VIRUS-L Digest Thursday, 8 Aug 1996 Volume 9 : Issue 134 Today's Topics: Re: About need of 'clean' booting before scanning process Re: About need of 'clean' booting before scanning process Re: Management's response to computer virus threat? Re: Lambdin's ADINF Post Re: Trojan Horses. Need Information Symantec's BBS Re: Bad AV software Re: Management's response to computer virus threat? Re: Theory Re: What is the worst Virus? Perosnal attacks in comp.virus re: Lamdin's ADINF post Re: What is the worst Virus? Re: Fighting Macro Virus in Campus Labs (MAC,PC)) Re: Norton Antivirus95 and Mcafee (WIN95) Re: Norton Antivirus95 and Mcafee (WIN95) Re: help! never ending directories (WIN95) Re: NAV blues (WIN95) re: Possible Virus - Excel as Victim (WIN) Re: Friend needs virus help (WIN) Re: Help, What is this virus? (PC) Re: CMOS_DEATH Info (PC) Re: Definition of Form virus (PC) Re: Immune II (PC) Re: Virus Standards for a 5 pc network (PC) Re: Concept Question (PC) Re: Help, What is this virus? (PC) Re: Concept Question (PC) Re: quicksilver virus (PC) Re: Virus Standards for a 5 pc network (PC) Re: CMOS_DEATH Info (PC) ANTIEXE using McAffe (PC) MSAV update (PC) Re: NAV install (PC) Re: Junkie seems to have eaten my mouse - help wanted (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. 
The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu. Nick FitzGerald ---------------------------------------------------------------------- Date: Wed, 07 Aug 1996 14:35:37 +0000 (GMT) From: Richard Evans Subject: Re: About need of 'clean' booting before scanning process X-Digest: Volume 9 : Issue 134 Chris Quirke (cquirke@iafrica.com) wrote: : 3 possibles; : : 1) Ctrl-Alt-Del is survivable; use Reset button or power off : 2) Check CMOS A: definition on the way in, if set to "None", HD will : get there first and "pretend" to boot off A: (also boot order : must be A:,C:) : 3) Make sure you aren't booting off a LAN card Is the Reset button realy enough ?? Does it realy reset everything, or does it just trigger some interupt that a virus could intercept and Fake ?? I always switch the computer rite off, as I'm not sure about this one. Anybody know for cirtain ?? Richard. ------------------------------ Date: Wed, 07 Aug 1996 15:53:31 +0000 (GMT) From: Jon Rouse Subject: Re: About need of 'clean' booting before scanning process X-Digest: Volume 9 : Issue 134 Gerard Mannig wrote: >Besides this, I had to confess I have been somewhat misleading in my >statements and that's why I tried to exchange private Emails with Iolo >Davidson, my main contradictor. It appears that war between France and >Great Britain restarts You are not alone if you have crossed swords (or perhaps it should be guns) with Iolo. I responded with a perfectly innocent question to him on another matter, and my post was rejected. I think he has a filter that rejects all mail! Anyway he's welsh, not English, so doesn't really count. - - Usenet comments do not necessarily reflect the views of my employer. 
[Moderator's note: That's probably enough xenophobia in this thread...] ------------------------------ Date: Wed, 07 Aug 1996 17:33:53 +0000 (GMT) From: Iolo Davidson Subject: Re: Management's response to computer virus threat? X-Digest: Volume 9 : Issue 134 In article <0008.01I80A9JMIIKXZOX31@csc.canterbury.ac.nz> danjes@cris.com "Jess Daniels" writes: > Gene Wirchenko wrote: > > >Cragjock wrote: > >>However, the main responsibility, in my > >>opinion, continues to reside with the users / employees and NOT the > >>management. > > > > Why not? Whose computer is it? If they don't particularly care, > >why should the users and employees? What if the users and employees > >don't know about effective AV? > > I'm afraid I've got to go along with Cragjock on this one. No matter how > good your AV program is and how well all users and employees are trained > in the use thereof, nothing short of constantly looking over their > shoulders is going to keep some of them from trying to circumvent the use > of said AV program. Well, they can try, but some Network based AV products (Like Dr. Solomon's) have enforcement built in. Disable the workstation module, and the server module knows about it, reports it, and can stop you logging on. - - ON A HIGHWAY AD NOW GLAD HE HE SPIED IT TRIED IT BOUGHT A JAR Burma-Shave ------------------------------ Date: Wed, 07 Aug 1996 17:40:56 +0000 (GMT) From: Iolo Davidson Subject: Re: Lambdin's ADINF Post X-Digest: Volume 9 : Issue 134 In article <0006.01I80A9JMIIKXZOX31@csc.canterbury.ac.nz> danjes@cris.com "Jess Daniels" writes: > Yeah, and are you a mathematician with a six line PGP sig on AOL? A PGP signature is not a "sig". It is a validation code that is unique to the message to which it is attached. - - ON A HIGHWAY AD NOW GLAD HE HE SPIED IT TRIED IT BOUGHT A JAR Burma-Shave ------------------------------ Date: Wed, 07 Aug 1996 17:45:40 +0000 (GMT) From: Iolo Davidson Subject: Re: Trojan Horses. 
Need Information X-Digest: Volume 9 : Issue 134 In article <0003.01I80A9JMIIKXZOX31@csc.canterbury.ac.nz> coaxial@diana.cps.unizar.es "Miguel Angel Pina Lanuza" writes: > We are Students of Informatic Science in Spain. > We need all information about Tojan Horses virus. Not sure what you are asking for. A trojan horse is not a virus, and there is no virus that is called by that name. A trojan horse is a program that does something (usually destructive) other than what the user has been lead to expect. It does not reproduce, which is what sets it apart from viruses. Sometimes a destructive payload routine in a virus is called a trojan, but I think most people avoid that usage now, because it is confusing. - - ON A HIGHWAY AD NOW GLAD HE HE SPIED IT TRIED IT BOUGHT A JAR Burma-Shave ------------------------------ Date: Wed, 07 Aug 1996 15:06:40 -0400 (EDT) From: Nicholas L Greene Subject: Symantec's BBS X-Digest: Volume 9 : Issue 134 Does anybody know the BBS number for Symantec??? My local isp is down for a few days and I would like to have the August virus definition files for NAV95. The last time I downloaded them from their web page they were corrupt and I had to reinstall NAV. Thanks, Nicholas Greene ------------------------------ Date: Wed, 07 Aug 1996 20:51:38 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Bad AV software X-Digest: Volume 9 : Issue 134 Jess Daniels writes: [In response to, I think Bill Lambdin] >>I should know. I bought the wrong A-V software twice. Neither program >>performed as advertized, and I paid the price by losing data that could >>not be replaced. > >Haven't we all? How many software programs of any kind *really* perform as >advertised? Frankly, most products perform as advertised. But what it says and what you expect are not necessarily the same thing. >I have no opinion concerning your body temperature, however I happen to >believe that anything (silly boy) should perform as advertised. 
Let's take another question in this forum about the advertising for a new product. The advertising says that no computer running that product for the last four years (or something like that) has ever been infected by a virus. I'll bet they even have proof of this. (See that computer in the corner of the lab? It's been running XYZ for 4 years.) But what was your expectation when you read that advertising? Advertising, in general, must be factual. Or you'll get sued (Want a Harrier jet for $100grand?). But often times, "the truth and nothing but the truth" doesn't sell very well. Always look upon others' words with a healthy dose of suspicion. It is often more important to understand why something is said than the actual words themselves. (Ooooo...) Jimmy cjkuo@mcafee.com PS. No computer viruses ever infected a machine running DOS 1.0. Furthermore, if you ran DOS 1.0, your chances of ever catching a computer virus are inifinitesimal compared to if you ran Win95 or NT. If you saw an advertisement like this, would it be meaningful? Would you buy it? ------------------------------ Date: Wed, 07 Aug 1996 21:10:53 +0000 (GMT) From: Bruce Burrell Subject: Re: Management's response to computer virus threat? X-Digest: Volume 9 : Issue 134 Jess Daniels (danjes@cris.com) wrote: > Gene Wirchenko wrote: > >Cragjock wrote: > >>Management , and corporations in geeral, have responded to the growing > >>problem of viruses in the workplace with tighter controls on media (i.e. > >>disks brought in from the "outside"), limiting Internet access to users > >>who are aware of the virus problem, and education / training to the > >>employee community at large. However, the main responsibility, in my > >>opinion, continues to reside with the users / employees and NOT the > >>management. > > > > Why not? Whose computer is it? If they don't particularly care, > >why should the users and employees? What if the users and employees > >don't know about effective AV? 
> > I'm afraid I've got to go along with Cragjock on this one. No matter how > good your AV program is and how well all users and employees are trained > in the use thereof, nothing short of constantly looking over their > shoulders is going to keep some of them from trying to circumvent the use > of said AV program. If you turn this into an "us versus them" issue, with "us" being employees and "them" being management/tech support/training staff, then nobody wins except those who want viruses to spread. It has to be a cooperative effort, with "them" being those who write and distribute viruses, and "us" being everyone else. With that in mind, we at the University of Michigan try to foster an atmosphere of non-blame for virus incidents, assuming no malice was involved. If, as some have stated here or elsewhere, someone who gets infected is at risk of losing one's job or computer privileges, then the logical conclusion is that infections won't get reported, and the problem will get out of hand more easily. Here, we attempt to resolve the problem as quickly and safely as possible, and try to educate the user or depart- ment so that future incidents are less likely. So far (seven years or so), this has works out very well. To my way of thinking, firing someone for not following Standard Operating Procedure with regard to viruses is overly harsh. If this is repeated behavior, then there are probably other good reasons why this person should be dismissed, or errors in the protocols in place. Gotta be a cooperative effort. -BPB ------------------------------ Date: Wed, 07 Aug 1996 21:34:10 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Theory X-Digest: Volume 9 : Issue 134 x@ns.net writes: >On 4 Aug 1996 06:34:37 -0000, Cragjock wrote: > >>The same people who write viruses develop and sell antivirus software? >>(Just like "The Net"). Whadya think? > >Could be, but I don't think so. If they were even caught once, their >company would go down in flames. 
Besides, there are enough knuckle >heads out there writing viri that it isn't really necessary for the AV >people to do it, is it? Actually, there are people who write viruses and distribute antivirus software. We refer to them as the "Mark Ludwigs" of the world. And there are people who sell viruses and sell antivirus software. There are all kinds. But most of us that you see here do not. I'd rather be playing tennis or volleyball, or Pipe Dream. I'd rather be able to bask in the sun instead of sleeping through it. Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 07 Aug 1996 21:41:31 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: What is the worst Virus? X-Digest: Volume 9 : Issue 134 Bill lambdin writes: >AgtMike writes >>Which virus is the most destructive and hardest to detect? > >New viruses that use the following techniques are hard to detect when they >are resident. > >Fully stealthed >Tunneling >Sector level stealthed Bill, have you forgotten what "memory detection" and "boot clean" mean? The hardest viruses to detect are the ones you have to do before you can go home that evening/night/morning. The later it gets, the harder they are. The most destructive are the ones that crash the system right away because the user can't use his computer. :-| Jimmy cjkuo@mcafee.com ------------------------------ Date: Wed, 07 Aug 1996 19:13:56 -0400 From: Sandy Jankowski Subject: Perosnal attacks in comp.virus X-Digest: Volume 9 : Issue 134 I suggest to everyone's consideration that this forum contains much more personal attacks than is desired by most of those who come here. I made 2 such submissions myself today. I would prefer that no space be devoted to such messages. I would be pleased if my messages, and all such messages, were to be bounced from now on. (!) Instead I should like to see dispassionate exchanges of information and ideas. 
Recently the moderator solicited our preference regarding the amount of commercial content for messages in this forum. I would be pleased if he were to do so on this matter as well. Perhaps I am not the only one who feels this way. I should like to take this opportunity to thank the moderator for all he does on our behalf. Moderating is a thankless job. I mean this literally. When someone is upset s/he says so, usually emphaticly. When we are pleased we accept it as our right and as the norm, with no thought of all the work that goes on behind the scene. Thanks, Nick. I appreciate all you, and Ken before you, have done to make this such an excellent forum. I have only the faintest inkling of what you put up with -- and I intend to keep it that way! There is no way I want your job. I just want to enjoy the fruits of your frustrations. Again, thanks. ------------------------------ Date: Wed, 07 Aug 1996 19:10:39 -0400 From: Sandy Jankowski Subject: re: Lamdin's ADINF post X-Digest: Volume 9 : Issue 134 MRosenborg@aol.com writes: >I'm really getting fed up with the pretension of Mr. Lambdin. [snip] >I'd like Mr. Lambdin to publicly state his >qualifications as an antivirus researcher. Perhaps his stature is so >exalted as to make his arrogance and condescension understandable (in >which case I offer my humble apology). > >Regards, > >Mike Rosenborg > >M.S., Mathematics I suggest to Master Rosenborg that the tone of his message, including his signature, is far more pretentious than Mr. Lambdin's message. I could sign this as B. Math. and mention that I am a product of the University of Waterloo's computer science program. However I should not do so. It would imply that I know a great deal about computer viruses and/or anti-viral software and/or pretentious conduct, and thus have academic qualifications to make such comments. Unfortunately my studies do not so qualify me. I can say that I have observed Mr. Lambdin's work over a number of years. I submit that Mr. 
Lambdin is knowledgeable in the subjects of computer viruses and of the relative merits of software whose purpose is to reduce the threat of computer viruses. I am willing to accept for the purposes of discussion that Master Rosenborg is knowledgeable in the area of computer viruses. Based on what I have seen to date I am not willing to admit that Master Rosemborg has any special qualifications to discuss the merits of anti-viral software packages. It is quite evident Master Rosenborg should be qualified to discuss pretentious messages. Unfortunately this is not, to my knowledge, the purpose of this forum. [Moderator's note: I think this whole aspect of this thread is off-topic, so those interested in continuing it should do so in Email.] ------------------------------ Date: Wed, 07 Aug 1996 22:12:03 -0400 From: Bill lambdin Subject: Re: What is the worst Virus? X-Digest: Volume 9 : Issue 134 jonvwill@iastate.edu> writes >Of course, good on-access scanning software changes this equation >somewhat. I do not particularly care care for resident A-V software because they are succeptible to the following types of viruses. Fully stealthed sector level stealthed Tunneling Bill Lambdin - -------------------------------------------------------------------------- vfreak@skn.net PGP fingerprints 9C CD 47 F3 C7 65 CA 33 102524.2206@compuserve.com C7 7D 69 8B 26 0C F8 08 ------------------------------ Date: Wed, 07 Aug 1996 21:24:19 +0000 (GMT) From: Bruce Burrell Subject: Re: Fighting Macro Virus in Campus Labs (MAC,PC)) X-Digest: Volume 9 : Issue 134 Beth Young (ccbeth@cclabs.missouri.edu) wrote: [stuff re: NORMAL.DOT on PC networks snipped] > My question is about the Mac Platform since I have labs with both > IBM and Mac. Is there a way to NOT let users start Word when they double > click their document? I can spend hours going around to each machine > and cleaning off the infected Normal document but I would like a way to > prevent it. 
I'm not sure why you *want* to prevent users from double-clicking to load. Perhaps you want Word to create the Normal doc each time it starts, so it's clean? (I haven't played with this on the Mac side; please forgive the speculation.) If that's really the case, you could change Word's TYPE to something other than MSWD; then docs wouldn't know what application to launch when double-clicked. Another possibility would be to use RESEDIT to monkey around with the file types WORD recognizes. Not sure if this helps; I'll look into it further if nobody provides a better answer and you email me with exactly what you want to do. -BPB ------------------------------ Date: Wed, 07 Aug 1996 21:49:16 +0000 (GMT) From: "Chengi J. Kuo" Subject: Re: Norton Antivirus95 and Mcafee (WIN95) X-Digest: Volume 9 : Issue 134 Lucio Burroni writes: >Is possible to use Norton 95 and Mcafee for windows95 on the same >pc. You can use the scanners together. But you should only use one VxD. However, if you use a VxD, the "other" company's scanner won't cooperate with the VxD. At which point, you should stick with the one set. Jimmy cjkuo@mcafee.com ------------------------------ Date: Thu, 08 Aug 1996 00:03:28 +0000 (GMT) From: Shane Coursen Subject: Re: Norton Antivirus95 and Mcafee (WIN95) X-Digest: Volume 9 : Issue 134 In article <0017.01I80A9JMIIKXZOX31@csc.canterbury.ac.nz>, LUCIOBUR@ATS.IT says... >Is possible to use Norton 95 and Mcafee for windows95 on the same >pc. Yes, the programs will get along just fine. It's their TSR/VxD portion that would probably cause a conflict - but only if both reside in *memory* at the same time. - - Shane Coursen scoursen@symantec.com http://www.symantec.com/avcenter Computer Virus Researcher Symantec AntiVirus Research Center ------------------------------ Date: Thu, 08 Aug 1996 01:38:50 +0000 (GMT) From: Shane Coursen Subject: Re: help! 
never ending directories (WIN95) X-Digest: Volume 9 : Issue 134 In article <0013.01I7XFN8SGKWXZOCIK@csc.canterbury.ac.nz>, zbrito@aol.com says... >I have two directories ( .. and ..a ) which I cannot delete. If I open >the directory, the same directories appears inside. And this directories >keep on going forever. > >My DOS directory contains these two directories and inside directory ..a >is another copy of DOS and another copy of ..a directory. I've already >opened 45 of this directories, but it never ends. Everytime I open it, it >has the same DOS files and the ..a directory. I am going to repost (with permission) a portion of an article authored by Jimmy Kuo. This section sounds relevent to your dilemma. 4.2 PEAT and \REPEAT\REPEAT\ERPEAT This is the issue of infinitely recursive subdirectories. Looking at Appendix A (not included in this post,) you will see that one of the fields represents the cluster number of the subdirectory. Thus, if you replace the cluster number of a subdirectory with the cluster number of the directory itself, you can generate this scenario. Well, that's not all that easy to do except... if you're in the root directory. Any subdirectory with its cluster number set to 0 will point back to the root directory. So, if you overlay a random data file over the root directory, a random byte will have the subdirectory bit set and if there happens to be a NULL in the cluster field, you will create this situation. I believe this article (What's NOT a virus) is posted in full on the NCSA home page. - - Shane Coursen scoursen@symantec.com http://www.symantec.com/avcenter Computer Virus Researcher Symantec AntiVirus Research Center [Moderator's note: Thanks Shane. I've said before and probably will again, "you should read Jimmy's `what is not a virus' paper". The URLs I have for it (and checked this time!!) 
are: text version ftp://ftp.ncsa.com/pub/notvirus.txt HTML version http://www.mcafee.com/new/ notvirus.html] ------------------------------ Date: Thu, 08 Aug 1996 02:19:39 +0000 (GMT) From: Shane Coursen Subject: Re: NAV blues (WIN95) X-Digest: Volume 9 : Issue 134 In article <0012.01I7VYFI7T3WXZOCIK@csc.canterbury.ac.nz>, yoan@WorldLink.ca says... >I've been using Norton AV for Win95 for some time now, and have always >been happy with it, especially the Auto-Protect feature. Great! Any part of AutoProtect in particular, or just in general? >This past month, when I went to get the July definition update, I found >that things had changed and that Norton now packaged the update into a >program called "Intelligent Updater". In hopes that it will make your life, and updating the defintion set an easier process. >As soon as I ran NAV however, everything went kablooie! First off all, >NAV would seem to start up and then cause a GPF and crash. Not only that, >but autoprotect would refuse to start up, saying it could not initialize >the signature library. A few different things to try... ) Please send me a private email. Let me know what the time *and* date stamp of the main NAV executable (NAV.EXE, NAVW.EXE, or NAVW32.EXE.) ) Add a FILES= statement to CONFIG.SYS. 25 should be more than sufficient. ) Reduce the number of TSRs (you could just be running into a low memory situation.) >To top it all off, I downloaded Thunderbyte AV 7.02, as well as F-Prot >and FindVirus, none of which returned a single hit. (I'm running Win95 >on a P90 with 32 megs of ram) Using another scanner to verify/deny the existance of a computer virus was a good move on your part. Bravo. 
- - Shane Coursen scoursen@symantec.com http://www.symantec.com/avcenter Computer Virus Researcher Symantec AntiVirus Research Center ------------------------------ Date: Wed, 07 Aug 1996 19:12:47 -0400 From: Sandy Jankowski Subject: re: Possible Virus - Excel as Victim (WIN) X-Digest: Volume 9 : Issue 134 Grant Scurrah (?) writes: >Are you the person who is reputed to have said? > >' When the IRA uses a case of semtex they are trying to do financial >damage. Imagine how much easier it would be to take an Excel >virus into the City of London...' [snip] >If the quote is correct, the person responsible for using the words >semtex, IRA and Excel in the same sentence/paragraph (when talking to ANY >press representative) needs their head read! I agree! Excel is not anywhere as bad as the IRA, and does not (knowingly) damage computers as badly as semtex can. ------------------------------ Date: Thu, 08 Aug 1996 13:17:27 +0800 From: Uncle Gazzer Subject: Re: Friend needs virus help (WIN) X-Digest: Volume 9 : Issue 134 Patrik Lemner wrote: > didn't recieve any data, instead his machine switched to the program > manager (as if using Alt + Tab). After that he switched of his computer, > and after restarting it his mouse is going crazy. When moving it, > the icons start moving around and the computer shifts window (again as if > using Alt + Tab). > > When starting Word, suddenly text in the documents start to move around > (as if cut and pasted). Also the computer keeps making a beeping noise. > After this he can't use Netscape, so hes not able to post this message > himself. sounds to me like the ALT key is stuck, did he spill anything on the keyboard? ------------------------------ Date: Wed, 07 Aug 1996 11:16:39 +0000 From: "Mary f (Pud)" Subject: Re: Help, What is this virus? (PC) X-Digest: Volume 9 : Issue 134 Sorry to follow my own post, but my husband gave me the following information which provides more detail on this virus. 
Also any AV software to get ride lf Jackal B? "Apparently, as the story goes, this thing started with the standard Trojan virus. Once this was removed, another one was detected, and then removed. And so on and so forth. As I recall, the list included anti- cmos, monkey_b, jeruselum, etc. I don't recall all that I ran into, but it was interesting that new ones were spawning as fast as I could remove the detected ones. I seem to remember that there were a total of 8 that were found, including the last one, jackal.b. This is the one that I don't have a removal routine for. Can you see if you can find something on the internet for this?" Thanks again! - - Mary f ------------------------------ Date: Wed, 07 Aug 1996 11:38:38 +0000 From: Keith Peer Subject: Re: CMOS_DEATH Info (PC) X-Digest: Volume 9 : Issue 134 >Anyone have info on the CMOS_DEATH virus? F-prot 2.23a is the only >scanner to find it (McAfee finds it as an unknown boot sector virus), >but contains no info in its virus files. This virus is detected and removed by AntiViral Toolkit Pro v2.2! It's been able to deal with this virus for at least 3 months. Download the evaluation copy of AVP from the web site listed in my signature it can detect and remove the virus. This virus *is* in the wild in Ohio. Here is the virus description (C) Eugene Kaspersky, 1996. ======================= CmosDeath ========= It is a very dangerous memory resident boot virus. It hooks INT 13h and writes itself to the MBR of the hard drive, and boot sectors of the floppy disks. Depending on the system timer it erases the CMOS. The virus contains the text string: CMOS Death ======================= Hope this helps! Keith =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Central Command Inc. USA Distributor for P.O. 
Box 856 AntiViral Toolkit Pro Brunswick, Ohio 44212 Internet: info@command-hq.com Compuserve:102404,3654 FTP: ftp.command-hq.com /pub/command/avp :GO AVPRO WWW: http://www.command-hq.com/command Phone: 330-273-2820 Fax: 330-220-4129 BBS: 330-220-4036 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ------------------------------ Date: Wed, 07 Aug 1996 17:37:26 +0000 (GMT) From: Iolo Davidson Subject: Re: Definition of Form virus (PC) X-Digest: Volume 9 : Issue 134 In article <0023.01I80A9JMIIKXZOX31@csc.canterbury.ac.nz> replicant@ub2.lu.se "replicant" writes: > This virus is definately NOT dangerous. The only "payload" it has is, as > you said, a keyboard beep thing. Ive had it lots of times, and its not a > problem. Individuals think like this, until they catch hell for infecting their employer or school. Companies can't afford to think like this. Infecting a client or subcontractor is a public relations black eye at the very least. The virus payload is immaterial. - - ON A HIGHWAY AD NOW GLAD HE HE SPIED IT TRIED IT BOUGHT A JAR Burma-Shave ------------------------------ Date: Wed, 07 Aug 1996 17:50:34 +0000 (GMT) From: Iolo Davidson Subject: Re: Immune II (PC) X-Digest: Volume 9 : Issue 134 In article <0026.01I80A9JMIIKXZOX31@csc.canterbury.ac.nz> symphony@mail.bcpl.lib.md.us "Mike Swain" writes: > I was in Computer City today and saw this AntiVirus program named Immune > II. It looked interesting, made claims that no computer running it had > ever been infected, had the usual assortment of magazine reviews on the > side, and claimed that it used artificial intelligence to figure out > weather a file was a virus or not and so didn't need any upgrades. Oh yeah? What happened when the Word macro viruses came along? Did they upgrade the software, or do they still not detect/remove this extremely widespread type of virus? Ask them and see what they say. 
> I still have an old version of MS AntiVirus that came with my computer, > don't think its that reliable anymore. It never was. - - ON A HIGHWAY AD NOW GLAD HE HE SPIED IT TRIED IT BOUGHT A JAR Burma-Shave ------------------------------ Date: Wed, 07 Aug 1996 20:06:54 +0000 (GMT) From: Bruce Burrell Subject: Re: Virus Standards for a 5 pc network (PC) X-Digest: Volume 9 : Issue 134 Gene Wirchenko (genew@mindlink.bc.ca) wrote: > Bruce Burrell wrote: > And a devil's advocate leaps out from ambush attacking Mr. > Burrell and knocking him into the tulies. The hard teeth of > counterargument rip out Bruce's throat... I didn't realize that you were a lawyer, Gene. Why would His Supreme Evilness need one? Or should I say *yet* another one? ;-) > >ruben@ralp.satlink.net wrote: > [skip] > >> Most users will detect this and will change it again to boot sequence A: > >> C:. > > > > Why would they want to change it? If the floppy is skipped as a boot > > > Think of bypassing security which just gets in the way anyway. > Unless they want to *boot* from floppy, I don't think it could be viewed by a rational person as "getting in the way." Oops; I forgot; we're talking about mere users here. > >drive, the system starts faster. All pure Boot sector Infectors are > >prevented. Moreover, I doubt most folks would notice that the boot > >sequence skips the floppy unless they actually *want* to boot from floppy; > >I bet that's pretty rare. > > Not with someone who thinks he knows better than "those twits in > MIS", but doesn't. "What harm could a boot from floppy do? I KNOW I > don't any viruses. Others may have that problem, but I sure don't. > And this is a useful program." How many useful programs do you know, other than AV products, that require a floppy boot to perform well? > > Or am I missing something? I can imagine a potential problem if one > >password-protects the CMOS settings, but that's a different issue. 
> > Wouldn't that be an ADVANTAGE if the boot sequence is protected > by password? Oh, sure, until someone needs to change some CMOS setting but has forgotten the password. F'rinstance, I can't find a jumper in my antidiluvian ALR to zap the password, and I haven't ever gotten around to yanking the battery. Doing either might be beyond the normal SOP for the generic user. "What? Open up my computer?!?" Still only a potential problem, though, since it isn't too difficult to walk even a novice through it (as long as it isn't a laptop). > And the devil's advocate slowly wends his way back to his cave > dragging the victim's body behind him... Uh oh. No coins in my mouth for Charon; Cerebus will probably rip me to shreds ------------------------------ Date: Wed, 07 Aug 1996 21:31:51 +0000 (GMT) From: Bruce Burrell Subject: Re: Concept Question (PC) X-Digest: Volume 9 : Issue 134 Richard D. Steinbock (rdspike@javanet.com) wrote: > Can anyone tell me which software programs can best deal with the > Concept virus? We have several computers infected, and have tried > F-prot & McAfee for Windows to no avail. Your help is appreciated. F-PROT's F-MACRO program included in fp-223a.zip deals just fine with Concept; note that if F-PROT.EXE says a file is infected but F-MACRO doesn't, you should believe F-MACRO. I haven't tried McAfee, so I can't comment on that, but I understand that it should work, too. *How* do the above programs fail? Are you using the most recent versions? -BPB ------------------------------ Date: Wed, 07 Aug 1996 21:45:08 +0000 (GMT) From: Bruce Burrell Subject: Re: Help, What is this virus? (PC) X-Digest: Volume 9 : Issue 134 Mary f (Pud) (fryem@sdd.comsat.com) wrote: > Well I've been reading posts and FAQs and I can't quite figure out what > this virus is. My husband found it on a clients machine, and to him > it's the nastiest virus he's ever seen. What viruses has he seen before? 
> As soon as the AV program detects one virus and deletes it,
> another one pops up (i.e., Monkey B was one of the viruses
> that came up and then there are other "different" ones).

Perhaps you have multiple infections. What others were involved, and what products were used to detect them? Different software sometimes uses different names for the same virus, so it helps to know exactly what is being used (along with the version number).

> IT resides at the CMOS level. He's pretty sure, with all the

No virus resides at the CMOS level.

> AV scanners he has that he'll be able to get rid of it (It's
> trashed the hard drives, but he can figure that one out too).

Monkey makes the drives inaccessible, but doesn't trash them _per se_. One just can't see them after a floppy boot.

> But we just wanted to know what the name of this thing was.

Who knows?

1. It might actually be several viruses at once, and the disinfection of one ends up infecting with another. Depends on which viruses for this even to be possible, and the quality of the AV software to allow it.

2. It might be a previously unknown virus (unlikely).

3. There's a virus that can spew other viruses as a "decoy"; one virus independent (note that I did not say "antivirus independent") claims that this virus is in the wild. Having no corroboration, I treat this report with a whole box of salt.

If your husband hasn't tried scanning after a clean floppy boot with F-PROT, DSAV, AVP, or TBAV, I'd suggest that he have a go with at least one of these fine products; there are URLs listed in the alt.comp.virus FAQ from which they may be downloaded. If you're still unsuccessful, consider contacting AV tech support, or drop me some email.

-BPB

------------------------------

Date: Wed, 07 Aug 1996 21:45:06 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Concept Question (PC)
X-Digest: Volume 9 : Issue 134

"Richard D. Steinbock" writes:
>Can anyone tell me which software programs can best deal with the
>Concept virus?
>We have several computers infected, and have tried
>F-prot & McAfee for Windows to no avail. Your help is appreciated.

You apparently need to update your antivirus. McAfee's Scan has been removing the Concept virus (and other macro viruses since March). FProt also has a remover program. As does S&S, TBAV, NAV, ... It's the exception that cannot remove Word macro viruses.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 07 Aug 1996 21:53:00 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: quicksilver virus (PC)
X-Digest: Volume 9 : Issue 134

Mattias wrote:
> I recently got the quicksilver.1376 virus and I can't get rid of it.
> McAfee scan removes it from files but it is there again when I've run
> something else. One message MA scan reports is that it can't read the
> boot sector. Is this made so by the virus? What should I do to get rid
> of this stupid virus? Is it time delayed? Give me any info about the
> v.

You're probably not booting clean into DOS.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 07 Aug 1996 22:04:14 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Virus Standards for a 5 pc network (PC)
X-Digest: Volume 9 : Issue 134

Gene Wirchenko writes:
>Bruce Burrell wrote:
> And a devil's advocate leaps out from ambush attacking Mr.
>Burrell and knocking him into the tulies. The hard teeth of
>counterargument rip out Bruce's throat...
>
>>ruben@ralp.satlink.net wrote:
>
>[skip]
>
>>> Most users will detect this and will change it again to boot sequence A:
>>> C:.
>>
>> Why would they want to change it? If the floppy is skipped as a boot
>
> Think of bypassing security which just gets in the way anyway.
>

Think of imposing draconian rules into this work place. "If you need to change the boot sequence to boot from A:, you need to consult MIS or you will be fired." In today's business world, the need to boot up off floppy is minimal (and frowned upon).

>>drive, the system starts faster.
>>All pure Boot sector Infectors are
>>prevented. Moreover, I doubt most folks would notice that the boot
>>sequence skips the floppy unless they actually *want* to boot from floppy;
>>I bet that's pretty rare.
>
> Not with someone who thinks he knows better than "those twits in
>MIS", but doesn't. "What harm could a boot from floppy do? I KNOW I
>don't have any viruses. Others may have that problem, but I sure don't.
>And this is a useful program."

But is it a useful program that has been approved for use in the office? In the aerospace industry, it is sometimes a dismissible offense to simply bring in a diskette that has not been checked, let alone allow you to use it.

>> Or am I missing something? I can imagine a potential problem if one
>>password-protects the CMOS settings, but that's a different issue.
>
> Wouldn't that be an ADVANTAGE if the boot sequence is protected
>by password?

It would if the system was designed that way.

> And the devil's advocate slowly wends his way back to his cave
>dragging the victim's body behind him...

Bah.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 07 Aug 1996 22:12:49 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: CMOS_DEATH Info (PC)
X-Digest: Volume 9 : Issue 134

Computer Renaissance writes:
>Anyone have info on the CMOS_DEATH virus? F-prot 2.23a is the only
>scanner to find it (McAfee finds it as an unknown boot sector virus), but
>contains no info in its virus files.

You have encountered the heuristics in Scan to detect viruses which have not yet been added to the set of known viruses. However, you need to update your DAT files because CMOS Death has been in the product for a couple months now. And information about it is on our web page, www.mcafee.com.

In short, CMOS Death is memory resident. It infects the MBR or boot sector. It erases the system's CMOS after 60 bootups.
Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 07 Aug 1996 18:02:00 -0700
From: K M Murray
Subject: ANTIEXE using McAffe (PC)
X-Digest: Volume 9 : Issue 134

Need help or some pointers on this one. We got a floppy at work today and it came up using the latest McAfee Virus detect with possibly the ANTIEXE virus. The PC it was used on checks fine but the floppy keeps coming up possibly ANTIEXE virus.

Note: I cold booted the PC and everything still came up the same.

Is this an infected floppy or not? Any help, suggestions or pointers via E-Mail or here would greatly be appreciated!!

Many Thanks!!

Kevin Murray

[Moderator's note: Sounds like VirusScan is either saying you have a possible new variant or it's false alarming. Best bet is cross-check with another reputable scanner and/or talk with McAfee's tech support.]

------------------------------

Date: Wed, 07 Aug 1996 18:04:12 -0700
From: K M Murray
Subject: MSAV update (PC)
X-Digest: Volume 9 : Issue 134

Does anyone know if there is any sort of update for MSAV? If yes, where could one download it??

THANKS!!

KEVIN MURRAY
HAMLIN, NY

------------------------------

Date: Thu, 08 Aug 1996 01:43:41 +0000 (GMT)
From: Shane Coursen
Subject: Re: NAV install (PC)
X-Digest: Volume 9 : Issue 134

In article <0023.01I7VYFI7T3WXZOCIK@csc.canterbury.ac.nz>, babao@titan.fullerton.edu says...
>Is there any way to do a non-interactive (ie. quiet) install of NAV?

Before I say yes, which version of NAV are you running?

Yes. Add the /S switch.
Note: You might guess that your answer to my question relates directly to my answer to *your* question :)

- -
Shane Coursen
scoursen@symantec.com
http://www.symantec.com/avcenter
Computer Virus Researcher
Symantec AntiVirus Research Center

------------------------------

Date: Wed, 07 Aug 1996 22:12:13 -0400
From: Bill lambdin
Subject: Re: Junkie seems to have eaten my mouse - help wanted (PC)
X-Digest: Volume 9 : Issue 134

Karsten Ahlbeck <100554.2356@CompuServe.COM> writes
>Junkie infects .COM and .EXE files. If your mouse.com was infected and
>then "cleaned", your AV product might not have done it correctly,
>therefore damaging the file.

Karsten:

Junkie is a multipartite. It infects boot sectors of diskettes, the MBR of the hard drive, and .COM files. The infected files increase in size by 1027 bytes.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                    PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                         C7 7D 69 8B 26 0C F8 08

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 134]
******************************************
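Added example, not from the digest or any of its posters: a Python parser for a 512-byte master boot record that reads the boot signature and the partition table, covering the boot-sector side of the Junkie post and the symptom Bruce Burrell describes for Monkey (the disk is still there, but no partitions are visible after a clean floppy boot). The MBR images are constructed test data, and the "suspicious" label is this example's own inspection heuristic, not a rule stated in the thread.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0x55AA   # bytes 510-511 of a valid MBR
TABLE_OFFSET = 446        # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into its boot signature and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    signature = struct.unpack_from(">H", sector, 510)[0]
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:  # type 0 marks an unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature": signature, "partitions": partitions}

def assess_mbr(sector: bytes) -> str:
    """Classify an MBR the way an inspection after a clean floppy boot would report it."""
    info = parse_mbr(sector)
    if info["signature"] != BOOT_SIGNATURE:
        return "invalid: boot signature is %#06x, not 0x55aa" % info["signature"]
    if not info["partitions"]:
        # Valid signature but an empty table: the disk answers, yet no drive letters
        # would appear after a floppy boot, which is the symptom the Monkey thread describes.
        return "suspicious: valid boot signature but no partition entries"
    return "ok: %d partition(s) visible" % len(info["partitions"])

def make_mbr(entries):
    """Build a constructed 512-byte MBR from (status, type, lba_start, sectors) tuples (test data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # placeholder jump where boot code would sit
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i, *entry)
    struct.pack_into(">H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)

# Constructed samples: a normal one-partition disk, the "no drives visible" case, a missing signature.
HEALTHY_MBR = make_mbr([(0x80, 0x06, 63, 2_000_000)])
EMPTY_TABLE_MBR = make_mbr([])
NO_SIGNATURE_MBR = HEALTHY_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY_MBR), ("empty table", EMPTY_TABLE_MBR), ("no signature", NO_SIGNATURE_MBR)):
        print("%-13s %s" % (name, assess_mbr(img)))
```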