VIRUS-L Digest   Wednesday, 14 Aug 1996    Volume 9 : Issue 139

Today's Topics:

Re: Wazzu Cleaner?
Re: Summary: Intel LanDesk
Re: seeking direction with virus disassembly
Re: HTML-virus?
Re: About need of 'clean' booting before scanning process
Re: Viral transport prohibitions
Re: Fighting Macro Virus in Campus Labs (MAC,PC)
Monkey Virus on Mac (MAC,PC)
Strange Windows 95 memory use--virus? (WIN95)
Italian NAV upgrades?? (WIN95)
Is this a possible virus? (WIN95)
Re: AV ToolKit memory problems!!! (WIN)
Scrambled Groups and Icons (WIN)
Re: Help with the WAZZU virus, please. (WIN)
Re: Help, What is this virus? (PC)
Re: Help, What is this virus? (PC)
Re: V-Hunter AV software (PC)
Re: Catching virus in memory (PC)
Re: F-prot for dos and the hare virus (PC)
Re: MSAV update (PC)
Re: About need of 'clean' booting before scanning process (PC)
Re: Catching virus in memory (PC)
Re:Catching virus in memory (PC)
Re: F-prot for dos and the hare virus (PC)
Re: Report of Possible IDE Drive Trasher (PC)
Re: Report of Possible IDE Drive Trasher (PC)
Re: F-prot for dos and the hare virus (PC)
Hard disk scrambled, MS-DOS [long] (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus
issues; comp.virus is a gatewayed and non-digested USENET counterpart.
Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous postings
will not be accepted. Information on accessing anti-virus, documentation,
and back-issue archives is distributed periodically on the list. A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in
a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to me
at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent
to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 13 Aug 1996 13:51 +0000
From: Graham Cluley
Subject: Re: Wazzu Cleaner?
X-Digest: Volume 9 : Issue 139
In-Reply-To: <01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>

William Salusky writes:

> Is there an update to 'mvtool' for the purpose of cleaning wazzu from
> documents yet? If not, does anyone know how to alter the macros in
> mvtool to detect and remove the wazzu macro?

Rather than using MVTool I would recommend using an anti-virus product
instead. The better anti-viruses (including Dr Solomon's) can detect and
clean up Wazzu without difficulty. The on-access scanners included in such
products can intercept macro virus infections, as well as the other 9000+
viruses.

Regards
Graham
- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 13 Aug 1996 16:40 +0000
From: Graham Cluley
Subject: Re: Summary: Intel LanDesk
X-Digest: Volume 9 : Issue 139
In-Reply-To: <01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>

Dwight Tuinstra writes:

[some stuff snipped]

> I received a recommendation for Dr. Solomon's and F-PROT Pro.
>
> The current versions have management features and modes of
> operation suitable to our network. Although Dr. Solomon's
> had a significant weakness in the April 95 Virus Bulletin
> review, this has been remedied and it does very well in the
> April 96 review.
> The only thing it lacks are cross-server
> management tools for a multi-server network.

A forthcoming release of Dr Solomon's will be addressing these issues
(it's looking rather good!). Expect to start seeing some developments
later this year/early 97.

> [Moderator's note: And thank-you for taking the time to summarize back
> to the list/group.]

Seconded!

Regards
Graham
- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 13 Aug 1996 16:57 +0000
From: Graham Cluley
Subject: Re: seeking direction with virus disassembly
X-Digest: Volume 9 : Issue 139
In-Reply-To: <01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>

Jeff Golden writes:

> I am seeking information on how to extract virii information from
> infected files (i.e. signatures). I'm looking at writing a simple
> anti-virus utility for my honours project. If anyone could direct me
> to a site or to commercially-available literature on this subject,
> I would be most appreciative.

Hmm.. Well, you could use a simple binary file viewer or even DEBUG to
find a "signature". Be aware however that this will be ineffective against
polymorphic viruses which "change their spots" with each infection and so
a fixed signature might not be available.

I don't know whether you are also addressing the issue of false alarms. If
you're not bothered about false alarms then you could simply grunt-scan
files for the text "prove my point" in order to detect Concept. But this
would be next to useless in the real world.

More sophisticated anti-virus products employ a number of techniques in
order to detect viruses quickly and reliably without false alarms.
For example, rather than "grunt" scanning the entire length of the file in
order to find your "signature" you could just look in the place where the
"signature" would be found *if* the file were infected. You could then
checksum the static bytes of the virus code (those bytes which do not
change) in order to double-check that the file really is infected.

It's also a good idea not to choose a "signature" like the Concept example
I gave above as the text message is likely to crop up in innocent files.
So, looking for virus *code* rather than messages is a good start.

If you really want to get sophisticated you might like to read about
generic decryption methods (you can read about this kind of stuff on our
website) which enable an anti-virus product to reliably detect even the
complex, mutating, polymorphic viruses.

I seem to recall that Alan Solomon wrote a paper about how to write an
anti-virus for Virus News International a few years ago. He's bobbing
around the Atlantic out of email-reach at the moment (I wonder if he knows
about the Excel virus yet? :-) ). If you like I can have a dig around and
see what I come up with. Send me an email and let me know.

Good luck with your project.

Regards
Graham
- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 13 Aug 1996 13:33:52 -0600
From: George Wenzel
Subject: Re: HTML-virus?
X-Digest: Volume 9 : Issue 139

>There are probably circumstances where, when the bytecode is permitted
>to access things that it shouldn't normally be allowed to access, a
>Java applet could make copies of itself and attach itself to any web
>pages that might be served from the client machine.
If a Java applet was to spread to other web pages, then the client (i.e.
Netscape) would have to have write access to the HTML that the server was
providing, which it doesn't. For a Java virus to exist, the Java code
would need to have a method to spread to other files, which, in Sun's
application of Java, isn't possible. It may be possible, however, with the
extensions that Netscape is doing with the Java language.

>I think this is possible. Anyone disagree? And if so, why (implied)?

Possible, but it hasn't happened yet. I don't think it's too likely, at
least not with the original Java language. Netscape extensions could
change that.

Regards,
George Wenzel
- -
George Wenzel
U of A Karate Club Homepage: http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Tue, 13 Aug 1996 19:01:41 +0000 (GMT)
From: Iolo Davidson
Subject: Re: About need of 'clean' booting before scanning process
X-Digest: Volume 9 : Issue 139

In article <0007.01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>
awing@thunder.ocis.temple.edu "Andrew Wing" writes:

> so unless a virus gets into CMOS somehow (very likely as
> discussed in past threads),

Please! I think I know what you mean (boot spoofing by altering CMOS
settings), but what you have actually written makes it sound like a virus
can hide in CMOS memory, which of course it cannot. There are enough virus
myths floating around without another dose of "guess what I heard on
comp.virus (so it must be true)".

- -
ON A HIGHWAY AD NOW GLAD HE HE SPIED IT TRIED IT BOUGHT A JAR  Burma-Shave

------------------------------

Date: Wed, 14 Aug 1996 10:49:54 +0200
From: Gerard Mannig
Subject: Re: Viral transport prohibitions
X-Digest: Volume 9 : Issue 139

In Digest: Volume 9 : Issue 138:

>I am looking for a listing of countries that prohibit the exchange of
>virus samples as data files or text coding.
>Please feel free to contact
>me directly with any information that you may have on the subject so as
>not to clutter the server list. Thanks!

Well, you'll probably be told about Italy and Sweden. Those countries, if
memory serves, 100% prohibit the mere virus writing.

In France - my country - only *spread* of viral code is prohibited (fine
<= $60,000, prison <= 3 years). French 7/22/92 law also authorizes judges
to add some extra "goodies" to jail and fine penalties such as forbidding
the guilty person to keep on having the job he had when committing the
computer crime, loss of civic, civil and family rights, no more rights to
write checks (except withdrawal ones), exclusion from public markets and
so forth ...

Of course, malicious intent must be proved, so purely accidental
(99.99+ %, I guess) viral events do not enter in the field of this 7/22/92
law.

I can see that in detail if you want but this apparently is not exactly
what you asked for. Anyway, feel free to ask. When training students, I am
often asked what you currently ask today so any response you are to
receive is also welcome on this side of the Atlantic ;-)

Hope this helps

Regards,
- ----------------------------------------------------------------
Gerard MANNIG                        Virus Consultant
Phone : +33 (16) 3559-9344           Fax : +33 (16) 3560-5011
Distributor of AVP & SYSGuard, France and Spanish-speaking countries
http://www.avp.ch/E/avp-main.htm
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm

------------------------------

Date: Wed, 14 Aug 1996 00:29:12 +0100
From: Joerg Erdei
Subject: Re: Fighting Macro Virus in Campus Labs (MAC,PC)
X-Digest: Volume 9 : Issue 139

Bruce Burrell wrote:

> Jonathan Williams (jonvwill@iastate.edu) wrote:
> > Beth Young wrote:
> > <>
> > >
> > > My question is about the Mac Platform since I have labs with both
> > > IBM and Mac. Is there a way to NOT let users start Word when they
> > > double click their document?
> > > I can spend hours going around to each machine
> > > and cleaning off the infected Normal document but I would like a way
> > > to prevent it.
> >
> > Going around to each computer is indeed a chore; unfortunately, we've
> > found no way to get around scanning of individual computers anyway,
> > since infected documents are sometimes stored there.
> >
> > I know of no way to change the file associations, other than changing
> > the "creator" file attributes on every individual document :(, on a
> > mac.
>
> I doubt that will work; after all, when the doc is saved, it'll revert
> to MSWD WDBN unless you actually fiddle with Word's code.
>
> > If anyone else does, we'd welcome the info, too.
>
> In private email from Mike Ramey, he pointed out that double-clicking
> on a doc skips over MicroSoft's anti-Concept tool, so I now understand
> why Ms. Williams made her request.
>
> The answer I provided in my previous response still should work just
> fine; use ResEdit to alter Word so that its TYPE is something other than
> MSWD. Then if one double-clicks on a document, the user will get the
> "Application busy or missing" message, but Word will open documents
> normally through the File menu.

Additionally, one would have to remove Easy Open to prevent users from
linking Word documents with the 'new' application called Word.

Or Word has to be on another (logical) volume, and another dummy app with
the type MSWD on the same volume as the document double-clicked; thus
double-clicking would always launch that dummy app (it should preferably
display a box telling the user to open the document from within Word, or,
even more clever, it should invoke an AppleScript to open Word and then
open the document from within Word, so there would be no need to educate
users).

Joerg Erdei
- -
eMail for usenet replies: a8604659@unet.univie.ac.at
private messages: a8101gbb@vm.univie.ac.at

------------------------------

Date: Tue, 13 Aug 1996 15:59:20 -0500
From: "Jamal R. Hamilton"
Subject: Monkey Virus on Mac (MAC,PC)
X-Digest: Volume 9 : Issue 139

I am working on a Mac, and I THINK MY FLOPPY DISK IS INFECTED BY a MONKEY
VIRUS. Is there any program for the Mac that I can use to disinfect the
virus?

Thanks

Jamal R. Hamilton                 University of Chicago
entity@pondside.uchicago.edu      Ecology and Evolution
Mon-Thurs 8am - 4:30pm central    ph: 702-5135

[Moderator's note: Whatever you do, do NOT leave the diskette in the
floppy drive of a Mac that also runs SoftWindows (and presumably other
DOS/Windows emulators?), as it will infect the emulator environment when
it is next (re)started, just like leaving an infected floppy in A: infects
a PC.]

------------------------------

Date: Tue, 13 Aug 1996 23:06:40 +0000 (GMT)
From: Markus Eisenhauer
Subject: Strange Windows 95 memory use--virus? (WIN95)
X-Digest: Volume 9 : Issue 139

I have a problem in Windows 95. As I am using the German version I don't
know if the description of the errors and dialogs will be correct, but I
hope you can understand the problems.

Is there a known virus that disturbs the registry so that you get the
error message "Error in the system registry. Restart Windows."?

Another effect that I encountered is that the memory is eaten up. I start
Windows 95 and do nothing but watch the system monitor with the used
memory and the swap-file. The values are increasing all the time. When it
starts with 29 MB, after half an hour I have over a hundred MB used or
reserved. I tried different scanners but none of them reacted.

Does anyone know of that type of problem in his system and the reasons?
I'm using a 486/DX4-100 with 32 MB RAM.

Thanks
Markus Eisenhauer

------------------------------

Date: Wed, 14 Aug 1996 09:46:36 +0000 (GMT)
From: Lucio Burroni
Subject: Italian NAV upgrades?? (WIN95)
X-Digest: Volume 9 : Issue 139

Where can I download updates for this antivirus? I have the Italian
version. Please help me.

Thank you

LUCIO BURRONI
E-MAIL: luciobur@ats.it
39+575-355245-300533 Arezzo AR
I T A L Y

------------------------------

Date: Wed, 14 Aug 1996 09:37:51 +0000 (GMT)
From: Yogibear@xs4all.nl
Subject: Is this a possible virus? (WIN95)
X-Digest: Volume 9 : Issue 139

The last three weeks, when I start my computer up, Win95 is acting very
strange. The first symptom was that I got the win calculator on my desktop
after startup when I closed down without it (I NEVER use it) and it isn't
in the startup group. This could still be an accident, but.....

After this win 95 refused to boot on three different occasions:

1: The file explorer.exe was gone --> no boot. I couldn't unerase it or
   find it so I copied it from a friend of mine.
2: One week later the file wininit.exe had vanished as well. When I tried
   to boot it gave me the famous 'It is now safe to turn off your computer'
   screen and I had to switch it off.
3: The next files to VANISH were rundll32.exe and rundll.exe. This meant I
   couldn't use any control panel option.

I tried to undelete those files and couldn't find them. I also tried
F-prot, Norton anti virus for 95, Dr Solomon and a heuristic scan. I
couldn't find anything........

IS THIS A VIRUS ???????? or is it just my %^&*$%^%&$%^&#%$ WIN 95 ?

Has anyone else had the same problems ?

Regards,
Derk Jan de Boer

------------------------------

Date: Tue, 13 Aug 1996 13:51 +0000
From: Graham Cluley
Subject: Re: AV ToolKit memory problems!!! (WIN)
X-Digest: Volume 9 : Issue 139
In-Reply-To: <01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>

Fernando Bonifaz Constantino writes:

> Hi, I have the Dr.
> Solomon AV Toolkit and It has been (for me) the best
> AV in the market,

[fx: blush]

> but yesterday the AV told me that I was having a memory
> error "WinGuard 386: not enough memory to load Winaguard database", I
> have been using it and it never gave any problem until now. I double
> checked the memory and I did not find any error. I'm using an Lpv
> (Digital) 486sx-33, with 4 MB of RAM and Win 3.1.

This was a problem in WinGuard a few months ago; it should be fixed in the
current version. Which version number are you using?

If you contact our reps in Mexico (Grupo Asisa) they should be able to get
you a fixed version. Here are the contact details for our chaps in Mexico:

Grupo ASISA
L.Tequesquinahua No.84
Colonia PIPSA
Tlalnepantla Edo de Mex.
C.P. 54160
Mexico
Tel: +52 5 392 4155
Fax: +52 5 392 4178
CompuServe: 7414,3053
Internet email: 7414.3053@compuserve.com

I hope this has been some help. Glad to hear you like the software.

Regards
Graham
- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 13 Aug 1996 11:40:24 +0000 (GMT)
From: Vincent Settipane
Subject: Scrambled Groups and Icons (WIN)
X-Digest: Volume 9 : Issue 139

I have a friend that had the NYB virus. We removed it and every few weeks
her desktop is messed up. We have rescanned and had no luck detecting any
different virii.

Anybody seen this before? Solutions ?

Thanks in advance
Vince

"Something Hot and Wet - - - - - Steam" PG

------------------------------

Date: Wed, 14 Aug 1996 09:28:29 +0000 (GMT)
From: Snorre Fagerland
Subject: Re: Help with the WAZZU virus, please. (WIN)
X-Digest: Volume 9 : Issue 139

ploob wrote:

>Any information would be appreciated.
>So far, all it does is display a
>small message that says 'wazzu' when you copy, paste...any time you are
>manipulating files. Norton did not detect it, or even notice it.

WordMacro.Wazzu is a fairly harmless macro virus, besides the fact that it
inserts the text 'wazzu' in documents. (I'm sure that can be annoying
enough though). Most good AV packages should be capable of handling this
virus. However, the source has been out, and new variants may exist.

You can also clean it yourself, by deleting the macro autoOpen from all
documents you have used, and then finally from the normal.dot template.
However, a good scan is valuable to get all infections; one forgotten
document is enough to start the epidemic all over again. A good rule is to
check your macros menu quite often to see if there are any you don't
recognise.

Best regards
Snorre Fagerland
Engineer
University of Bergen

------------------------------

Date: Tue, 13 Aug 1996 08:48:04 +0000
From: "Mary f (Pud)"
Subject: Re: Help, What is this virus? (PC)
X-Digest: Volume 9 : Issue 139

Jonathan Williams wrote:

> It sounds like the client had multiple infections of different
> viruses. Since you mentioned Monkey B, I assume they were boot
> sector viruses. When one boot-sector virus infects a computer
> which already has another, the new infection acts as though the
> computer wasn't infected -- moves the "boot sector code" (actually
> the other virus) and subsequently points to it. It's therefore
> possible to remove the first virus and have the second replace it
> (as the A/V program moves the "original" boot sector back), which
> then needs to be cleaned also.

Well, thank you for your kind response :-). It looks as if that's exactly
what it was. Hubby got it all fixed up. Thanks again, I'll forward this
to him. I'm not terribly articulate in describing this stuff, so I
appreciate the response! :-)

- -
Mary f
It's a widdle, widdle, widdle pud

------------------------------

Date: Tue, 13 Aug 1996 08:51:52 +0000
From: "Mary f (Pud)"
Subject: Re: Help, What is this virus? (PC)
X-Digest: Volume 9 : Issue 139

Iolo Davidson wrote:

> In article <0032.01I80A9JMIIKXZOX31@csc.canterbury.ac.nz>
> fryem@sdd.comsat.com "Pud" writes:
>
> > IT resides at the CMOS level.
>
> No, no virus resides in the CMOS. It simply isn't possible.
>
> Such confidently stated nonsense considerably damages my
> acceptance of the rest of the information in your report.

Excuse me if I'm not totally PC literate. I was posting for my husband
who knows much more than I. But I was obviously literate enough to get a
decent response from Johnathan which answered my question exactly.

Thanks to Johnathan :-)!

- -
Mary f
It's a widdle, widdle, widdle pud

------------------------------

Date: Tue, 13 Aug 1996 16:41:49 +0100
From: Dmitry Gryaznov
Subject: Re: V-Hunter AV software (PC)
X-Digest: Volume 9 : Issue 139

Uncle Gazzer wrote:

> Anyone heard of V-Hunter Anti-Virus Software?
>
> I just tried to download it and PC-Cillin informed me that it was
> infected with the FUNE-921 virus
>
> Since PC-cillin didn't elaborate, does anyone know what this virus does
> (or even if it's a false alarm)
>
> here endeth the lesson that you should ALWAYS scan incoming files from
> the net.....

That's right. But in this case I strongly suspect it was a false alarm
from PC-cillin. Try a couple of other AV programs to make sure.

- -
Sincerely,                       | VirusLab, S & S International PLC.
Dmitry O. Gryaznov               | Alton House, Office Park, Gatehouse Way,
Senior Research Consultant       | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com      | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com    | Fax: +44 (0)1296 318734

------------------------------

Date: Tue, 13 Aug 1996 16:36 +0000
From: Graham Cluley
Subject: Re: Catching virus in memory (PC)
X-Digest: Volume 9 : Issue 139
In-Reply-To: <01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>

quacht@cadvision.com writes:

> Hi, can anyone tell me how to get rid of memory viruses (RAM)?????

The simplest way is to cold-boot from a clean (virus-free),
write-protected disk. You can then run your anti-virus from floppy and do
the clean-up.

Which virus do you have anyway? And which product told you you were
infected? That info could help us help you more.

If you don't have a clean, virus-free, write-protected disk to boot from,
but you *do* have a copy of Dr Solomon's Anti-Virus Toolkit then you can
just boot up from our "Magic Bullet" diskette and that will clean you up.

> I need a good virus scanner because I frequently download files from the
> Internet, if anyone has a good virus scanner for DOS or Windows 3.1, can
> you tell me where to get it?

Dr Solomon's is rather good - but I would say that. :-) It can scan
recursively inside compressed files (ZIP, LZH, ARC, ARJ, PKLite, LZExe,
ICE, Diet, CryptCOM, MS Expand, etc) without writing to the hard disk -
which might be useful when dealing with downloaded files.

F-Prot and AVP are highly respected as well. You can find some independent
comparative reviews at http://www.drsolomon.com/avtk/reviews and others at
Virus Bulletin's website and at the University of Tampere.

Regards
Graham
- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 13 Aug 1996 16:36 +0000
From: Graham Cluley
Subject: Re: F-prot for dos and the hare virus (PC)
X-Digest: Volume 9 : Issue 139
In-Reply-To: <01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>

Bob Kanish writes:

> With all the hype surrounding the hare virus, I decided to look in
> f-prot 2.23a's virlist.lis file and I found no evidence of any hare
> viruses. Am I correct in assuming that f-prot for dos can not detect
> these viruses? I'm as sure as any person can be that none of my
> computers has this virus. I was just wondering this because this
> family of viruses appears to be in the wild and it would surprise me
> if such a high-quality product could not find them.

DataFellows have written something called F-Hare - you can download it
from their website. From what the description says it seems you can run
it alongside F-Prot to deal with Hare. I would imagine this functionality
will be incorporated into F-Prot in a future version.

We at Dr Solomon's have also made available an additional "extra driver"
for detection and clean-up of Hare infected files. A version of our
CleanPart utility cleans infected partition sectors. Like F-Prot we'll be
incorporating this functionality into our main product in due course.

Of course, August 22nd is approaching rapidly so it would be a good idea
for users to scan their PCs for this virus. Here at Dr Solomon's we're
taking the step of snailmailing all our customers with a special version
of FindVirus so they can check for this virus. This means that users with
out-of-date versions, or who don't subscribe to our virus alerts service,
or don't visit our website or read comp.virus will be able to scan before
August 22.
Regards
Graham
- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Tue, 13 Aug 1996 10:13:25 -0400
From: Bill lambdin
Subject: Re: MSAV update (PC)
X-Digest: Volume 9 : Issue 139

writes

>oh, yes...there is....it is called "Any other anti-virus program".
>MSAV was the worst scanner on the market when it was released

Frisk:

I agree completely with you about the cure, but I disagree slightly about
the diagnosis. ;-)

I have tested MSAV, and I have tested IVscan that comes with InVircible,
and I have first hand information that IVscan is worse than MSAV for
detection.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                    PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 13 Aug 1996 09:33:36 -0600
From: Fabio Esquivel
Subject: Re: About need of 'clean' booting before scanning process (PC)
X-Digest: Volume 9 : Issue 139

> From: Andrew Wing
>
> McCormick, Jesse (mccormic@hkvltpo1.hkvlt001.hac.vlt.eds.com) wrote:
>
> : >Is the Reset button really enough ??

Yes: I read somewhere that it sends a reset signal to one of the CPU pins
on the motherboard, effectively resetting its state. Furthermore, I guess
that another nice effect of the Reset button is a temporary power break to
the motherboard without turning off the main power source (thus, it's like
turning the PC off and back on, without affecting the power source).

> : It is my understanding that the reset switch in most cases does reset
> : everything. There are a few systems where the reset is the same as
> : CTRL-ALT-DEL.
> : However a virus can easily trap this interrupt...
>
> IIRC, the RESET button triggers the reexecution of ROM code from
> square one, so unless a virus gets into CMOS somehow (very likely as
> discussed in past threads), there is no way for the virus to 'intercept'
> a reset button press.

I've been out of the list for quite a while so I haven't read such "past
threads"... My understanding is that it's possible for a virus to corrupt
the CMOS memory and even store executable code in there; however, there
is no way to execute that code at startup, so it's unlikely. Am I wrong?
Is there now a way to execute CMOS bytes as startup code?

> What systems have reset the same as Ctrl-Alt-Del? I've never heard
> of this before.

There's a word in the ROM's data area in low RAM which you can modify.
With a certain value you may perform a "warm boot" (a boot skipping the
RAM test) when you press the Ctrl-Alt-Del sequence. By using another value
in that word, you may perform a "cold boot" (a boot including the RAM test
and resetting RAM to all nulls), but again, a virus can trap this
interrupt and manipulate this word to always perform a "warm boot", thus
surviving into the next startup.

- -
Fabio Esquivel                  SYSDE
e-Mail: fesq@sysde.co.cr        Phone: (506) 293-2864
Fax: (506) 293-2812

------------------------------

Date: Tue, 13 Aug 1996 11:03:12 -0600
From: George Wenzel
Subject: Re: Catching virus in memory (PC)
X-Digest: Volume 9 : Issue 139

In article <0030.01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz>,
quacht@cadvision.com says...

>Hi, can anyone tell me how to get rid of memory viruses (RAM)?????

You have to power down, and then boot up from a system floppy that is NOT
infected with the virus. That will leave your hard drive infected, but
with no virus in memory, an AV program can clean the hard drive, so the
next time you boot, both memory and hard drive are clean.
>I need a good virus scanner because I frequently download files from the
>Internet, if anyone has a good virus scanner for DOS or Windows 3.1, can
>you tell me where to get it?

F-Prot is free for individual, non-commercial use. It's available from the
SimTel archives.

Regards,
George Wenzel
- -
George Wenzel
U of A Karate Club Homepage: http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Tue, 13 Aug 1996 14:50:41 -0400 (EDT)
From: Karsten Ahlbeck <100554.2356@CompuServe.COM>
Subject: Re:Catching virus in memory (PC)
X-Digest: Volume 9 : Issue 139

wrote:

>Hi, can anyone tell me how to get rid of memory viruses (RAM)?????

I would guess most of the contributors here could: make a *clean* boot
diskette (drive A!) with the FORMAT /S command. Whenever you boot with
this one (turning the power off and then on again), you will not have a
virus in memory.

>I need a good virus scanner because I frequently download files from the
>Internet, if anyone has a good virus scanner for DOS or Windows 3.1, can
>you tell me where to get it?

Now this one will most likely give you a bunch of answers. A good scanner
is Integrity Master (IM), which also does integrity analyzing (finds file
corruption, regardless of cause). During setup IM will teach you a lot
about computer viruses and data integrity. You will also be able to find
memory changes (without booting clean) which could be due to new, unknown
viruses. Integrity Master works with both Windows 3.1, Win 95 and DOS.

You can find it at ftp://uwasa.garbo.fi/pc/virus/i_m302a.zip. Other sites
at www.stiller.com.
Yours sincerely,
Karsten Ahlbeck
Karahldata
Swedish Integrity Master Agent

------------------------------

Date: Tue, 13 Aug 1996 17:38:51 -0300 (ADT)
From: Danny Burke
Subject: Re: F-prot for dos and the hare virus (PC)
X-Digest: Volume 9 : Issue 139

Bob Kanish wrote:

>With all the hype surrounding the hare virus, I decided to look in f-prot
>2.23a's virlist.lis file and I found no evidence of any hare viruses. Am
>I correct in assuming that f-prot for dos can not detect these viruses?
>I'm as sure as any person can be that none of my computers has this
>virus. I was just wondering this because this family of viruses appears
>to be in the wild and it would surprise me if such a high-quality product
>could not find them.

You are correct, but F-Prot has put out a file called f-hare15.zip which will both detect and clean this virus. It can be found at:

ftp://ftp.datafellows.com/pub/f-prot/tools/f-hare15.zip

Try it because it works. I too encountered Hare.7786 on the net and didn't realize F-Prot wouldn't catch it. Luckily I had just set up McAfee's version 2.51a (only 20 minutes earlier) to try out and it caught it. I submitted a copy of the file to Mr Bontchev and he confirmed the presence of the virus and steered me towards F-Prot's fix for it very quickly. The virus was in a crack file for Agent 99e that my son had downloaded. I also hear it is in several more crack files. Once again great service by F-Prot and I must honestly say McAfee did save my a**.

Regards
Danny

------------------------------

Date: Tue, 13 Aug 1996 15:06:30 -0700 (PDT)
From: 13-Aug-1996 1807 <"stc::stevens"@ampakz.ENET.dec.com>
Subject: Re: Report of Possible IDE Drive Trasher (PC)
X-Digest: Volume 9 : Issue 139

:>This past weekend a friend of mine who runs a large bulletin board
:>told me there is a new computer virus that has appeared last week. It
:>attacks IDE drives, specifically C Drive. It rewrites the
:>manufacturer's code at the beginning of the drive and then write
:>protects it.
:>The first time the computer is turned off and back on,
:>the virus is activated. It turns C drive into a paperweight
:>immediately. Information on partitions other than C drive can be
:>recovered if you have the proper software. C drive cannot be
: <>
:
:My first impression of this was that it probably is a hoax, especially
:in light of the statements regarding drives having had high Internet
:usage and the potential recoverability of partitions other than C:.
:However, I haven't heard this one before, and on second thought it
:sounds feasible if someone intimately familiar with the inner workings
:of IDE drives decided to do something devious. I know that the
:conventional wisdom says viruses can't destroy hardware, but they also
:used to say that viruses couldn't infect data files - until macro
:languages gave rise to Concept and its kin. Is anyone aware of an IDE-
:trashing virus, or familiar enough with IDE internals to know if such
:a virus is really possible?

I just spoke with a Western Digital representative who said that their drives have an eprom that stores drive info, like the operating rpm and like parameters, which can be rewritten. I am also familiar with Conner drives manufactured for Dec that have an eprom. The Dec drives are scsi and configured not to spin up until notified by the interface (not the drive electronics, the host card). I have used utilities that change that particular parameter on those drives so they will autospin, but I don't know what other parameters are available. It wouldn't surprise me to learn that write protection was one of those parameters. I wouldn't say that this would mean that the drive was trashed, though. It is not unusual for a device to only read parameters at power up. Eprom-configured lan card software often says to power off the machine and restart to enable the new parameters because a reset will not cause the card to reread that eprom (depending on the card, of course).
This fits what was reported:

:>The first time the computer is turned off and back on,
:>the virus is activated.

Hopefully, the drives affected are only a software fix from being well. (I guess you can tell that I believe that this sort of virus is possible)

Kurt

------------------------------

Date: Tue, 13 Aug 1996 19:16:58 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Report of Possible IDE Drive Trasher (PC)
X-Digest: Volume 9 : Issue 139

In article <0022.01I88SPUK0R8XZPMBE@csc.canterbury.ac.nz> CLAYTON.E.RUTH@slchicago.infonet.com "CLAYTON E RUTH" writes:

> My first impression of this was that it probably is a hoax,

I concur. (Technospeak for "me too")

- -
ON A HIGHWAY AD
NOW GLAD HE
HE SPIED IT
TRIED IT
BOUGHT A JAR
Burma-Shave

------------------------------

Date: Wed, 14 Aug 1996 10:31:16 +0000 (GMT)
From: Simon Loader
Subject: Re: F-prot for dos and the hare virus (PC)
X-Digest: Volume 9 : Issue 139

Bob Kanish (fireball!bkanish@uunet.uu.net) wrote:

: With all the hype surrounding the hare virus, I decided to look in f-prot
: 2.23a's virlist.lis file and I found no evidence of any hare viruses. Am
: I correct in assuming that f-prot for dos can not detect these viruses?
: I'm as sure as any person can be that none of my computers has this
: virus. I was just wondering this because this family of viruses appears
: to be in the wild and it would surprise me if such a high-quality product
: could not find them.

Well, 2.23a came out before the hare virus came out (oh, and so did 2.23b), but if you go to the F-prot homepage you can download f-hare, which does whatever it's supposed to do to the hare virus.
- -
FD

------------------------------

Date: Tue, 13 Aug 1996 11:22:06 +0000 (GMT)
From: Csaba Markus
Subject: Hard disk scrambled, MS-DOS [long] (PC)
X-Digest: Volume 9 : Issue 139

I have a big big problem with my hard disk and I'd like to know if somebody has come across something like this, and/or whether there is any help or hints available that I could use to recover data from my hard disk. I don't know if the crash was caused by a virus, but it looks like it might well have been.

Let me first briefly describe the symptoms, then I will describe the story in more detail:

It looks like I've lost all data on my hard disk.

1st 'attack': The first 2 sectors of the root directory of the first partition were modified: every second byte was OR'ed with 80H. I could fix this problem by hand with a disk editor.

2nd 'attack': After running SCANDISK (also surface test), which said the disk is completely correct, I found almost all data sectors relocated by a varying offset of between 25 and 66 sectors. I could _not_ fix this problem.

The corrupted partition hasn't been modified since.

The story began when I installed a new 6x Mitsumi CD-ROM drive instead of the old 2x Panasonic drive. When the new one was in the right place, I ran the setup program to install the drivers for the IDE drive. The 2x Panasonic drive was connected through an ISA card and its drivers had to be replaced by ATAPI drivers. I used to have a 2x ATAPI CD-ROM long ago, and its drivers were still present on the hard disk, but I wanted to install the drivers that came with this new 6x drive. The setup program didn't ask many questions, it just required the directory name where the programs were to be copied. When all was done, the program exited, and two or three lines of garbage were printed and then came the DOS prompt. This was very strange because I started the setup program from within Norton Commander, so I rebooted the machine with Ctrl-Alt-Del.
Then I didn't believe my eyes: Instead of the usual startup sequence six or seven coloured lines appeared on the top of the screen; it looked like binary data was written to screen memory. Then I switched off the machine and switched it on again after a minute. But the machine did not boot. I got the "Non system disk or disk error" message, so I had to boot from floppy. No wonder it didn't boot from hard disk: "dir c:" generated a whole screen of garbage. At least, the file/directory names, file sizes and dates were all damaged.

After half an hour of poking around with a disk editor, I could figure out the following: The reason for the "dir c:" garbage was that the first two sectors of the root directory were modified: Bytes 1, 3, 5, etc. (i.e. all bytes with odd offsets) had their highest bit set to 1, all other bits remained OK. For example, the directory entry for command.com looked like this:

'C', 'O'+80H, 'M', 'M'+80H, 'A', 'N'+80H, 'D', ' '+80H, 'C', 'O'+80H, 'M'

and this was of course followed by the other 21 bytes of the directory entry, every second one having been OR'ed with 80H. Because the damage was as regular as this, I could easily modify the two sectors by hand using a disk editor, to subtract 80H from the scrambled bytes. When it was done, I realized that the size of some files became too small (e.g. command.com, io.sys, msdos.sys), so I had to rewrite the relevant bytes by adding 80H to them.

Then I booted from hard disk and it almost succeeded: The machine only hung when the new CD-ROM driver was invoked. So I booted from floppy again, eliminated the newly added lines from config.sys and autoexec.bat, and then the boot from hard disk went without any problems. I checked a few directories to see if the file system was OK, and I didn't find problems by hand. Then I invoked SCANDISK, and this program did find a bunch of damaged files: most of them were cross-linked and some of them had, in SCANDISK's opinion, a wrong file size.
I was very happy to see that none of the damaged files were important, so I let SCANDISK fix them, knowing that this would make those files unusable. This wasn't a problem for me: either I erased the corrupted files after the 'fixing' or I could replace them because I had them on floppy. I was very very pleased to see that none of the important files were lost.

And this is the point. I planned to get the contents of the hard disk written to CD four days after (the crash happened on Tuesday and the CD-writing was planned for Saturday). When all the corrupted files had been erased or replaced, I ran SCANDISK again to see if the hard disk was all right now. As I expected, no errors were detected this time. At the end, SCANDISK asked me if I wanted to do a surface test as well. I let SCANDISK do it, and this was the fault! The surface test went without any problems, and the speed of the progress was usual. But at the end, when I happily chose 'Exit', I got a DOS prompt instead of the Norton Commander screen! Impossible, I thought. "dir c:\" produced normal output, but when I typed "dir c:\dos", the threatening garbage was all that appeared on the screen! All other subdirectories produced similar results! All this after a 'successful disk test without any problems'!

Since then, I haven't changed a byte on the C: partition, because the trouble is very deep now. Thorough examination of the contents of the disk showed the following: The two copies of the FAT, the root directory and the first few (5-10) sectors of the data area are OK, but all the remaining sectors have been RELOCATED! The bad news is that the distance of the relocation is not constant. It varies between +25 and +66 sectors, and there seem to be contiguous blocks that have the same relocation offset. The size of these blocks is not clear to me yet, but it looks like a few clusters (one cluster = sixteen sectors (8K)).
As you may guess, I can tell the relocation offset for the subdirectories only, using the link of the "." entry in the directory, which, in normal cases, should point to the same cluster where it's stored. Instead, I can find a subdirectory e.g. in the ninth sector of cluster 1214, which has a "." entry pointing to cluster 1213, resulting in an offset of 25 sectors. (These numbers are not accurate, it's just an example.)

It's _only_ the C: partition of the hard disk that has all these problems. I have two other DOS partitions, but they haven't been damaged at all (C: is 510Mb, D: is 200Mb and E: is 100Mb). I can read and write D: and E:, run programs from them, without any strange effects. There is, however, one big difference between C: and the other partitions: It's only C: that had important data stored on it; D: and E: are and have been effectively empty. (Hi, Mr. Murphy...)

I tried the latest virus scanner from mcafee (9607, eval.) but no virus was found. The damaged partition, the healthy partitions, the CD-ROM drive's setup disk and my recently used floppies are all reported free from viruses.

These were the facts, now some thoughts:

- Because of the varying relocation offsets, some of the sectors are most probably lost forever.
- Was this a virus? If so, it's one of the nastiest ones I've ever heard of. Is there a recovery program available for this virus? I don't think so.
- If it's a virus, how come the surface test said OK? If, say, the virus acts by writing to different sectors than requested, some of the sectors should be repeated all over the hard disk because sectors are read from and later written back to the disk during the surface test. I didn't see this repetition. Or does SCANDISK operate backwards, starting at the last sectors?
- Was this a HW failure? A HW failure of the hard disk or of the CD-ROM? Or a nice cooperation of the two?
- Do I have any chances to recover some of the data?
  Maybe I do, if I re-relocate the equally displaced sector blocks.
- Is it worth bothering myself with this nightmare? Wouldn't it be more advantageous to simply "format c:"? It depends on how valuable the information on C: is. Oh, it's almost nothing. Only everything I have ever worked on in my life. Some of it is still available on floppies. Is it worth it?

Sorry for being too wordy, but this all is so strange that I wouldn't perhaps believe it if I hadn't seen it with my own eyes.

Any comments are most welcome.

Csaba Markus

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 139]
******************************************
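The two kinds of damage Csaba Markus describes in the last post above (odd-offset bytes of the root directory OR'ed with 80H, and data sectors displaced relative to what each subdirectory's "." entry says) are regular enough to handle with a small helper. This is an added example, not code from the post or from any product named in the digest; the 32-byte FAT directory entry layout is standard, but the choice of which odd bytes are treated as ambiguous assumes a DOS 6-era FAT16 partition under 2 GB with 8K clusters, and every sample entry is constructed.

```python
# Added example (not from the VIRUS-L post): repair logic for root-directory
# entries whose odd bytes were OR'ed with 80H, plus the "." entry arithmetic
# used to measure how far a subdirectory's sectors were relocated.
import struct

ENTRY_SIZE = 32
SECTORS_PER_CLUSTER = 16   # 8K clusters, as in the post

# Odd offsets inside a FAT directory entry where bit 7 can legitimately be
# set: 23 = high byte of the time field (hours >= 16), 27 = high byte of the
# first cluster, 29 = bits 8-15 of the file size. Every other odd byte (name,
# extension, attributes, reserved area, date high byte, top size byte) must
# be below 80H on a partition like the one described, so clearing it is safe.
AMBIGUOUS = {23, 27, 29}

def make_entry(name83, attr, first_cluster, size, time=0, date=0):
    """Build a 32-byte FAT16 directory entry from constructed fields."""
    assert len(name83) == 11
    return name83 + struct.pack("<B10xHHHI", attr, time, date, first_cluster, size)

def scramble(sector):
    """Reproduce the damage described in the post: every odd byte OR 80H."""
    return bytes(b | 0x80 if i % 2 else b for i, b in enumerate(sector))

def repair_sector(sector):
    """Clear bit 7 on the odd bytes that cannot legitimately carry it.

    Returns (repaired_bytes, needs_review); needs_review lists
    (entry_name, offsets) for bytes a person must settle by hand, just as
    the post's author had to put 80H back into some file-size bytes."""
    out = bytearray(sector)
    needs_review = []
    for base in range(0, len(out), ENTRY_SIZE):
        if out[base] == 0:          # 00H in the first byte: end of directory
            break
        unresolved = []
        for off in range(1, ENTRY_SIZE, 2):
            if off in AMBIGUOUS:
                if out[base + off] & 0x80:
                    unresolved.append(off)   # leave it; flag for the operator
            else:
                out[base + off] &= 0x7F
        if unresolved:
            name = bytes(out[base:base + 11]).decode("ascii", "replace")
            needs_review.append((name, unresolved))
    return bytes(out), needs_review

def relocation_offset(found_cluster, found_sector_in_cluster, dot_cluster):
    """Sectors by which a subdirectory was displaced: the data-area sector
    where it was actually found minus where its own "." entry says it starts.
    Cluster numbering starts at 2, so cluster N begins (N-2)*16 sectors in."""
    found = (found_cluster - 2) * SECTORS_PER_CLUSTER + found_sector_in_cluster
    expected = (dot_cluster - 2) * SECTORS_PER_CLUSTER
    return found - expected
```

Running repair_sector over a scrambled sector restores names, attributes and the top size byte automatically and reports offsets 23, 27 and 29 of each entry for manual checking against a known-good copy of the file, which is exactly the step the post's author had to do by eye.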