VIRUS-L Digest   Wednesday, 7 Aug 1996   Volume 9 : Issue 133

Today's Topics:

What is the worst Virus?
scn-251e.zip McAfee VirusScan for MS-DOS
Trojan Horses. Need Information
Re: Disknet
Re: Theory
Re: Lambdin's ADINF Post
Re: Bad AV software
Re: Re: Management's response to computer virus threat?
Booting from a CD Rom
Re: Theory
Re: Management's response to computer virus threat?
Re: Lambdin's ADINF Post
Quick reference antiviral review chart
Re: What is the worst Virus?
Re: Fighting Macro Virus in Campus Labs (MAC,PC))
Re: Information on NT A-V Software (NT)
Norton Antivirus95 and Mcafee (WIN95)
Re: McAfee and multiple drive scans (WIN95)
Re: NAV blues (WIN95)
Friend needs virus help (WIN)
Re: Junkie seems to have eaten my mouse - help wanted (PC)
Re: quicksilver virus (PC)
Re: Definition of Form virus (PC)
Re: Virus Standards for a 5 pc network (PC)
Re: Help: The bad sectors in my NEC HD are growing! (PC)
Immune II (PC)
Re: Virus Standards for a 5 pc network (PC)
Re: Virus that hides in bad sectors? (PC)
not sure if i cleaned stealth_c (PC)
Re: HLLC.Crawen.8306 virus (PC)
Concept Question (PC)
Help, What is this virus? (PC)
Re: Virus Standards for a 5 pc network (PC)
CMOS_DEATH Info (PC)
Rebrick Virus (PC)
Ghost of DRIVE C: (PC)
V-Hunter AV software (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 05 Aug 1996 05:10:21 -0400
From: Bill lambdin
Subject: What is the worst Virus?
X-Digest: Volume 9 : Issue 133

AgtMike writes

>Which virus is the most destructive and hardest to detect?

New viruses that use the following techniques are hard to detect when they are resident.

Fully stealthed
Tunneling
Sector level stealthed

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Mon, 05 Aug 1996 13:10:09 +0300
From: ts@UWasa.Fi (Timo Salmi)
Subject: scn-251e.zip McAfee VirusScan for MS-DOS
X-Digest: Volume 9 : Issue 133

Mon 5-Aug-96: Acquired to Garbo archives

452371 Jul 30 02:51 ftp://garbo.uwasa.fi/pc/virus/scn-251e.zip
scn-251e.zip McAfee VirusScan for MS-DOS, SCAN.EXE

All the best, Timo

....................................................................
Prof. Timo Salmi Co-moderator of news:comp.archives.msdos.announce
Moderating at ftp:// & http://garbo.uwasa.fi archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
ts@uwasa.fi http://uwasa.fi/~ts BBS 961-3170972; FIN-65101, Finland

------------------------------

Date: Mon, 05 Aug 1996 13:13:28 +0200
From: Miguel Angel Pina Lanuza
Subject: Trojan Horses. Need Information
X-Digest: Volume 9 : Issue 133

We are Students of Informatic Science in Spain. We need all information about Trojan Horses virus.
Please, if you have information or references in the internet about this issue, write us to this E-Mail: nines.martin@mest.unizar.es or isu@apollo.cps.unizar.es

thanks a lot.

------------------------------

Date: Mon, 29 Jul 1996 09:08:36 +0000 (GMT)
From: Jan Hruska
Subject: Re: Disknet
X-Digest: Volume 9 : Issue 133

David Bridson, Reflex Magnetics PR wrote:

>As for the "100% protection" claim, I can't find it in any of Reflex's
>current promotional material. I would guess it came from an old
>advertisement. Over a year ago, Reflex surveyed its customers, and found

Your clients were displaying it in very large letters at the Networks show four weeks ago in Birmingham. Is that not 'current'?

>1. A module that offers specific protection against *any* type
> of Macro virus, not just those that are "known".

Is this the same module which was beaten by the Winword/Reflex (aka Red Dwarf, Challenge) virus for which Reflex allegedly gave a Jereboam of champagne to the virus writer at the Infosec show in April 96 in London?

------------------------------

Date: Mon, 05 Aug 1996 08:26:12 -0400 (EDT)
From: Karsten Ahlbeck <100554.2356@CompuServe.COM>
Subject: Re: Theory
X-Digest: Volume 9 : Issue 133

Brett Benjamin Hawkins wrote:

>>The same people who write viruses develop and sell antivirus software?
>>(Just like "The Net"). Whadya think?
>
> It makes perfect sense to me! Perhaps it should be taken a step
>farther and turned into a law. You know, like the law of gravity.

I don't know if you are ironic or really mean it (that the AV producers make viruses as well, not turning it into a law ;-)

Personally I could stretch it too: maybe some AV producers hype things up with new viruses, trying to make them sound more widespread than they are, just to boost sales. But I do disagree with the thought that AV producers also write the viruses themselves. For myself, I would not have the time.
And if I had some spare time, I sure would not spend it adding another virus to the enormous number already out there.

Yours Sincerely,
Karsten Ahlbeck
Karahldata
Swedish Integrity Master Agent

------------------------------

Date: Mon, 05 Aug 1996 09:30:53 -0400 (EDT)
From: Jess Daniels
Subject: Re: Lambdin's ADINF Post
X-Digest: Volume 9 : Issue 133

What does the following have to do with knowing about and evaluating viruses?

>What is the extent of your education? If you have a college degree,
>what is it and what is it in?
>
>Are you now a member of any professional associations, and if so,
>which ones?

Yeah, and are you a mathematician with a six line PGP sig on AOL?

------------------------------

Date: Mon, 05 Aug 1996 09:30:47 -0400 (EDT)
From: Jess Daniels
Subject: Re: Bad AV software
X-Digest: Volume 9 : Issue 133

>Did you know that using bad A-V software is worse than using no A-V
>software?

Yes

>It is because users that do not use A-V software realize their system is
>open to attack from viruses. Users that have inferior A-V software are
>lulled into a false sense of security, and do not take the steps for
>security they ordinarily would if they did not have any A-V software.

You've still got the great mob who don't have *any* AV software and don't take *any* steps for security.

>I should know. I bought the wrong A-V software twice. Neither program
>performed as advertized, and I paid the price by losing data that could
>not be replaced.

Haven't we all? How many software programs of any kind *really* perform as advertised?

>So I started collecting viruses as I found them, and studied how these
>little germs worked. After I had a fair technical knowledge of viruses,
>and a decent virus collection, I started evaluating A-V software.

Good for you. Personally, I'm glad there is someone besides the independent manufacturers doing *evaluations*.

>Some may think I am cold, but I believe A-V software should perform as
>advertized.
I have no opinion concerning your body temperature, however I happen to believe that anything (silly boy) should perform as advertised.

------------------------------

Date: Mon, 05 Aug 1996 09:30:50 -0400 (EDT)
From: Jess Daniels
Subject: Re: Re: Management's response to computer virus threat?
X-Digest: Volume 9 : Issue 133

Gene Wirchenko wrote:

>Cragjock wrote:
>>Management , and corporations in general, have responded to the growing
>>problem of viruses in the workplace with tighter controls on media (i.e.
>>disks brought in from the "outside"), limiting Internet access to users
>>who are aware of the virus problem, and education / training to the
>>employee community at large. However, the main responsibility, in my
>>opinion, continues to reside with the users / employees and NOT the
>>management.
>
> Why not? Whose computer is it? If they don't particularly care,
>why should the users and employees? What if the users and employees
>don't know about effective AV?

I'm afraid I've got to go along with Cragjock on this one. No matter how good your AV program is and how well all users and employees are trained in the use thereof, nothing short of constantly looking over their shoulders is going to keep some of them from trying to circumvent the use of said AV program.

As for your question of whose computer it is, sure it's the employer's. That's one reason so many users and employees don't give a damn about what happens to it.

------------------------------

Date: Mon, 05 Aug 1996 12:06:08 -0500
From: John Guynn
Subject: Booting from a CD Rom
X-Digest: Volume 9 : Issue 133

There have been many people who said you can not boot from a CD Rom. Those people have never worked with a Compaq Proliant server.

I have configured about 10 Proliants and all of them boot from a CD Rom for the initial hardware configuration (amount of memory, EISA setup, etc).
I'll admit that I was surprised when the documentation told me to boot from the CD Rom and was wondering where the DOS disk with the CD Rom drivers was at.

John Guynn
jag@univel.telescan.com
Network Admin
Telescan Inc.

------------------------------

Date: Mon, 05 Aug 1996 20:45:55 +0000 (GMT)
From: x@ns.net
Subject: Re: Theory
X-Digest: Volume 9 : Issue 133

On 4 Aug 1996 06:34:37 -0000, Cragjock wrote:

>The same people who write viruses develop and sell antivirus software?
>(Just like "The Net"). Whadya think?

Could be, but I don't think so. If they were even caught once, their company would go down in flames. Besides, there are enough knuckle heads out there writing viri that it isn't really necessary for the AV people to do it, is it?

------------------------------

Date: Mon, 05 Aug 1996 22:45:02 -0100
From: Peter Beersmans
Subject: Re: Management's response to computer virus threat?
X-Digest: Volume 9 : Issue 133

Cragjock wrote:

> Management , and corporations in general, have responded to the growing
> problem of viruses in the workplace with tighter controls on media (i.e.
> disks brought in from the "outside"), limiting Internet access to users
> who are aware of the virus problem, and education / training to the
> employee community at large. However, the main responsibility, in my
> opinion, continues to reside with the users / employees and NOT the
> management.

You are right if you say that management uses tighter controls on media used in a working environment (at least this has also happened at the company where I work) and I don't oppose these tighter controls. But you can never rule out the fact that somebody needs information (or software) from the outside world and then the company must (and should) provide the necessary tools in order to do a thorough virus check. And if these tools are not provided (= purchased) by the management then they (= the management) are responsible.
Or do you find it normal that employees bring their own virus scanners to the working place in order to protect their work against viruses?

BTW it has already happened to me that floppy disks with video drivers which came straight from the distributor contained the Little Red virus.

If you want you can come down to our place and try to convince our IT management that a good virus scanner with regular updates is a good investment. I stopped trying to convince them of this fact.

Best regards,
Peter Beersmans
petbeer@innet.be

------------------------------

Date: Mon, 05 Aug 1996 18:12:06 -0400
From: Bill lambdin
Subject: Re: Lambdin's ADINF Post
X-Digest: Volume 9 : Issue 133

>Your Virus-L post in which the quotes below appear just makes
>matters worse for ADINF. You reveal just about everything except
>the name of the virus which this software allegedly does not detect.
>(You may as well tell us!) If you were really concerned about not
>embarrassing ADINF, all you had to do was to ask how you could

Mr. Rosenborg:

ADINF does NOT detect one type of virus. I know because I installed ADINF, and tried several various types of viruses. It is a fact not a hypothetical.

I will not disclose the type of virus that defeats ADINF because I do not want the virus writers to write dozens of new variants because this type of virus defeats ADINF.

You like to accuse me of embarrassing ADINF. By your two messages, you also have a responsibility in embarrassing the authors of ADINF, by keeping this issue going.

If you have questions of me, you know my E-Mail address. I refuse to waste any more bandwidth on this issue here.
Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Mon, 05 Aug 1996 23:42:04 -0500 (EST)
From: "Rob Slade, doting grandpa of Ryan & Trevor"
Subject: Quick reference antiviral review chart
X-Digest: Volume 9 : Issue 133

QUICKREF.RVW 960804

Quick reference antiviral review chart
maintained by Robert M. Slade

This listing is intended to give a quick overview guide to the comparative features and effectiveness of the many different antiviral products. If the version numbers are out of date, please send updated copies for review to Rob Slade at the address given at the end of this list.

The companion files "Antiviral Software Evaluation FAQ" (AVREVIEW.FAQ) and "Antiviral contacts listing" (CONTACTS.LST) provide additional related information. All three files are available in the Computer Virus SIG of the Victoria (BC, Canada) Freenet (telnet://guest@freenet.victoria.bc.ca and give the command "go virus").

(This file is the basis for Appendix B of "Robert Slade's Guide to Computer Viruses".)
Product Ver Type UI Doc Ease Ovrl Price Comments
SDRIMOE CG 1-4 I U 1-4

Amiga

BootX (discontinued) 5.23 SDRM G free amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu /mirrors2/amiga.physik.unizh.ch/util/virus
Computer Malware B.9508 info 4 4 Free VTC, cert
LDV 1.73
VirusChecker 6.26 free amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu
VirusZ 3.06
Virus Tracker 2.45
ZeroVirus

Atari

Chasseur II D ATCHSSR2.RVW atari.archive.umich.edu
FCHECK 25 I ATFCHECK.RVW atari.archive.umich.edu
Protect6 DR ATPROTCT.RVW atari.archive.umich.edu or larserio@ifi.uio.no
Sagrotan 4.12 S ATSAGRTN.RVW atari.archive.umich.edu
VIRUSDIE S ATVIRDIE.RVW atari.archive.umich.edu
Computer Malware B.9508 info 4 4 Free VTC, cert
VKILLER 3.84 SD ATVKILLR.RVW woodside@ttidca.com or atari.archive.umich.edu /atari/Utilities/Virus

Mac

Computer Malware B.9508 info 4 4 Free VTC, cert
Disinfectant 3.6 SDR Free nwu, sumex-aim.stanford.edu, mac.archive.umich.edu
Gatekeeper 1.3 R MO Free (no longer supported) Chris Johnson
Rival Microseeds Publishing
SAM 5 SD M $99 Symantec/Norton
Virex 4.5.5 (see MS-DOS, product not by same author)
VirusDetective 5.10.5 Jeff Shulman

MS-DOS

AntiViral ToolKit 2.2 SDRI $59.95 KAMI, various agents
Antivirus (IRIS) SDR M C 2 2 4 2 $49 PCANTIVR.RVW Fink Enterprises
Antivirus-Plus SDR M C 2 2 4 2 $99 PCANTIVP.RVW Trend Micro
AVAST! 7.50 SDRIMO CG 3 3 2 3 PCAVAST.RVW ALWIL Software
Computer Malware B.9508 info 4 4 Free (note also CARObase VTC, cert and CMB)
Data Physician + 4.01 SDRIM C 2 2 2 2 PCDATPHS.RVW Digital Dispatch
DISKSECURE 2.42 IM C 2 3 3 4 BSIs only risc, urvax, eugene cf also FixMBR, FixUTIL PCDSKSEC.RVW SafeMBR, CHKSMBR, CHKMEM, CHKBOOT in FixUtil etc. are free
Dr. Sol. AVToolkit 7.62 SDRIMO CG 3 2 3 4 PCDSAVT.RVW S&S International Ltd., support@sands.co.uk, support@us.drsolomon.com
F-PROT 2.23a SDR CG 3 3 3 4 home - free, bus.
- $1/CPU sales@complex.is, risc, urvax, eugene, garbo PCFPROT.RVW
F-PROT Profession 2.22 SDRI CG 3 3 3 4 Data Fellows PCFPROTD.RVW Command Software PCFPROTC.RVW
Hoffman Summary 606 info G 3 3 $35 risc, urvax, eugene
HS 3.58 I C 2 2 2 3 $15 PCHS.RVW Stroem System Soft
HyperACCESS/5 S C 2 1 2 2 PCHA5.RVW, term program Hilgraeve with scanner
IBM Antivirus/DOS 2.4.1 SRDI CG 2 2 2 3 $35 PCIBMAV.RVW local IBM rep
Immune II 4.1 SD M CG 1 1 3 2 $40 PCIMMUN2.RVW Higher Ground Diagnostics (see also PC-Cillin)
Integrity Master 3.02a S I CG 4 3 3 3 $28 PCIM.RVW risc, urvax, eugene
LANProtect 1.1 S CG 1 2 2 2 Intel
Norton AntiVirus 3.0 SDRI G 2 3 2 3 $130 PCNRTNAV.RVW Symantec
PC-Cillin 5.02 SDRIM G 3 3 3 2 $139 PCCILL2N.RVW Trend Micro
Rising Anti-Virus M C 1 2 2 2 PCRAVC.RVW Rising Science and Technology Inc.
SafeWord Virus-Safe 1.12 I C 2 3 4 3 PCSAFWRD.RVW Enigma Logic
SIX (also BRECT) 3.08 I C 2 3 2 2 Free PCSIX.RVW DriftNet BBS +1-506-325-9002
Thunderbyte Utility 7.03 SDRIMOE C 2 2 3 3 $29 PCTBSCAN.RVW risc, urvax, eugene, garbo
VACCINE (WWS) 5.00 SD IMO C 2 1 2 2 PCWWSVCN.RVW The Davidsohn Group
VACCINE (Sophos) 9111 S I CG 2 2 2 3 PCSOPHOS.RVW
Untouchable 1.1 SDRIM CG 2 2 2 2 PCUNTUCH.RVW (unsupported?)
VDS 2.10T I CG 2 2 3 2 PCVDS.RVW risc, urvax, eugene
VET 9.0 SDRIM CG 3 3 3 3 PCVET.RVW Cybec
Victor Charlie 5.0 IM C 3 2 3 3 $99 PCVC.RVW Delta Base Enterprises
Virex-PC 2.96 SDRIM G 4 2 4 4 $49 PCVIREX.RVW Datawatch (VIRx now assumed under this product)
Virus0Buster 4.84 SDRIMO CG 3 3 3 4 PCVRBSTR.RVW Leprechaun Software (70451.3621@compuserve.com)
VIRUSCAN Suite 2.51 SDRIM C 2 2 2 3 ~$25/module risc, urvax, SIMTEL, garbo, mcafee.com PCSCAN.RVW
VirusNet PC SDRI CG 3 3 3 3 PCVIRSNT.RVW SafetyNet (See also F-PROT)
VirusSafe LAN 6.8 SDRI O CG 2 2 3 2 PCVIRSAF.RVW EliaShim Micro
Vi-Spy 14.0 SDR M CG 2 2 3 3 $150 PCVISPY.RVW RG Software Systems

OS/2

HyperACCESS/5 S C 2 1 2 2 PCHA5.RVW, term program Higraeve with scanner
IBM Antivirus/OS/2 2.4 SRDI CG 2 2 2 3 $35 PCIBMAV.RVW local IBM rep
SCAN/OS/2 Suite 2.22 SDRIM C 2 2 2 3 ~$35/module risc, urvax, SIMTEL, garbo, mcafee.com

UNIX

Computer Malware B.9508 info 4 4 Free VTC, cert
Tripwire I Free ftp.cs.purdue.edu pub/spaf/COAST/Tripwire
VirusScan/Solaris SD U$200/server risc, urvax, SIMTEL, garbo, mcafee.com

Key:

Type - S=scanner, D=disinfection (restoration of state), R=resident, I=integrity checking, M=activity monitor, O=operation restricting, E=encryption
UI - user interface - C=command line, G=menu or GUI

The following are based on a 1=poor - 4=excellent scale

Doc - documentation
Ease - I=installation, U=use
Ovrl - overall rating for general use

Sites:

VTC - ftp.informatik.uni-hamburg.de (134.100.4.42)
cert - virus materials now moved to cs.ucr.edu
eugene - eugene.utmb.edu (129.109.9.21)
garbo - garbo.uwasa.fi (193.166.120.5)
nwu - ftp.acns.nwu.edu (129.105.113.52)
risc - risc.ua.edu (130.160.4.7)
simtel - ftp.coast.net (mirrored at other places)
urvax - urvax.urich.edu (141.166.36.6)

For more detailed reviews see /pub/virus-l/docs/reviews at cert

For general virus info see the VIRUS-L/comp.virus FAQ at ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt

Please send updated versions of antivirals to Rob Slade
at 3118 Baird Road, North Vancouver, BC, Canada, V7K 2G6. Publishers shipping from outside of Canada are advised to label the materials as samples per GST section 215(1), without value and not subject to GST. Also please note that UPS seems to have extreme difficulty in getting shipments into the country. Neither Rob Slade nor V.I.R.U.S. take any responsibility for shipments delayed or refused at Customs for failure to follow these directions.

copyright Robert M. Slade, 1992-96 QUICKREF.RVW 960804

======================
roberts@decus.ca rslade@vcn.bc.ca slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Tue, 06 Aug 1996 14:57:00 -0500
From: Jonathan Williams
Subject: Re: What is the worst Virus?
X-Digest: Volume 9 : Issue 133

AgtMike wrote:

> Which virus is the most destructive and hardest to detect?

Hmmm...in my experience, the viruses which are hardest to detect are viruses which you don't know you have. In other words, ones which are not overtly destructive and thus don't prompt you to go looking for them. Of course, good on-access scanning software changes this equation somewhat.

Jonathan
jonvwill@iastate.edu

------------------------------

Date: Mon, 05 Aug 1996 18:02:56 +0000 (GMT)
From: Beth Young
Subject: Re: Fighting Macro Virus in Campus Labs (MAC,PC))
X-Digest: Volume 9 : Issue 133

Jonathan Williams (jonvwill@iastate.edu) wrote:

: Helpdesk wrote:
: > There has been a rapid increase of Macro virus infections on our campus.
: > Our labs are not staffed to deal with the problem, so we used Windows
: > batch utility to automatically replace NORMAL.DOT with the one from
: > the network server. This way the users will have a clean NORMAL.DOT to
: > work with every time they start Microsoft Word.
:
: A good start :)

We are doing a similar thing on our PC networks, which is working fine.
My question is about the Mac Platform since I have labs with both IBM and Mac. Is there a way to NOT let users start Word when they double click their document? I can spend hours going around to each machine and cleaning off the infected Normal document but I would like a way to prevent it.

Any help would be appreciated...

Beth Young
University of Missouri-Columbia
Campus Computing

------------------------------

Date: Mon, 05 Aug 1996 21:58:52 +0000 (GMT)
From: Gerald Pfeifer
Subject: Re: Information on NT A-V Software (NT)
X-Digest: Volume 9 : Issue 133

Graham Cluley wrote:

> Speaking for Dr Solomon's it makes no difference what platform you are
> using. We can offer an "all platforms" license where you choose which
> platforms of the Toolkit you use - it's irrelevant to us. [...]

FYI: Some four to five months ago I dealt with Dr Solomon's Germany and was repeatedly told that it was *not* possible to license some copies for one platform (Win 3.11) and later on migrate that license to another one (Win NT).

That's been one out of two reasons not to change my site license from F-Prot, the other being FindVirus silently switching to review mode.

Gerald (gerald@pfeifer.co.at in business)
- ----------------------------------------------------------------------------
. Gerald Pfeifer (Jerry) Vienna University of Technology .
. pfeifer@dbai.tuwien.ac.at http://fbma.tuwien.ac.at/~e9025064/ .

------------------------------

Date: Tue, 06 Aug 1996 11:54:24 +0000 (GMT)
From: Lucio Burroni
Subject: Norton Antivirus95 and Mcafee (WIN95)
X-Digest: Volume 9 : Issue 133

Is it possible to use Norton 95 and Mcafee for windows95 on the same pc? Please help me.
------------------------------

Date: Tue, 06 Aug 1996 15:09:32 -0400
From: Jeffrey Kaplan
Subject: Re: McAfee and multiple drive scans (WIN95)
X-Digest: Volume 9 : Issue 133

The Drazi were still poking the plant when Al Pollenz called C&C with this:

>Is there a way to have McAfee for Win 95 scan multiple drives on startup
>as opposed to the one drive you are allowed to put in the scan window?

Edit the .vsc file:

<--------------------->
[ScanOptions]
szScanItem=LocalDrives
<--------------------->

That will scan all your local hard- and floppy drives. I think if you want to scan a CD ROM, you will have to do that manually.

That works in the +current+ registered version, and probably in the current shareware version. In the previous versions, use the "scandrives.txt" method explained in the docs.

- -
ttul8r, Jeffrey Kaplan <*> PGP KeyID: 0x70c5a7cd at or Email

------------------------------

Date: Tue, 06 Aug 1996 21:20:33 +0000 (GMT)
From: John Davidson
Subject: Re: NAV blues (WIN95)
X-Digest: Volume 9 : Issue 133

Robert de Ridder wrote:

>In article <0012.01I7VYFI7T3WXZOCIK@csc.canterbury.ac.nz>,
>yoan@WorldLink.ca says...
>
>>I've been using Norton AV for Win95 for some time now, and have always
>>been happy with it, especially the Auto-Protect feature.
>>
>>This past month, when I went to get the July definition update, I found
>>that things had changed and that Norton now packaged the update into a
>>program called "Intelligent Updater".

I had the same problem, and in the end gave up. Symantec's tech support was mediocre, to say the least, and couldn't provide an answer.

The end came when I realised that NAV couldn't detect a whole range of virii that the docs and ads said it could.

In the end, I changed to Thunderbyte. Very pleased, and haven't had a problem since.
------------------------------

Date: Tue, 06 Aug 1996 15:46:06 -0700
From: Patrik Lemner
Subject: Friend needs virus help (WIN)
X-Digest: Volume 9 : Issue 133

I have a friend experiencing some (what we believe to be) virus problems. Today (Aug 6) he visited a homepage about the X-files (the TV-show). He didn't receive any data, instead his machine switched to the program manager (as if using Alt + Tab). After that he switched off his computer, and after restarting it his mouse is going crazy. When moving it, the icons start moving around and the computer shifts window (again as if using Alt + Tab). When starting Word, suddenly text in the documents start to move around (as if cut and pasted). Also the computer keeps making a beeping noise. After this he can't use Netscape, so he's not able to post this message himself.

I hope someone can help my friend, he's desperate.

Regards
Patrik Lemner, Sweden

------------------------------

Date: Mon, 05 Aug 1996 08:26:08 -0400 (EDT)
From: Karsten Ahlbeck <100554.2356@CompuServe.COM>
Subject: Re: Junkie seems to have eaten my mouse - help wanted (PC)
X-Digest: Volume 9 : Issue 133

HEGRE1 wrote:

>I used VET 95 to clean Junkie off the system, then some time later it the
>mouse stopped working in Windows, but not DOS.

First of all, always boot clean before trying to get rid of a virus. Then check your system after the cleaning to see that it is OK.

Junkie infects .COM and .EXE files. If your mouse.com was infected and then "cleaned", your AV product might not have done it correctly, therefore damaging the file. With an integrity checker, you can compare signatures before infection and after "cleaning" to see if it was restored 100%. If the file is altered/corrupted it might not work properly.

Anyway, this is more likely to be some other problem. When does it happen? Any special / new program(s) you run? You have to play detective.....and you probably will get more advice from this group!
Again, with a change-detection integrity checker you could check your hard disk regularly, and when a problem occurs just look into the report file and see if something happened before (a corrupted file, a new program installed and so on).

>I've read everything I can find on the Net about Junkie but don't see any
>reference to this mouse eating phenomenon - can anyone help?

Good! It is always nice to see "researching" done before posting "I (think) I have the XXX virus. Please help.".

>I've even reinstalled Windows to no avail.

Then your mouse driver should be OK. Might be a conflict with some program. But wait until you try reinstalling Windows again - it should be solved without having to do that...

> I've got low level technical knowledge so please be as plain as possible in
> your reply!

I hope I was :-) If not, do drop me a line. If you can not solve this problem, drop me a line too.

Yours Sincerely,
Karsten Ahlbeck
Karahldata
Swedish Integrity Master Agent

------------------------------

Date: Mon, 05 Aug 1996 13:38:08 +0000
From: Jack Clark
Subject: Re: quicksilver virus (PC)
X-Digest: Volume 9 : Issue 133

Mattias wrote:

> I recently got the quicksilver.1376 virus and I can't get rid of it.
> MacAfee scan removes it from files but it is there again when I've run
> something else. One message MA scan reports is that it can't read the
> boot sector. Is this made so by the virus? How should I do to get rid
> of this stupid virus? Is it time delayed? Give me any info about the
> v.

Go to an S&S files area (see sig below) and download the evaluation copy of Findvirus. Cold-boot from a clean Dos disk, and run

FINDVIRU /lOCAL /REPAIR

and after a short time, you're clean. Then check all your floppies. Various other antivirus products would be able to do the job for you, I should think.

Here's some information on Quicksilver as requested.
Quicky.1376

Aliases: Quicksilver, Quickie, V.1376

Description: Quicky is a memory-resident file infector, infecting EXE files which begin with the characters 'MZ' - but not EXE files which begin with 'ZM'. The virus is encrypted.

The virus intercepts interrupts 21h (DOS functions 4B00h - execute and 3Eh - close) and 13h (disk i/o). It also introduces two of its own functions on Int_21h - C001 and C002, which change its behaviour. The first turns off the virus int_13h code, the second turns it on.

The virus has the following string contained within itself:

"CHKLIST.TAVANTI-VIR.DATCHKLIST.MS"

This string represents the filenames of files created by various anti-virus products. Quicky deletes these files.

Jack Clark                          CompuServe: GO DRSOLOMON
On-line Technical Specialist,       C-serve ID:74777,2333
Dr Solomon's Anti-Virus Toolkit.    AOL: JackClarks
Email: Jclark@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 05 Aug 1996 13:38:06 +0000 (GMT)
From: replicant
Subject: Re: Definition of Form virus (PC)
X-Digest: Volume 9 : Issue 133

This virus is definitely NOT dangerous. The only "payload" it has is, as you said, a keyboard beep thing. I've had it lots of times, and it's not a problem.

------------------------------

Date: Mon, 05 Aug 1996 15:54:20 +0000 (GMT)
From: Gene Wirchenko
Subject: Re: Virus Standards for a 5 pc network (PC)
X-Digest: Volume 9 : Issue 133

Bruce Burrell wrote:

And a devil's advocate leaps out from ambush attacking Mr. Burrell and knocking him into the tulies. The hard teeth of counterargument rip out Bruce's throat...

>ruben@ralp.satlink.net wrote:

[skip]

>> Most users will detect this and will change it again to boot sequence A:
>> C:.
>
> Why would they want to change it? If the floppy is skipped as a boot

Think of bypassing security which just gets in the way anyway.

>drive, the system starts faster. All pure Boot sector Infectors are
>prevented.
>Moreover, I doubt most folks would notice that the boot
>sequence skips the floppy unless they actually *want* to boot from floppy;
>I bet that's pretty rare.

Not with someone who thinks he knows better than "those twits in MIS", but doesn't. "What harm could a boot from floppy do? I KNOW I don't have any viruses. Others may have that problem, but I sure don't. And this is a useful program."

> Or am I missing something? I can imagine a potential problem if one
>password-protects the CMOS settings, but that's a different issue.

Wouldn't that be an ADVANTAGE if the boot sequence is protected by password?

> -BPB

And the devil's advocate slowly wends his way back to his cave dragging the victim's body behind him...

Sincerely,
Gene Wirchenko

C Pronunciation Guide:
y=x++; "wye equals ex plus plus semicolon"
x=x++; "ex equals ex doublecross semicolon"

------------------------------

Date: Mon, 05 Aug 96 13:14:05
From: richardb@intecolor.com
Subject: Re: Help: The bad sectors in my NEC HD are growing! (PC)
X-Digest: Volume 9 : Issue 133

On Tue, 30 Jul 1996, Sung Moo Yang was heard to mutter:

>"Chengi J. Kuo" wrote:
>>eike writes:
>>>Chia-yin Shih (chiayin@u.washington.edu) wrote:
>>>: Even if I do ScanDisk immediately after I just finish one, the number of
>>>: clusters containing bad bytes will still increase. This abnormal thing
>>>: does not happen to my other two hard drive (one Maxtor and one
>>>: Samsung), so I think it should be the NEC drive which has gone wrong.
>
>..
>
>>This is a good assessment. Generally, if the head is terribly misaligned
>>or failing (almost scratching the disk), any new place it writes to is a
>>new bad sector.
>>
>>So, as soon as you can, use it only to read whatever data you have and
>>back it up.
>
>I never knew that hard disk drive's head can physically touch and scratch
>the disk.
However, It not clear that if the mis-alignment of head causes >bad sector, FAT should also have been damaged as the head scrached on FAT >area; but it appears to be fine. > >Is it possible that the mis-alignment can affect rear part of disk? I really think that this is a dead issue. We have heard nothing back from the original poster. If that person is still reading the list, could you please tell us your results? I still think that DM from Ontrack would have made sure that you DID NOT see this problem, but we seem to be working in a vacuum. All the hypotheses concerning failed hard drives, bad heads, bad cables, and (my own) IDE/EIDE confusion issues are moot if we don't find out if the poster tried any of our brilliant suggestions. If anyone knows the resolution that ACTUALLY WORKED for this poster, please let us know and free us from this Gordian Knot of tech support. Sometimes, we're more helpful than the problem deserves. This post, and it's seemingly endless replies could be developing a life of their own. Something for the AI people to ponder :-) -RL Bodor Rockwell Automation ------------------------------ Date: Mon, 05 Aug 1996 17:21:04 -0400 From: Mike Swain Subject: Immune II (PC) X-Digest: Volume 9 : Issue 133 I was in Computer City today and saw this AntiVirus program named Immune II. It looked interesting, made claims that no computer running it had ever been infected, had the usual assortment of magazine reviews on the side, and claimed that it used artificial intelligence to figure out weather a file was a virus or not and so didn't need any upgrades. Of course, the part that caught my attention was that it was only about $30 or so. Has anybody heard of this? Is it reliable and easy to use. I still have an old version of MS AntiVirus that came with my computer, don't think its that reliable anymore. I'd like to upgrade and if anybody thinks this is a good chioce please reply. If not, what do you think is a good AV program for around $30 or so? 

------------------------------

Date: Tue, 06 Aug 1996 09:45:19 +1100
From: Jaime Metcher
Subject: Re: Virus Standards for a 5 pc network (PC)
X-Digest: Volume 9 : Issue 133

ruben@ralp.satlink.net wrote:
> Tue, 30 Jul 1996 10:40:39 +0100 "David W. Hanson"
> wrote:
>
>
> Most users will detect this and will change it again to boot sequence A:
> C:.

Are we talking about protection from viruses, or from _users_? What
about the guy with the axe? Or a surreptitious cup of coffee in the
keyboard?

- -
Jaime Metcher
Systems Programmer (i.e. plugger-in of printers and replacer of toner)
University of Queensland, Australia.

------------------------------

Date: Tue, 06 Aug 1996 01:38:45 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Virus that hides in bad sectors? (PC)
X-Digest: Volume 9 : Issue 133

Ken Stieers (kstieers@ontrack.com) wrote:
> If I remember correctly, Form marks some sectors bad at the end of the
> drive which is where the note about Corinne is stored.

No marking of the FAT, according to my disassembly; FORM stores this on
the last two physical sectors of the drive, not counting the diagnostic
cylinder. Since that sometimes isn't even part of the DOS partition, why
even try to adjust the FAT?

A minor quibble, at most. Still, since nobody else responded....

-BPB

------------------------------

Date: Mon, 05 Aug 1996 19:00:13 -0500
From: Nicholas Fowler
Subject: not sure if i cleaned stealth_c (PC)
X-Digest: Volume 9 : Issue 133

Here's the story. I installed McAfee's antivirus utility for windows
'95. It scanned my memory for viruses and reported that Stealth_C virus
was found. It told me to reboot with a clean diskette, and run virus
scan. I rebooted with a diskette (questionably clean, since i'm not sure
where or when the virus came from). My hard disk uses maxblast software
that allows me to access all of my 1.3 gig hard disk. The program loads
before the operating system. To boot from a floppy i was supposed to hit
the space bar after it loads.
I didn't and it still loaded but i wasn't able to go to the c: because
the maxblast software had not loaded. I then rebooted, without a floppy
boot disk, and the maxblast software would not load, and the computer
locked up. I used the floppy boot disk to at least allow myself access
to the computer. I used a copy of the maxblast software to make a boot
disk that loads the maxblast software and then allows me to use another
boot disk to load the operating system. After booting from the maxblast
boot disk and a normal boot diskette i ran SCAN from the hard disk. It
reported the virus was in memory again but would not clean it and told
me to boot from a clean floppy. Seems i didn't have a clean floppy and
could not possibly check without infecting them. So, in order to use my
hard drive normally i used the maxblast software to reinstall it to my
hard disk. I believe it copied its "stuff" to the MBR. Possibly
replacing the infected MBR. Anyhow, the next morning i ran the SCAN
again and it didn't find anything in memory or on my hard disk. I did
find the virus on four or five floppies i had used. So my question, do u
think i got rid of the virus or is it just hiding or something? Should i
get some truly clean disks and try to find it? Sorry bout the long
message but i wanted to be sure to get a clear answer.

thanx
nicholas fowler
dfowler@ecsis.net

------------------------------

Date: Tue, 06 Aug 1996 13:07:26 +0800
From: bh0926942@omega.ntu.ac.sg
Subject: Re: HLLC.Crawen.8306 virus (PC)
X-Digest: Volume 9 : Issue 133

In article <0019.01I7S4S7ZCDKXZOCIK@csc.canterbury.ac.nz>, Luca Bismondo writes:
> my Win95 System was infected by HLLC.Crawen.8306 virus that McAfee and
> Norton can't get away. It Infects all *.COM files and it will destroy my
> software in a while if somebody don't help me. So, please, if someone
> knows how to do with it reply to my help request at:

Learn more abt the virus b4 u do anything. Try getting the latest
version of F-prot which should be ver 2.23.
That may help. If u're desperate...logon to IRC and go to #virus and ask
for help!

------------------------------

Date: Tue, 06 Aug 1996 08:13:33 -0700
From: "Richard D. Steinbock"
Subject: Concept Question (PC)
X-Digest: Volume 9 : Issue 133

Can anyone tell me which software programs can best deal with the
Concept virus? We have several computers infected, and have tried F-prot
& McAfee for Windows to no avail.

Your help is appreciated.

------------------------------

Date: Tue, 06 Aug 1996 11:30:54 +0000
From: "Mary f (Pud)"
Subject: Help, What is this virus? (PC)
X-Digest: Volume 9 : Issue 133

Well I've been reading posts and FAQs and I can't quite figure out what
this virus is. My husband found it on a client's machine, and to him
it's the nastiest virus he's ever seen. As soon as the AV program
detects one virus and deletes it, another one pops up (i.e., Monkey B
was one of the viruses that came up and then there are other "different"
ones). It resides at the CMOS level. He's pretty sure, with all the AV
scanners he has that he'll be able to get rid of it (It's trashed the
hard drives, but he can figure that one out too). But we just wanted to
know what the name of this thing was. TIA.

- -
Mary f

------------------------------

Date: Tue, 06 Aug 1996 17:59:54 +0000 (GMT)
From: Andrew Wing
Subject: Re: Virus Standards for a 5 pc network (PC)
X-Digest: Volume 9 : Issue 133

Bruce Burrell (bpb@stimpy.us.itd.umich.edu) wrote:
: > Most users will detect this and will change it again to boot sequence A:
: > C:.
:
: Why would they want to change it? If the floppy is skipped as a boot
: drive, the system starts faster. All pure Boot sector Infectors are
: prevented. Moreover, I doubt most folks would notice that the boot
: sequence skips the floppy unless they actually *want* to boot from floppy;
: I bet that's pretty rare.

Especially in a lab situation.
Most of the infections we get are due to machine lockups followed by a
user reboot with their infected data disk still in drive A. If a user
really does want to boot their disk, they will probably have a game that
we don't allow in our lab anyway.

- -
Politics is not the art of persuasion, it's the science of selfishness.
Big Brother isn't watching you, you're watching Big Brother,all 181 channels
"Speeding down the misinformation superhighway"
Andy Wing
agwing@astro.ocis.temple.edu
awing@thunder.ocis.temple.edu

------------------------------

Date: Tue, 6 Aug 1996 15:47:11
From: Computer Renaissance
Subject: CMOS_DEATH Info (PC)
X-Digest: Volume 9 : Issue 133

Anyone have info on the CMOS_DEATH virus? F-prot 2.23a is the only
scanner to find it (McAfee finds it as an unknown boot sector virus),
but contains no info in its virus files.

------------------------------

Date: Tue, 06 Aug 1996 16:00:03 -0500
From: A Bruce Peck
Subject: Rebrick Virus (PC)
X-Digest: Volume 9 : Issue 133

A user department in our company sent a laptop PC to Compaq for repair
and received a fax back from Compaq indicating that the PC had a virus
called "REBRICK" but sent no other information. I have looked at several
virus databases and cannot find anything listed with that name. Does
anyone know of this virus? Is it more commonly known under another name?

Bruce_Peck@aici.com

------------------------------

Date: Tue, 06 Aug 1996 20:57:57 -0400
From: Loner
Subject: Ghost of DRIVE C: (PC)
X-Digest: Volume 9 : Issue 133

I think I have a ghost in my hard drive, or a stinking little virus.
Well, first my WINDOWS 3.11 HAD A VISIT FROM THE GHOST. Every single
Icon disappeared. The programs were still in the hard drive but no
icons. Other programs started to have problems too. Every time I
rebooted something else was fuc*ed up!. So I decided to reformat the
hard drive.
Well to my surprise fdisk (and other diagnostic progs) stated that my
hard drive's capacity was 503Mb, yet my bios recognized its true cap. at
561Mb. I think a virus infected my boot sectors and/or partition tables.
I have the newest version of McAfee VirusScan and of course no virus was
detected. I tried putting a drivparm statement in my config.sys but
nothing changed. I read a book that said the command "FDISK /MBS
(MBS=MasterBootSector) " would compare partition tables with BIOS. But
the extension is not valid. So I reformatted to 503Mb capacity. After
installing Win95 twice I got it to stop losing icons. Things seem to run
satisfactorily now but I'm still missing 58Mb of HD. This virus also
seems to like my mouse because after I reformatted my HD my mouse was
still working before I even installed it! If anybody knows a ghost
buster who can aggressively remove this sucker please E-Mail me. Any
tips will be GREATLY APPRECIATED!!!!!!!!!

------------------------------

Date: Wed, 07 Aug 1996 18:21:29 +0800
From: Uncle Gazzer
Subject: V-Hunter AV software (PC)
X-Digest: Volume 9 : Issue 133

Anyone heard of V-Hunter Anti-Virus Software? I just tried to download
it and PC-Cillin informed me that it was infected with the FUNE-921
virus.

Since Pc-cillin didn't elaborate, does anyone know what this virus does
(or even if it's a false alarm)?

Here endeth the lesson that you should ALWAYS scan incoming files from
the net.....

Gary

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 133]
******************************************