292 | | clarkson university, potsdam ny, usa fax: 268-6570 | +-----------------------------------------------------------+ ------------------------------ Date: Wed, 31 Jul 1996 19:26:28 +0000 (GMT) From: Chris Quirke Subject: Re: About need of 'clean' booting before scanning process X-Digest: Volume 9 : Issue 129 Fridrik Skulason wrote: >In <0003.01I7I6IDJTBMXZNAB2@csc.canterbury.ac.nz> Gerard Mannig > writes: > >>1 - After my statement ' No, you misundertood me. As exposed above, V.6000 >>virus is *active* after a clean boot even if you run no executable file >>from infected HD' >>you answer that is not possible if I have *really* booted clean > >Indeed. What you are talking about is not a clean boot, but a "dirty" >boot that the user thinks is a clean boot....an entirely different thing. 3 possibles; 1) Ctrl-Alt-Del is survivable; use Reset button or power off 2) Check CMOS A: definition on the way in, if set to "None", HD will get there first and "pretend" to boot off A: (also boot order must be A:,C:) 3) Make sure you aren't booting off a LAN card ------------------------------ Date: Wed, 31 Jul 1996 20:03:29 +0000 (GMT) From: Iolo Davidson Subject: Re: About need of 'clean' booting before scanning process X-Digest: Volume 9 : Issue 129 In article <0003.01I7QJURLX4UXZNVMZ@csc.canterbury.ac.nz> mannig@world-net.sct.fr "Gerard Mannig" writes: > Fridrik Skulason said : > > >>Indeed. What you are talking about is not a clean boot, but a "dirty" > >>boot that the user thinks is a clean boot....an entirely different thing. > > Yep. 
But a so-called 'clean boot' is defined this way in VIRUS-L by tens > of people so, as you said yourself, this is a "dirty" boot that the user > thinks is a clean boot...and got infected by some viruses like ExeBug > and/or V.6000 > > I tried to smoothly explain this to Iolo Davidson in private to avoid > heavy discussions in this area but he very kindly put me in kill file. So, > he will never learn what I told in there ... That was a reaction to your mailing me copies of usenet posts. I have now changed my headers so that all replies to addresses therein will bounce. The main purpose is to thwart the recent glut of junk mailers. If you want to mail me, you will have to do something non-automatic, but you are no longer in my mailkill file. > I tried to exchange private Emails with Iolo > Davidson, my main contradictor. It appears that war between > France and Great Britain restarts Wrong conclusion. I just don't like conducting the same discussion both publicly and privately. Or even different discussions on the same subject. There is only one person in my mailkill file based on content, besides the junk mailers, but I had several there who duplicated posts in mail. - - I JUST JOINED IS MY FACE RED? THE YOUNG MAN SAID NO! I USE A NUDIST CAMP Burma-Shave ------------------------------ Date: Thu, 01 Aug 1996 03:00:30 +0000 (GMT) From: Bruce Burrell Subject: Re: How to handle viruses in a Dorm-net? X-Digest: Volume 9 : Issue 129 Mark Raciborski (mark@CS.WM.EDU) wrote: > We are planning to have our dorms wired for network use > fall semester. Each student will be able to connect their own > PC to our Dorm-Net using TCP/IP. Our Telecommunication Director > has sent out an urgent requirement that the school will need > to supply the student with "virus" software before we connect > their machines into the network, that there is some risk > of infection. Is anyone running a Dorm-Net? What kind of > risk from viruses should we be having anxiety over? 
You have the same risk that any user has on an individual computer, plus the added possibility of getting the network infected and having that infection spread to individual workstations. The size of that risk is based on what kind of network you have (Novell, Banyan, Windows for Workgroups,...), how well the file permissions are set, what kind of antivirus software is on the server (unless you're running a peer-to-peer network), and how secure each individual workstation is with regard to catching a virus. [Is Dorm-Net an actual network? If so, I'm not familiar with it, and my web search didn't turn up anything of interest.] In any event, you'll probably need to purchase some antivirus software. I'm sure the vendors will be along any moment to tell you how their products will fit into your scheme. -BPB ------------------------------ Date: Thu, 01 Aug 1996 03:02:24 -0400 From: pansovic Subject: OYSTER from Chile X-Digest: Volume 9 : Issue 129 Does anybody have experience in working with OYSTER (made by Chilean company Best-Business Engineering & Software Tools S.A. from Santiago de Chile)? It's advertised as "an immunizing that solves computer virus problems once and for all." Well, it's to good to be true or maybe not ... In Lak'ech, Gordana Yellow Rhythmic Human ------------------------------ Date: Wed, 31 Jul 1996 20:15:15 +0000 (GMT) From: Iolo Davidson Subject: Re: UNIX virus (sigh...) (UNIX) X-Digest: Volume 9 : Issue 129 In article <0008.01I7QJURLX4UXZNVMZ@csc.canterbury.ac.nz> sloppy@mack.rt66.com "John Millington" writes: > FWIW, disk encryption can help protect against this sort of thing. For > example, Patrick Ohly's program "DiskProtection" (although it's not a Unix > program, something _like_ it could be done for just about any OS) encrypts > entire disk partitions. For DOS, the equivalents are SecureDrive, SecureDevice, and SFS. - - I JUST JOINED IS MY FACE RED? THE YOUNG MAN SAID NO! 
I USE A NUDIST CAMP Burma-Shave ------------------------------ Date: Wed, 31 Jul 1996 19:00:01 +0000 (GMT) From: rvalentine@brodeur.com Subject: Anticmos.A on Netware server (NW) X-Digest: Volume 9 : Issue 129 I have Norton for netware running on my Netware 3.12 server and it reports that it has found the Anticmos.A virus in the File DOS Server Memory and that it can't remove it. Does anyone know what can be done to remove this and if this could be affecting anything on my server. Thanks, Rob ------------------------------ Date: Wed, 31 Jul 1996 10:16:22 -0500 From: Dan Knudsen Subject: Re: NAV scanning a drive at shutdown (WIN95) X-Digest: Volume 9 : Issue 129 >I recently installed norton anti-virus for win95.I note that >every time I shut down the computer,the anti-virus program >scans the a drive,making an audible noise in the drive at the >time. Yeah, see sometimes you want to shutdown your computer and reboot it with a boot disk. Maybe you want to play a DOS game or something. You may believe this boot disk to be clean, because most people think that if you boot from a boot disk, it must be a clean boot. Not always so (but I digress). NAV (like some other AV programs) checks the A drive on shutdown because you might have a boot disk in there. If you do, it will offer to scan-clean-disinfect it. Try it. >1-is the program supposed to do this at each shutdown ?? Yes. >2-is there any potential for damage to the a(floppy) drive from >this. I doubt it. All it's doing is seeing if there's a disk in the drive. In your case, there isn't, so the function it calls returns an error code. Best to check with the FD's manufacturer, though. >there is a patch for the program there but no explanation as to >what the patch does and what it is supposed to fix. It's generally a good idea to install AV program updates. However, I do think patches should be documented. 
The only Symantec product I currently use is their C++ compiler, and the patches for that aren't too well documented either. Hope I helped. ====================================================================== Dan Knudsen support@infobahn.mb.ca Technical Consultant Phone : (204) 284-2467 Infobahn Access Services Fax : (204) 452-8679 ------------------------------ Date: Wed, 31 Jul 1996 10:36:28 -0500 From: Jonathan Williams Subject: Re: NAV scanning a drive at shutdown (WIN95) X-Digest: Volume 9 : Issue 129 zen wrote: > I recently installed norton anti-virus for win95.I note that > every time I shut down the computer,the anti-virus program > scans the a drive,making an audible noise in the drive at the > time. > > 1-is the program supposed to do this at each shutdown ?? > > 2-is there any potential for damage to the a(floppy) drive from > this. > > i have visited the symantec site and i don't see this addressed > there. > > there is a patch for the program there but no explanation as to > what the patch does and what it is supposed to fix. 1) The scanning of floppies for boot viruses at shutdown is a feature which can be enabled/disabled in options. It's useful if you can't disable booting from floppies (for some reason) and want to make sure you don't accidently leave an infected floppy in the drive for your computer to boot from. 2) I've had this feature enabled for close to 5 months on my system, with no ill effects. I imagine floppy drives are designed to not be damaged by access attempts when no disk is present. The patch for the program lets NAV scan for macroviruses. If your copy of NAV is older than Dec 1st, 1995 (NAV for Win95), Symantec says you need to update it using the patch. 
Jonathan jonvwill@iastate.edu ------------------------------ Date: Wed, 31 Jul 1996 20:58:12 +0000 (GMT) From: Iolo Davidson Subject: Re: NAV scanning a drive at shutdown (WIN95) X-Digest: Volume 9 : Issue 129 In article <0010.01I7QJURLX4UXZNVMZ@csc.canterbury.ac.nz> an6m@avery.med.virginia.edu "zen" writes: > I recently installed norton anti-virus for win95.I note that > every time I shut down the computer,the anti-virus program > scans the a drive,making an audible noise in the drive at the > time. It is just checking that you haven't left a possibly infected floppy in the drive, which would get booted off when you reset or next turn the computer back on. - - I JUST JOINED IS MY FACE RED? THE YOUNG MAN SAID NO! I USE A NUDIST CAMP Burma-Shave ------------------------------ Date: Wed, 31 Jul 1996 23:27:57 +0000 (GMT) From: Shane Coursen Subject: Re: NAV scanning a drive at shutdown (WIN95) X-Digest: Volume 9 : Issue 129 In article <0010.01I7QJURLX4UXZNVMZ@csc.canterbury.ac.nz>, an6m@avery.med.virginia.edu says... >I recently installed norton anti-virus for win95.I note that >every time I shut down the computer,the anti-virus program >scans the a drive,making an audible noise in the drive at the >time. > >1-is the program supposed to do this at each shutdown ?? Yes >2-is there any potential for damage to the a(floppy) drive from >this. Damage the drive mechanism itself? Not likely. Of course, I suppose somebody might contend there is wear and tear over the lifetime of the drive. I'd reply that the wear and tear is so minimal as to not exist at all. :) >i have visited the symantec site and i don't see this addressed >there. True, but it is addressed in the NAV manual. Please note that disabling this feature is also covered in the NAV manual. >there is a patch for the program there but no explanation as to >what the patch does and what it is supposed to fix. As discussed in the AUG96.TXT file (and SEP96, OCT96, etc...) 
that accompanies the monthly definition update.... "If your installed version of Norton AntiVirus 3.0 (NAV.EXE or NAVW.EXE) is dated earlier than February 23, 1996, or your installed version of Norton AntiVirus for Windows 95 (NAVW32.EXE) is dated earlier than December 1, 1995, YOU NEED TO UPGRADE." Hope this helps! - - Shane Coursen scoursen@symantec.com http://www.symantec.com/avcenter Computer Virus Researcher Symantec AntiVirus Research Center ------------------------------ Date: Wed, 31 Jul 1996 20:49:02 +0000 (GMT) From: Iolo Davidson Subject: Re: TBAV ExcelMacro/Laroux Press Release (WIN) X-Digest: Volume 9 : Issue 129 In article <0013.01I7QJURLX4UXZNVMZ@csc.canterbury.ac.nz> bpb@stimpy.us.itd.umich.edu "Bruce Burrell" writes: > C.J. Mackay (101444.1435@compuserve.com) wrote: > > > Press Release: For immediate publication! > > > > First Microsoft Excel virus found "in the Wild"! === ThunderBYTE > > first to detect 'ExcelMacro/Laroux' > [snip] > > Will all the other companies who were first to detect this virus > please say so now, or forever hold their peace? I would like to be the first to announce that I haven't discovered this one yet. - - I JUST JOINED IS MY FACE RED? THE YOUNG MAN SAID NO! I USE A NUDIST CAMP Burma-Shave ------------------------------ Date: Wed, 31 Jul 1996 21:00:21 +0000 (GMT) From: Iolo Davidson Subject: Re: Mcafee Webscan (WIN) X-Digest: Volume 9 : Issue 129 In article <0014.01I7QJURLX4UXZNVMZ@csc.canterbury.ac.nz> ckwc@wlink.net "Christopher Cheung" writes: > I have E-mailed to > Mcafee and got an answer that I have to use AOL (Amercian On-line) > which I don't wish to. Yike! Unreasonable or what? - - I JUST JOINED IS MY FACE RED? THE YOUNG MAN SAID NO! I USE A NUDIST CAMP Burma-Shave ------------------------------ Date: Wed, 31 Jul 1996 12:26:16 +0000 (GMT) From: Michael Sohmen Subject: Re: Windows program groups disappearing--virus? 
(WIN) X-Digest: Volume 9 : Issue 129 DarStec (darstec@aol.com) wrote: : In article <0014.01I6GON1RM2AWHYXII@csc.canterbury.ac.nz>, F/WIN : Anti-Virus Support/Ordering writes: : : >In <0028.01I6AA9C7DKOWHYXF7@csc.canterbury.ac.nz> "R. Zalk" : > writes: : > : >>I have the following problem, Program Groups in Windows 3.11 : >> are disappearing one by one when I load up. : >> : >>Does anyone know if this is a virus or just good ol' Microsoft. : >> I have run several AVs [latest versions] and no viruses found. : > : : So it could be a virus, or a hardware problem, or even corrupt disk : caching software. I'd like to see a follow up on this one. Disappearing groups are a standard malfunction on Window$ 3.1 - it happens from time to time - Ok it usually works if you set the groups' files to read-only, but is even deleted in this time. It's similar to "Device driver not found" startup messages - don't waste money to Virus detectioning programs when Windows isn't working like it is thought to.. Better solution: format your disk and install Linux - never get any virus. Cheers, Michael ------------------------------ Date: Tue, 30 Jul 1996 21:13:02 +0000 (LOCAL) From: Bon Allen Wier Subject: NAV won't clean DaBoys--please help (PC) X-Digest: Volume 9 : Issue 129 Why will Norton not clean this virus? Has anyone ever heard of it? I booted the machine with a "known to be clean" boot disk then ran NAV from the a: drive. NAV detects it and attempts to clean it but fails miserably. ------------------------------ Date: Wed, 31 Jul 1996 00:18:05 -0400 From: Bill lambdin Subject: Advanced Disk Infoscope *ADINF* (PC) X-Digest: Volume 9 : Issue 129 I have evaluated ADINF, and I have encountered a security problem. I have tried to E-Mail the author, and the mail bounces. If someone could have the author of ADINF get in touch with me, I would like for this security problem to be patched. 
I would prefer to hash out this security problem behind the scenes if possible instead of disclosing the security problem, and embarassing the author. Bill Lambdin - -------------------------------------------------------------------------- vfreak@skn.net PGP fingerprints 9C CD 47 F3 C7 65 CA 33 102524.2206@compuserve.com C7 7D 69 8B 26 0C F8 08 ------------------------------ Date: Wed, 31 Jul 1996 00:18:10 -0400 From: Bill lambdin Subject: InVIrcible test(s) (PC) X-Digest: Volume 9 : Issue 129 Today: Paul Williams contacted me via E-Mail, and sent what he claimed to be a copy of the test I criticized earlier. This test does not resemble the test I saw posted in 10 + various conferences I read. One of the following happened. a. this is a later test. b. the results sent to me were modified. c. Some InVircible fan modified the results before publishing this in every A-V conference I read. I do not know which category these results fall in. I want to read the origal results before continuing this debate. If the results I read were modified by someone else, I would like to offer a public appology to Mr. Williams. If someone has a copy of the Houston Chronicle the original results were published; contact me via E-Mail. - ------------------------------------------------------------------------------ In regards to the results Mr Williams forwarded today According to the text; Mr. Williams was tessting IV's generic removal of viruses. So I will only deal with IV's ability or inability to remove viruses in this portion of my responce. I have tested InVircible's ability to detect, and remove the viruses used in the test. In my results IV-4-WHL.TXT, I clearly label which viruses were successfully removed, and which were not removed. Lehigh.a IVB claimed that COMMAND.COM had been restored to it's original status when it had not. 
I included the MD5 Hash value for COMMAND.COM before infection, and the resulting MD5 Hash value after COMMAND.COM had been infected by this virus, and InVircible's attempt to remove the virus in my test results. The two MD5 hash values did not match, proving that COMMAND.COM had not been restored to it's original status. Mr. Netiv tried to excuse this failure by saying that COMMAND.COM had been restored to "Functional" status. There is a dramatic difference between Functiona; status, and "Original status. Virus 101 is where you "remove" the virus instead of leaving the virus in a cavity inside COMMAND.COM that causes alerts from other scanners evn though the 555 bytes of code inside COMMAND.COM would not be run. IVB restored the entrypont of COMMAND.COM instead of accomplishing the job it claimed to do. Some may call this removing viruss. It is NOT IMHO. Tremor InVircible neither detected Tremor nor cleaned the infected files. Pinky.952. InVircible detected one infected 952 byte file out of the 6 infected files. InVircible reported IVINIT.COM, but ignored the other 952 byte files, and mindlessly updated the integrity datafile to check the additional .COM files. Mr. Netiv (The author of InVircible) admitted that InVircible was in capable of removing the One Half virus, or overwriting viruses. I know for a fact that InVircible will not be able to remove viruses like Cruncher. Cruncher goes resident, and infects host files, then the host files are compressed with the diet algroithm. After the host files are compressed, InVircible's file signature no longer matches the file. InVircible will be able to report the files have changed, but unable to clean the infected files. 
Bill Lambdin - -------------------------------------------------------------------------- vfreak@skn.net PGP fingerprints 9C CD 47 F3 C7 65 CA 33 102524.2206@compuserve.com C7 7D 69 8B 26 0C F8 08 ------------------------------ Date: Wed, 31 Jul 1996 17:17:47 +0000 (GMT) From: Ken Stieers Subject: Re: Virus that hides in bad sectors? (PC) X-Digest: Volume 9 : Issue 129 If I remember correctly, Form marks some sectors bad at the end of the drive which is where the note about Corinne is stored. Ken - - Views expressed herein are not necessarily the views of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc. ******************************************************************* * Ken Stieers | Minneapolis - 1.800.872.2599 * * AV Research/Apps. Eng. | Los Angeles - 1.800.752.7557 * * Ontrack Computer Systems | Washington, D.C. - 1.800.650.2410 * * Ontrack Data Recovery | London - 0800 24 39 96 * * Eden Prairie, MN | Japan - 81.429.32-6365 * ******************************************************************* ------------------------------ Date: Wed, 31 Jul 1996 18:16:22 +0000 (GMT) From: Luca Bismondo Subject: HLLC.Crawen.8306 virus (PC) X-Digest: Volume 9 : Issue 129 my Win95 System was infected by HLLC.Crawen.8306 virus that Mcafee and Norton can't get away. It Infects all *.COM files and it will destroy my software in a wile if somebody don't help me. So, please, if somehone knows how to do with it replay to my help request at: soltec@protec.it Thank you !!! ------------------------------ Date: Wed, 31 Jul 1996 20:01:49 +0000 (GMT) From: x@ns.net Subject: Re: Virus from China, help (PC) X-Digest: Volume 9 : Issue 129 On 31 Jul 1996 09:34:07 -0000, Kai-Yu Jiang wrote: >I got a cdrom for Chinese version window95 to upgrade my original >window3.1. When I tried to install the win95. The computer failed >to read at first, then I tried it second time, this time the computer >made a lot of noise. 
And then I found a text file called readnow.txt: > > This kick ass warez was brought to you by hell god. etc... > >I tried three command: dir/w; more < readme.txt; more < readnow.txt <> Did you understand at the time that you were using a pirated program? If you did, then you kind of got what you deserved. Virus infections and warez go hand in hand. You need to get a good AV program and run it. LOL ------------------------------ Date: Wed, 31 Jul 1996 20:52:42 +0000 (GMT) From: Iolo Davidson Subject: Re: Recovering FAT info (PC) X-Digest: Volume 9 : Issue 129 In article <0020.01I7QJURLX4UXZNVMZ@csc.canterbury.ac.nz> hummel@mono.poly.edu "Susan Flynn Hummel" writes: > A friend who is a writer has lost part of his latest book due > the Michelangelo/Stoned viruses. He has a 286 with a C drive > and runs DOS. He is able to locate the blocks for his book, > but the FAT file has been clobbered. (He also runs Superstore, > which I understand maintains a compressed "D" drive on the C > drive.) Is there anything that he can do yo recover the file? > If he has options, what are the pros and cons? Sounds like a data recovery specialist may be able to recover at least some of it. The sectors he has located may not be the latest copy, but it would be better than nothing. If he is able to see the sectors, he is probably using something that could save them to a file on a floppy, so he might be able to rescue it himself, but do NOT do anything that will write to the hard disk. Disk recovery programs or the like may well wipe what is still left. I bet he backs up his work from now on. - - I JUST JOINED IS MY FACE RED? THE YOUNG MAN SAID NO! I USE A NUDIST CAMP Burma-Shave ------------------------------ Date: Thu, 01 Aug 1996 00:24:33 +0000 (GMT) From: Bruce Burrell Subject: Re: Zvi's tests of Findviru.exe (PC) X-Digest: Volume 9 : Issue 129 Bill lambdin (vfreak@skn.net) wrote: > Bruce Burrell writes > > Well, he chose to test only a bunch of viruses from issues of VLAD. 
> >That may say something about the design of the test, but he wasn't able to > >replicate 4000 viruses because there were only about 30 or so that met his > >criterion. > > Wrong: Apparently we are referring to different tests. I am referring to > the "test" he published in the "Houston Chronicle" (Sorry. I do not recall > the date of publication, but it should be over a year ago) where he > reported that he tested most A-V programs with 4000 viruses in 6000 > infected files, and according to his test InVircible beat them all. The article in the Houston Chronicle was written by one Mr. Dwight Silverman; it's dated 2/19/95, according to an InVircible web site. It *cites* results of Mr. Williams, but was not written by the latter. As far as I know, the actual test has not appeared in print [snip] > For users wondering which test to believe, ask yourself which results > include the following, and which is asking you to take their word for it. > > a. 32 bit CRC values for the archive tested Perhaps you should include the 32 bit CRC of the article you cite, to avoid confusion. > > If you think the test was poorly designed in its test set, fine. > > He said IV was tested with 4000 viruses. I doubt either the scanner, or > generic A-V component come in first place, unless most of these 4000 > viruses were false alarms. No, Mr. Silverman says that Mr. Williams infected 6,158 files with 4,013 different viruses. Perhaps (even "probably") that's what Mr. Williams says too, but there is a difference. Whatever; I tend to agree with your assessment, though it's a non-scientific analysis on my part. > > But it's unfair to criticize it for what it did not pretend to be: a > >test of many viruses. It never claimed to be, so you can't rag on it for > >the viruses you mentioned (that I snipped) which have unusual trigger > >conditions. 
That would be like me criticizing your reviews for not > >solving the National Debt, or, to keep it closer to on topic, for not > >proving that hardware-damaging viruses can't exist. ;-) > > Bruce: > > Any credible test should have replicable results. I have not seen anyone > reach similar conclusions, In fact every test except for Mr Williams > test(s) I have seen has agreed with my conclusions. Unless you've seen the actual test cited in the Houston Chronicle article, it would be exceedingly difficult to replicate the results -- the methods have not been released. > I have tested IV four times on computers from 10 MHZ 8088 - 33 MHZ 486, > and IV has failed every time. But your tests have been released for peer review, and I commend you for doing so. I was unaware that the Houston Chronicle article purported to present results of tests performed by Mr. Williams; thanks for providing a pointer that lead me to that fact. But the VLAD test was more recent, and certainly has gotten a lot more press in UseNet groups. Since I suspect few of us are mindreaders, please do us the courtesy of making a more explicit citation when there is the possibility of ambiguity. -BPB ------------------------------ Date: Thu, 01 Aug 1996 00:28:32 +0000 (GMT) From: Bruce Burrell Subject: Re: Help: The bad sectors in my NEC HD are growing! (PC) X-Digest: Volume 9 : Issue 129 Sung Moo Yang (yang@infoserve.net) wrote: > "Chengi J. Kuo" wrote: [snip] > >This is a good assessment. Generally, if the head is terribly misaligned > >or failing (almost scratching the disk), any new place it writes to is a > >new bad sector. > > > >So, as soon as you can, use it only to read whatever data you have and > >back it up. > > I never knew that hard disk drive's head can physically touch and scatch > the disk. However, It not clear that if the mis-alignment of head causes > bad sector, FAT should also have been damaged as the head scrached on FAT > area; but it appears to be fine. 
Note that he said "ALMOST scratch". The head should never touch while the platter is moving, and contemporary hard drive heads retract when power is lost. Older drives sometimes had an area where the heads were "parked", and allowed to touch the surface on a never-used area of the platters.

> Is it possible that the mis-alignment can affect the rear part of the disk?

Not sure what you mean by "rear part".

-BPB

------------------------------

Date: Thu, 01 Aug 1996 15:16:01 +0000 (GMT)
From: David Desrosiers
Subject: Re: Definition of Form virus (PC)
X-Digest: Volume 9 : Issue 129

Robert HULL wrote:
> Hope you can help, I am a little confused about the characteristics
> of the Form virus.
>
> A colleague was recently told he had passed this virus on a diskette to
> someone else and asked for information about the thing.
>

Here's all the info I have on that one. Hope it helps:

Virus Name: FORM-Virus
Aliases: Form, Form Boot, FORM-18
V Status: Common
Discovered: June 1990
Symptoms: BSC; clicking noise from system speaker
Origin: Switzerland
Eff Length: N/A
Type Code: BR - Resident Boot Sector Infector
Detection Method: ViruScan, F-Prot, NAV, Sweep, CPAV, AVTK, IBMAV, NAVBoot, VAlert, PCScan
Removal Instructions: MDisk, NAV, or DOS SYS command

General Comments:
The FORM-Virus, or Form Boot, is a memory resident infector of floppy and hard disk boot sectors. It was originally isolated in Switzerland. When a system is first booted with a diskette infected with the FORM-Virus, the virus will infect system memory as well as seek out and infect the system's hard disk. The floppy boot may or may not be successful; on the author's test system, a boot from a floppy diskette infected with FORM-Virus never succeeded, instead the system would hang. It should be noted that the virus was received by the author of this document as a binary file, and it may have been damaged in some way.
The following text message is contained in the FORM-Virus binary code as received by the author of this document:

"The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne."

These messages, however, may not appear in all cases. For example, I did not find these messages anywhere on a hard disk infected with Form Boot.

Systems infected with the FORM-Virus in memory may notice that a clicking noise may be emitted from the system speaker on the 24th day of any month.

This virus can be removed with the same technique as used with many boot sector infectors. First, power off the system and then boot from a known clean write-protected boot diskette. The DOS SYS command can then be used to recreate the boot sector. Alternately, MDisk from McAfee Associates may be used to recreate the boot sector.

Known variant(s) of the FORM-Virus are:

Form II: Based on FORM-18, this variant was submitted in May 1992 from an unknown origin. It is functionally equivalent to FORM-18, though altered to avoid detection by most anti-viral utilities. Origin: Unknown May, 1992.

FORM-18: Similar to the FORM-Virus, FORM-18 activates on the 18th day of the month, at which time clicking will be heard from the system speaker on systems which have a system clock and CMOS. Systems without a system clock will most likely not have the clicking occur.

FORM-Canada: Similar to the FORM-18 variant, this variant is a minor alteration. On diskettes, it locates the remainder of the viral code and original boot sector in the first two available, unused sectors on the diskette, marking them as bad sectors. Origin: Canada August, 1992.

visionary@brazerko.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 129]
******************************************
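The FORM-Canada entry above describes a classic boot-sector-infector trick: the diskette's FAT is edited so that the clusters holding the stashed original boot sector and the rest of the viral code read as "bad", which keeps DOS from ever reusing them. A defender can turn that trick into a check. The Python below is an added example written for this digest, not code from the digest, from the virus database entry quoted, or from any of the scanners listed: it parses a FAT12 floppy image's BIOS Parameter Block, walks the 12-bit FAT to list every cluster flagged bad (value 0xFF7), and then reads each such cluster to see whether it carries an x86 boot-sector signature (55 AA at offset 510, which is what a stashed copy of the original boot sector looks like) or the "The FORM-Virus sends greetings" substring quoted in the post. The floppy image is constructed inline (64 sectors, two FATs of one sector each) to stand in for infected media; the helper names (`parse_bpb`, `bad_clusters`, `inspect_image`, `build_sample_image`) and the sample layout are assumptions of this example.

```python
"""Inspect a FAT12 floppy image for clusters flagged "bad" and report what
they hold.  Added example for the Form/FORM-Canada discussion; the image it
builds is constructed here and all helper names are hypothetical."""
import struct

BAD_CLUSTER = 0xFF7                  # FAT12 value meaning "bad cluster, never allocate"
BOOT_SIG = b"\x55\xAA"               # x86 boot-sector signature at offset 510
FORM_TEXT = b"The FORM-Virus sends greetings"   # substring of the greeting quoted above
BPB_FMT = "<HBHBHHBH"                # bytes/sector, sectors/cluster, reserved, FATs,
                                     # root entries, total sectors, media, sectors/FAT


def parse_bpb(image: bytes) -> dict:
    """Pull the BIOS Parameter Block fields needed to find the FAT and data area."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from(BPB_FMT, image, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
        "fats": nfats, "sectors_per_fat": spf, "total_sectors": total,
        "first_data_sector": reserved + nfats * spf + root_sectors,
    }


def fat12_entry(fat: bytes, cluster: int) -> int:
    """Decode one 12-bit FAT entry; entries are packed 1.5 bytes apart."""
    off = cluster + cluster // 2
    val = struct.unpack_from("<H", fat, off)[0]
    return (val >> 4) if cluster & 1 else (val & 0x0FFF)


def set_fat12(fat: bytearray, cluster: int, value: int) -> None:
    """Encode one 12-bit FAT entry without disturbing its packed neighbour."""
    off = cluster + cluster // 2
    cur = struct.unpack_from("<H", fat, off)[0]
    cur = (cur & 0x000F) | (value << 4) if cluster & 1 else (cur & 0xF000) | (value & 0x0FFF)
    struct.pack_into("<H", fat, off, cur)


def cluster_to_sector(bpb: dict, cluster: int) -> int:
    """Data clusters start at 2 and map linearly onto the data area."""
    return bpb["first_data_sector"] + (cluster - 2) * bpb["sectors_per_cluster"]


def bad_clusters(image: bytes) -> list:
    """Every data cluster the first FAT marks as bad."""
    bpb = parse_bpb(image)
    bps = bpb["bytes_per_sector"]
    fat = image[bpb["reserved"] * bps:(bpb["reserved"] + bpb["sectors_per_fat"]) * bps]
    n_clusters = (bpb["total_sectors"] - bpb["first_data_sector"]) // bpb["sectors_per_cluster"]
    return [c for c in range(2, 2 + n_clusters) if fat12_entry(fat, c) == BAD_CLUSTER]


def inspect_image(image: bytes) -> dict:
    """Flag the Form greeting in the boot sector and look inside bad-marked clusters."""
    bpb = parse_bpb(image)
    bps, spc = bpb["bytes_per_sector"], bpb["sectors_per_cluster"]
    findings = {"form_text_in_boot": FORM_TEXT in image[:bps], "bad_clusters": [],
                "stashed_boot_sectors": [], "form_text_clusters": []}
    for c in bad_clusters(image):
        s = cluster_to_sector(bpb, c)
        blob = image[s * bps:(s + spc) * bps]
        findings["bad_clusters"].append(c)
        if blob[510:512] == BOOT_SIG:          # a bad sector should never end in 55 AA
            findings["stashed_boot_sectors"].append(c)
        if FORM_TEXT in blob:
            findings["form_text_clusters"].append(c)
    return findings


def build_sample_image() -> bytes:
    """Constructed 64-sector FAT12 image mimicking the FORM-Canada layout:
    the greeting in the boot sector, clusters 5 and 6 flagged bad, cluster 5
    holding a copy of the clean boot sector.  Not a real virus sample."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 1, 1, 2, 16, 64, 1
    clean = bytearray(bps)
    clean[0:3], clean[3:11] = b"\xEB\x3C\x90", b"MSDOS5.0"
    struct.pack_into(BPB_FMT, clean, 11, bps, spc, reserved, nfats, root_entries, total, 0xF0, spf)
    clean[510:512] = BOOT_SIG
    infected = bytearray(clean)
    infected[64:64 + len(FORM_TEXT)] = FORM_TEXT      # stand-in for the infected boot code
    fat = bytearray(bps)
    fat[0:3] = b"\xF0\xFF\xFF"                         # media descriptor + reserved entry 1
    set_fat12(fat, 5, BAD_CLUSTER)
    set_fat12(fat, 6, BAD_CLUSTER)
    image = bytearray(total * bps)
    image[0:bps] = infected
    image[1 * bps:2 * bps] = fat                       # FAT #1
    image[2 * bps:3 * bps] = fat                       # FAT #2 (sector 3 is the empty root dir)
    bpb = parse_bpb(image)                             # first_data_sector == 4, so cluster 5 -> sector 7
    s5, s6 = cluster_to_sector(bpb, 5), cluster_to_sector(bpb, 6)
    image[s5 * bps:(s5 + 1) * bps] = clean             # stashed original boot sector
    image[s6 * bps:s6 * bps + 26] = b"CONSTRUCTED PAYLOAD MARKER"
    return bytes(image)


if __name__ == "__main__":
    for key, value in inspect_image(build_sample_image()).items():
        print(f"{key}: {value}")
```

On a real diskette image (a raw dump taken from a clean machine, read-only) `inspect_image` reports any bad-marked cluster that looks like a boot sector, which is a much stronger signal than the greeting string alone: as the post notes, the text may not be present at all on an infected hard disk, and a clean floppy that genuinely has media defects will have bad clusters that contain neither. The check is a triage aid, not a replacement for the scanners listed in the entry.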
